xelys jobs xelys jobs

Security Engineer, Detection and Response

OpenAI

senior, security, United States, 2 days ago via LinkedIn


Tags

Security Engineering, Detection and Response, Threat Modeling, Incident Response, Kubernetes, Cloud Security, Threat Detection, Automation, Cloud-Agnostic Detection, SIEM-like Telemetry

About the role

Role Overview

As a Security Engineer (Detection & Response), you’ll help protect OpenAI’s sensitive assets—including intellectual property, customer data, and supporting infrastructure—by building and operating systems to detect suspicious activity and respond effectively.

You’ll work across endpoints, identity, cloud, hyperscale compute infrastructure, and datacenter-adjacent layers, partnering with security teams and infrastructure owners to define telemetry and response requirements, and to build automation/tooling that provides leverage.

Responsibilities

  • Build and evolve Detection & Response capabilities across OpenAI’s infrastructure, products, and research environments.
  • Engineer detection pipelines and tooling, including:
    • rule lifecycle management
    • measurement/quality loops (coverage, precision, latency)
    • tuning processes
    • safe rollout patterns
  • Automate response and investigations via workflows that reduce toil (triage, enrichment, containment, evidence capture) and improve time-to-understand/time-to-contain.
  • Partner cross-functionally with Security teams and infrastructure/system owners to ensure new systems ship with the right:
    • telemetry
    • threat models
    • response playbooks
  • Define D&R requirements and drive visibility across:
    • endpoints
    • identity
    • SaaS
    • cloud
    • Kubernetes
  • Identify telemetry/control gaps, prioritize them, and advocate for fixes (or implement directly when fastest/effective).
  • Evaluate and respond to emergent security concerns in a frontier AI lab environment, including detections/response for agents operating across infrastructure at scale.

Requirements (You Might Thrive If)

  • Hands-on experience in threat detection and/or incident response, including building detections, running investigations, and improving operational playbooks.
  • Ability to understand adversary TTPs and translate them into practical detection and response strategies.
  • Threat modeling mindset, able to assess failure risks and D&R implications for new systems/features.
  • Experience building detections in Kubernetes/containerized environments, using cluster telemetry and understanding common failure/attack modes.
  • Comfort reasoning about lower-level infrastructure and datacenter risks (e.g., firmware/BMC, network segmentation/telemetry, hard-to-observe control paths).
  • Experience across major cloud platforms (Azure, AWS, GCP, OCI) and ability to design cloud-agnostic detection approaches.
  • Experience building automation that replaces repetitive D&R work, potentially including agent-style workflows, while keeping outcomes measurable, auditable, and safe.
  • Clear communication and strong cross-team collaboration.

About OpenAI

OpenAI is a frontier AI research and deployment organization focused on ensuring advanced AI benefits humanity. It builds AI models and related products while maintaining strong security and operational practices to protect technology, people, and customer data.

Scraped 6/14/2026
