UiPath

Security Engineer I

UiPath  •  $115k - $150k/yr  •  Washington, DC (Remote)  •  12 hours ago

Job Description

Life at UiPath

The people at UiPath believe in the transformative power of automation to change how the world works. We’re committed to creating category-leading enterprise software that unleashes that power.

To make that happen, we need people who are curious, self-propelled, generous, and genuine. People who love being part of a fast-moving, fast-thinking growth company. And people who care—about each other, about UiPath, and about our larger purpose.

Could that be you?

As a Security Operations Engineer 1, you are a developing practitioner focused on threat management and incident response. Working under the guidance of senior engineers, you triage and investigate security incidents, support containment and remediation, and contribute to the feedback loop with Threat Intelligence and Detection Engineering. You build depth on the SecOps stack day by day and bring a builder's mindset - looking for what can be automated, documented, or improved.

You will perform this work across two operating environments: our commercial SecOps environment (the day-to-day default) and our FedRAMP Moderate authorization boundary (a separately controlled, regulated environment supporting federal agency customers). The same craft applies in both, but the FedRAMP environment is segregated and carries stricter requirements on personnel access, tooling, data handling, documentation, and reporting timelines - you will learn those procedures and apply them with senior support when working inside that boundary.

CORE RESPONSIBILITIES - THREAT MANAGEMENT & INCIDENT RESPONSE

  • Triage and investigate incidents across SIEM, EDR, network, identity, and cloud telemetry; support containment, eradication, and incident communications under senior guidance.

  • Contribute to root cause analysis and close the loop with Threat Intelligence and Detection Engineering to produce durable detections, controls, or playbook updates.

  • Participate in proactive threat hunting across enterprise and cloud telemetry under the direction of senior analysts.

  • Help maintain IR playbooks and runbooks and participate in drills and tabletop exercises.

  • Recommend and help tune the detection and response tooling stack (SIEM, EDR, SOAR, case management) in both environments.

  • Actively seek mentorship from senior IR engineers and grow toward independent ownership of incidents over time.

  • FedRAMP - Follow strict procedures and requirements, including but not limited to the authorized IR Plan, NIST 800-53 IR controls, CISA notifications, chain of custody, data classification handling, and event classification and reporting requirements.

CROSS-FUNCTIONAL COMPETENCIES

  • Threat Intelligence - developing ability to consume threat intelligence and apply it to hunts, detections, and incident context; learning to map adversary behavior to MITRE ATT&CK.

  • Detection Engineering - contributes detection content and tuning improvements across SIEM and EDR platforms; familiar with detection-as-code workflows and able to reduce false positives with guidance.

  • Security Engineering - assists in automating routine SecOps tasks with a DevOps/IaC mindset and helps integrate security tooling via APIs, including contributions to SOAR playbooks.

KNOWLEDGE, SKILLS & CAPABILITIES

  • Working knowledge of incident response frameworks (NIST 800-61, SANS PICERL) and a developing understanding of modern attacker TTPs, malware behavior, and MITRE ATT&CK.

  • Familiarity with operating system fundamentals (Windows, Linux, macOS), networking protocols, identity systems, and at least one major cloud platform (AWS, Azure, or GCP), with a preference for Azure.

  • Awareness of malware analysis and digital forensics concepts.

  • Analytical mindset - reads network, host, identity, and cloud logs, asks the right questions, and reaches sound conclusions under time pressure with senior support.

  • Clear written and verbal communication; tailors messaging to technical and non-technical audiences and produces documentation suitable for review.

  • Sound escalation judgment - recognizes when scope or severity exceeds current experience and engages senior support early; brings curiosity, critical thinking, and willingness to learn the differences between commercial and FedRAMP operating procedures.

  • Foundational scripting in Python, PowerShell, Bash, or Node plus developing proficiency in Microsoft KQL or similar query analytics languages; comfortable in terminal-first workflows with utilities such as grep, jq, awk, sed, curl, and git.

