Threat Detection Engineer

About Us: Here at Ambience, we never set out to be just another scribe. We’re building the AI intelligence platform that restores humanity to healthcare and drives meaningful ROI for health systems across the country. Our technology helps providers focus on delivering great care by removing the administrative burden that pulls them away from patients and away from their most impactful work. Ambience delivers real-time coding-aware documentation and clinical workflow support across ambulatory, emergency and inpatient settings at the top health systems in North America. Our teams operate relentlessly with extreme ownership to build the best solutions for our health system partners. We value candor, positivity and deep thought — and we expect a lot from each other because we know the problems we’re solving truly matter. Ambience was ranked #1 for Improving the Clinician Experience in the KLAS Research Emerging Solutions Top 20 Report, recognized by Fast Company as one of the Next Big Things in Tech, named one of the best AI companies in healthcare by Inc., and selected as a LinkedIn Top Startup in 2024 and 2025. We’re backed by Oak HC/FT, Andreessen Horowitz (a16z), OpenAI Startup Fund, and Kleiner Perkins — and we’re just getting started. THE ROLE: Ambience deploys clinical AI agents that operate in real time across the nation's largest health systems. When your product has autonomous access to infrastructure, credentials, and patient data at scale, detection and response isn't a support function, it's core to our business. You'll be our first dedicated D&R hire. You'll build the detection engineering and incident response program from scratch in a HIPAA-regulated, AI-native environment where the threat surface includes LLM-powered agents operating across infrastructure. You'll write production code, architect security data pipelines, and define what good looks like for D&R at a company where the attack surface is genuinely novel and rapidly evolving. Our engineering roles are hybrid in our SF office (3x/week). WHAT YOU’LL OWN: - Detection Engineering: Stand up a detection pipeline across our highest-risk surfaces: AWS, Kubernetes, Okta, endpoints, and SaaS tools. Author environment-tuned detections with a full rule lifecycle that produces high-signal alerting the on-call team actually trusts. - Incident Response: Build the IR program end-to-end: playbooks, escalation paths, evidence collection, post-mortems. Procedures that are documented, rehearsed, and satisfy both operational and HIPAA needs. - Security Tooling & Automation: Evaluate, deploy, and integrate the core D&R stack (SIEM, EDR, SOAR, cloud-native services). Build internal tooling and automation that reduces response time and toil. Use LLMs where they genuinely accelerate detection, triage, or investigation. - Agent Security: Detect and respond to threats unique to clinical AI systems and agentic workflows: abnormal tool access, credential abuse, data exfiltration, and novel attack patterns that don't show up in traditional threat models. WHO YOU ARE: - 5+ years in detection engineering, incident response, or a closely related security engineering role - Strong programming skills in Python, Go, or Rust. You ship production code and internal tooling, not just scripts - Deep experience with AWS (or comparable cloud) and its native security services; comfortable operating in Kubernetes environments - You've built or significantly matured a detection engineering program: authored detections, managed rule lifecycles, measured coverage and precision - You think in terms of attacker tradecraft and can translate real-world intrusion patterns into detections that matter - Solid fundamentals in networking, infrastructure security, and identity/access management - You set priorities with risk and operational impact, not just coverage checklists Bonus points if you've worked with LLMs or agent-based workflows to automate security operations, contributed to open-source security projects or published research, or built security programs at a startup where there was no playbook to follow. WHY HERE: This isn't a D&R role where you're tuning someone else's detections inside a mature SOC. You're building the function. You'll define what we detect, how we respond, and what tooling we invest in. Small team, high trust, direct access to leadership. The systems you build determine whether we can operate inside the most demanding health systems in the country. Pay Transparency We offer a base compensation range of approximately $200,000–$250,000 per year, along with meaningful equity. This intentionally broad range provides flexibility for candidates to tailor their cash and equity mix based on individual preferences. Our compensation philosophy prioritizes meaningful equity grants, enabling team members to share directly in the impact they help create. If your expectations fall outside of this range, we still enco