Security Engineer, AWS Security Incident Response

AWS Security Incident Response is looking for a Security Engineer who investigates with urgency, communicates with clarity, and turns every investigation into an opportunity to make the service smarter. You will perform hands-on security response for customers, work alongside AI-powered investigation agents daily, and feed what you learn back into the automation systems that protect all customers.

The AWS Security Incident Response team provides 24/7 security response through a follow-the-sun operating model. The service combines automated triage workflows, AI-powered investigation agents, and human security analysts to respond to threats across customer AWS environments at massive scale. Our AI systems autonomously resolve the majority of routine investigations within minutes. Every engineer on the team is expected to be fluent in how these AI systems work, provide feedback that improves their accuracy, and identify opportunities to extend their capabilities.

This is not a traditional security operations role. You will investigate security incidents hands-on, but equally important is what happens after the investigation: documenting patterns, proposing detection rules, providing structured feedback to AI agents, and building the automation that prevents the same issue from requiring human investigation again. We treat every investigation as a confirmed security incident until the data proves otherwise.

This position requires that the candidate selected be eligible to obtain a US Government security clearance., Investigate and respond to security findings and customer-reported security events using AI-powered investigation tools and manual forensic techniques

• Perform CloudTrail forensics, log analysis, and threat intelligence correlation to determine the scope, impact, and root cause of security events in customer AWS environments
• Get on calls with customers during active incidents to walk them through what was compromised and the specific containment steps to execute immediately
• Work alongside AI investigation agents daily - review AI-generated conclusions, validate accuracy, and provide structured feedback that improves autonomous investigation quality
• Turn every investigation into a service improvement: document reusable indicators, attack patterns, and false positive signals that feed directly into the team's detection pipeline and AI training data
• Identify gaps in existing detection rules and auto-remediation playbooks based on patterns observed during investigations, and propose improvements to senior engineers
• Use AI-powered tools (including agentic AI assistants) to accelerate your own investigations, and share effective techniques with the team
• Coordinate with internal teams to mitigate customer security issues
• Participate in on-call rotations, including weekends

A day in the life You review the investigation queue, pick up findings from AI agents and automated triage, and investigate using CloudTrail forensics and threat intelligence. When you confirm a threat, you get on a call with the customer to guide containment. After each investigation, you extract patterns into the automation pipeline and provide structured feedback to AI agents so they improve. You propose detection rules for recurring false positives and review AI-generated summaries for accuracy.

About the team The AWS Security Incident Response team provides 24/7 threat monitoring, investigation, and response for customer AWS environments. The team is driving a strategic transformation - raising operational standards, building AI-powered investigation capabilities, and expanding coverage. We respond to customer requests within minutes. Zero queue tolerance is the operating standard. We value engineers who solve root causes over those who close tickets. Security engineers receive structured mentorship, regular coaching, and increasing ownership as they grow. Engineers on this team have grown into senior investigators, automation builders, and technical leads.

2+ years of web protocols, common security attacks, and remediation (non-internship) experience

• Bachelor's degree in Engineering, Computer Science, or a related field
• Experience with coding/scripting in one or more languages (e.g., Python, C, C++, Java, Ruby, or PowerShell)
• Experience (non-internship) in industry-based security vulnerabilities identification, attack patterns, and remediation techniques
• Knowledge of operating systems, hardware, storage, network, security, database administration and cloud infrastructure
• Knowledge of one or more of the following domains: access-control system and methodology, network security, application- and system-development security, security architecture and models, cryptography, and operations security

Preferred Qualifications

• Experience with AWS services or other cloud offerings
• GCIH (GIAC Certified Incident Handler) or GSEC (GIAC Security Essentials) or Security+

The base salary range for this position is listed below. Your Amazon package will include sign-on payments and restricted stock units (RSUs). Final compensation will be determined based on factors including experience, qualifications, and location. Amazon also offers comprehensive benefits including health insurance (medical, dental, vision, prescription, Basic Life & AD&D insurance and option for Supplemental life plans, EAP, Mental Health Support, Medical Advice Line, Flexible Spending Accounts, Adoption and Surrogacy Reimbursement coverage), 401(k) matching, paid time off, and parental leave. Learn more about our benefits at https://amazon.jobs/en/benefits.

USA, WA, Seattle - 136,000.00 - 184,000.00 USD annually