  • Comfortable using coding agents (Claude Code, Copilot, Cursor) and LLM-based tools to accelerate investigation and reporting - with the discipline to validate generated code, recognize hallucination risk, handle sensitive data carefully, and escalate rather than ship unreviewed output.

QUALIFICATIONS

Required

  • Minimum 1 year of experience in a Security Operations role (SOC analyst, junior incident responder, detection engineer, or equivalent), internship, or relevant academic/lab work.

  • Hands-on exposure to at least one major SIEM (Sentinel, Splunk, Chronicle, Elastic) and at least one EDR (Defender XDR, CrowdStrike, SentinelOne).

  • Developing ability to write and run KQL queries (or willingness to ramp quickly).

  • Practical experience using coding agents and/or LLM tooling, with judgment about when to validate or escalate.

  • US citizen or US lawful permanent resident (green card holder).

  • Able to work from our Bellevue, WA office a minimum of 3 days per week.

  • Ability to successfully complete a background investigation appropriate to a FedRAMP Moderate environment.

  • Familiarity with NIST SP 800-53 and NIST SP 800-61 concepts (or commitment to develop working knowledge within the first 90 days) to support work inside the FedRAMP boundary.

  • Awareness of FedRAMP Moderate, authorization boundary concepts, and federal incident reporting expectations - or eagerness to learn them quickly.

Preferred

  • Exposure to incidents in cloud environments (Azure / AWS / GCP) and SaaS platforms.

  • Exposure to detection-as-code or SOAR-as-code workflows.

  • Familiarity with digital forensics tooling (Velociraptor, KAPE, Volatility) or malware triage concepts.

  • Entry-to-mid certifications such as Security+, CySA+, SC-200, AZ-500, GSEC, GCIH, or equivalent.

  • Bachelor's degree in Computer Science, Information Security, or related field - or equivalent practical experience.

  • Prior exposure to a FedRAMP, IL4/IL5, StateRAMP, CMMC, CJIS, or IRS Pub. 1075 environment in any capacity (intern, junior analyst, audit support).

  • Exposure to Azure Government, AWS GovCloud (US), or Google Cloud Assured Workloads.

  • Awareness of 3PAO assessment activities, ConMon, POA&Ms, and SSPs.

  • Active or recently active US government clearance (e.g., Public Trust, Secret) is a plus but not required.

Maybe you don’t tick all the boxes above—but still think you’d be great for the job? Go ahead, apply anyway. Please. Because we know that experience comes in all shapes and sizes—and passion can’t be learned.

Many of our roles allow for flexibility in when and where work gets done. Depending on the needs of the business and the role, the number of hybrid, office-based, and remote workers will vary from team to team. Applications are assessed on a rolling basis and there is no fixed deadline for this requisition. The application window may change depending on the volume of applications received or may close immediately if a qualified candidate is selected.

We value a range of diverse backgrounds, experiences and ideas. We pride ourselves on our diversity and inclusive workplace that provides equal opportunities to all persons regardless of age, race, color, religion, sex, sexual orientation, gender identity and expression, national origin, disability, neurodiversity, military and/or veteran status, or any other protected classes. Additionally, UiPath provides reasonable accommodations for candidates on request and respects applicants' privacy rights. To review these and other legal disclosures, visit our privacy policy.

About UiPath

UiPath develops AI technology that mirrors human intelligence with ever-increasing sophistication, transforming how businesses operate, innovate, and compete. The UiPath Platform™ accelerates the shift toward a new era of agentic automation—one where agents, robots, people, and models integrate seamlessly to drive autonomy and smarter decision-making. With a focus on security, accuracy, and resiliency, UiPath is committed to shaping a world where AI enhances human potential and revolutionizes industries.

Industry
IT & Software
Company Size
5,001-10,000 employees
Headquarters
New York, NY
Year Founded
2005