Tempus AI

Detection Engineer

Posted 19 Days Ago
Hybrid
Chicago, IL
100K-140K Annually
Entry level
Build and maintain reliable log ingestion pipelines to deliver security events to a SIEM. Implement batching, sizing, failure handling, tests, and CI standards. Integrate systems via APIs, assist detection engineering with parser/field fixes, manage detection-as-code in git, and contribute to agentic SOC workflows and SOAR automations with human-in-the-loop validation.
The summary above was generated by AI

Passionate about precision medicine and advancing the healthcare industry?

Recent advancements in underlying technology have finally made it possible for AI to impact clinical care in a meaningful way. Tempus' proprietary platform connects an entire ecosystem of real-world evidence to deliver real-time, actionable insights to physicians, providing critical information about the right treatments for the right patients, at the right time.

**About our teams:** With a mission to use data and AI to power precision medicine and improve patient care, our teams blend deep healthcare expertise with modern product development practices. Tempus products are owned and developed by small, autonomous teams made up of software engineers, designers, scientists, and product managers. These teams set goals, build the software, deploy the code, and contribute to a growing platform that is transforming healthcare.

**Detection Engineer:** The Security Operations Center is building the data foundation for threat detection—reliable pipelines that land security events in our SIEM platform. This is a software engineering role inside security: you will build in Python, integrate APIs, and test your work, with mentorship on SIEM usage, detection logic, and alert quality. Over time, you will help us grow **agentic SOC workflows** (AI-assisted triage, enrichment, and detection support) with human-in-the-loop guardrails—adding automation only when the data and evidence justify it, not on a hype-driven timeline.

Responsibilities:

  • Build and maintain log ingestion pipelines that collect security events from internal and third-party sources and deliver them to our SIEM platform.

  • Normalize and forward events using existing patterns for batching, sizing, and failure handling.

  • Build tests and fix bugs using mocked APIs and team CI standards (lint, format, coverage).

  • Operate pipelines reliably—monitor failures, tune ingestion windows and rate limits, and document configuration.

  • Support detection engineering with guidance—validate that new data is queryable in the SIEM; assist with simple parser or field fixes; learn how detections map to adversary behavior.

  • Help manage and improve our detection-as-code pipeline—versioned detection content in git, automated checks in CI, and review before changes reach production.

  • Participate in code review.

Agentic SOC (incremental; human-in-the-loop):

  • Build with agentic coding tools (e.g. Claude Code, Cursor) as part of daily development—direct, review, and test what you ship; do not rely on typing every line from scratch.

  • Contribute incrementally to agentic workflows—enrichment scripts, structured handoffs into SOAR automations, and evaluation of AI-assisted summaries or drafts in non-production or human-reviewed paths before any autonomous response.

  • Validate changes on historical data before production trust—rules, parsers, and automation earn approval through evidence, simulation or shadow mode, and defined rollback paths.

  • Assist in building and maintaining SOAR automations (enrichment, triage steps, and documentation—with review before production changes).

Requirements:

  • Comfortable building in Python—APIs and JSON, basic error handling, and tests in a managed project (Poetry or similar).

  • Ability to integrate systems via APIs—OAuth or API keys, retries, and handling partial failures.

  • Testing discipline—unit tests, readable failures, and fixing regressions you introduce before merge.

  • Git and collaborative development—small, reviewable changes with clear descriptions of risk and rollout.

  • Temperament for long-horizon work—you can focus on incremental pipeline quality while understanding it enables agentic SOC capabilities over time, not instead of them.

  • Strong problem-solving skills and curiosity about security operations; willingness to learn detection concepts with mentorship.

Bonus points for:

  • Experience with scheduled jobs or Docker.

  • Hands-on SIEM exposure from coursework, CTFs, labs, or internships (e.g. Splunk, Google SecOps, Microsoft Sentinel).

  • Can navigate cloud primitives on GCP, Azure, or AWS (S3/GCS/Blob, Key Vault/Secret Manager/Secrets Manager, IAM roles and service principals).

  • Experience with infrastructure as code (e.g. Terraform).

  • Strong understanding of IAM principles in GCP (least privilege, service accounts, workload identity, and role bindings).

Chicago Base salary: $100,000-$140,000

The expected salary range above is applicable if the role is performed from Illinois and may vary for other locations (California, Colorado, New York). Actual salary may vary based on qualifications and experience. Tempus offers a full range of benefits, which may include incentive compensation, restricted stock units, medical and other benefits depending on the position.

We are an equal opportunity employer. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. 
