Staff Security Engineer, Enterprise Security Operations

• Own the operational health, configuration, and continuous improvement of Aurora's enterprise security platform stack — including EDR/XDR, MDM, SIEM, DLP, IAM/IGA, DNS security, Email security, and PKI — ensuring each tool is tuned, policy-complete, and delivering reliable signal. • Develop and refine detection rules, correlation logic, and alert policies, reducing noise while ensuring Aurora maintains high-fidelity coverage against real threats. • Conduct proactive threat hunting across Aurora's security telemetry — forming hypotheses, querying logs, and investigating anomalies before they surface as incidents. • Serve as the deepest internal expert on Aurora's enterprise security tooling, acting as the escalation point for complex platform issues, misconfigurations, and detection failures. • Participate in the team's on-call rotation, leading deep-dive investigations into security alerts and incidents and driving triage, containment, and root cause analysis. • Continuously audit and validate that existing security controls are configured to actually do what they're supposed to do — not just deployed and forgotten. • Maintain operational runbooks, detection documentation, and platform configuration records, ensuring the team can operate consistently and scale institutional knowledge.

Aurora hires talented people with diverse backgrounds who are ready to help build a transportation ecosystem that will make our roads safer, get crucial goods where they need to go, and make mobility more efficient and accessible for all. We're searching for a Staff Security Engineer, Enterprise Security Operations to join our Enterprise Security Engineering team, reporting to the Technical Lead Manager of Security Engineering. This position is open to the following office locations: Mountain View, San Francisco, Seattle, Pittsburgh, Dallas, Detroit, and Phoenix. Aurora is scaling its autonomous trucking operations, and we need someone who makes our security tools actually work, not just deployed, but deeply configured, continuously tuned, and fully leveraged. This role is for the practitioner who has spent their career living inside security platforms: the person who knows their EDR better than the vendor's own support team, who can write a SIEM query from memory, and who instinctively knows when an alert is misfiring and exactly why. This is not a software engineering role. It's a role for an elite security operator — someone with the instincts of a seasoned SOC analyst and the technical depth to own the platforms that power detection, response, and protection at enterprise scale. If you find deep satisfaction in mastering a tool, closing a coverage gap, or hunting down a threat that nobody else noticed, this role was written for you. • 12+ years of hands-on experience in enterprise security operations, security platform administration, or a senior SOC engineering role — with a career built on deep operational ownership of security tooling rather than software development. • Expert-level proficiency administering and operating at least two enterprise security platforms (e.g., CrowdStrike, SentinelOne, Splunk, Panther, Sentinel, Jamf, Kandji/Iru, Puppet, WorkspaceONE, Intune, Zscaler, Okta, Proofpoint, Wiz, osquery), with strong working knowledge across several others. • Demonstrated ability to tune and optimize security platforms beyond out-of-the-box configurations — writing custom detection logic, adjusting policy sets, and validating control effectiveness. • Strong log analysis and threat hunting skills: you know how to build a hypothesis, write the query, follow the thread, and know when to escalate. • Experience conducting thorough incident investigations — triage, containment, root cause analysis, and post-incident review — and communicating findings clearly to technical and non-technical stakeholders. • Ability to assess security control effectiveness: not just "is this tool deployed" but "is it configured correctly, covering the right scope, and generating actionable signal." • Comfort working under pressure in ambiguous, fast-moving situations with competing priorities. • Scripting ability for automation, log parsing, or workflow improvement (Python, Bash, or similar) — you don't need to be a software engineer, but you can write a script when it saves you an hour. • Deep familiarity with MITRE ATT&CK as an operational tool for detection gap analysis and threat hunting hypothesis development. • Experience with AWS security telemetry (CloudTrail, GuardDuty, Security Hub) and integrating cloud signals into a corporate SIEM. • Familiarity with Zero Trust and identity-centric security models as they apply to policy enforcement in IAM and endpoint platforms. • Platform-specific certifications such as CrowdStrike Certified Falcon Administrator, Splunk Core Certified Power User, or equivalent — or practitioner certifications like GCIH, GCIA, GCFE, or GCFA. The base salary range for this position is $171,000 - $273,000 per Year . Aurora’s pay ranges are determined by role, level, and location. Within the range, the successful candidate’s starting base pay will be determined based on factors including job-related skills, experience, qualifications, relevant education or training, and market conditions. These ranges may be modified in the future. The successful candidate will also be eligible for an annual bonus, equity compensation, and benefits. Working at Aurora At Aurora, we bring together extraordinarily talented and experienced people united by the strength of our values. We operate with integrity, set outrageous goals, and build a culture where we win together — all without any jerks. We believe in-person work increases collaboration, empathy and our ability to lead effectively. As a result, we operate in a hybrid work environment where Aurorans are in office at least 3 days per week. Our Careers page provides insight into what it is like to work at Aurora, and you can find all the latest updates in our Newsroom .