Software Engineer II - Entity Intelligence

<h2>About the Role</h2> <p>Enterprises of all sizes trust Abnormal's AI-native security products to stop cybercrime and protect critical communications, identities, and infrastructure in the cloud. Our products are <strong>data- and systems-intensive</strong>, operating at high scale and low latency across multiple clouds and regions.</p> <p>As a <strong>Software Engineer II on the Entity Intelligence Team</strong>, you are a highly capable detection feature owner: you take a detection problem, come up with an idea, design a technical approach, and drive it end-to-end, from design and implementation through launch, operation, and continuous improvement. You will work with a world-class group of engineers, product managers, and data scientists to build and operate detection that is <strong>reliable, scalable, and AI-native by default</strong>.</p> <p>This role focuses on <strong>impersonation detection</strong>, including brand, lookalike-domain, VIP and employee impersonation. It is ideal for an engineer who has already shipped meaningful production systems, wants more ownership and impact, and is excited to use AI to build detection that was not possible before.</p> <h2>About the Team</h2> <p>The Entity Intelligence Team (EIT) is an attack-detection team inside Abnormal's Detection org. We own several of the highest-visibility detection surfaces at the company, spanning attachment-based attacks, fraud, and impersonation. We work the way an analyst would: we study the attacks that get through, understand the underlying pattern, and translate it into system-level detection enhancements that generalize beyond the individual attack.</p> <p>We are also one of the most AI-forward teams at Abnormal. We build and operate LLM-based detection agents and treat internal AI tooling as a first-class deliverable. Every engineer here writes detection logic and builds AI agents. Impersonation is one of the most damaging and visible classes of attack we defend against, where even simple attacks that slip through erode customer trust, so this is a surface we hold to a very high bar.</p> <h2>What You'll Do</h2> <ul> <li><strong>Design, build, and operate detection</strong> that is core to Abnormal's products, from initial design through rollout, monitoring, and ongoing maintenance.</li> <li><strong>Own detection projects end-to-end, including those that begin with a degree of ambiguity:</strong> scope loosely defined problems, identify risks, define milestones, and deliver reliably.</li> <li><strong>Analyze attacks that get through.</strong> Pull and study missed-attack data, read the messages the way an attacker and an analyst would, identify the underlying pattern, and translate it into detection enhancements or entirely new detection systems.</li> <li><strong>Write and tune detection logic</strong> using scored signals and attributes, add new signals across the pipeline, and drive changes to launch with a strong focus on minimizing false positives.</li> <li><strong>Build and evaluate LLM-based detection agents,</strong> and measure precision and recall rigorously with our evaluation tooling.</li> <li><strong>Surface your detections as reusable intelligence</strong> that other products and teams across the platform can consume.</li> <li><strong>Participate in the on-call rotation</strong> for your detection surfaces, debug and resolve customer escalations, and feed learnings back into design, observability, and runbooks across regions.</li> <li><strong>Leverage AI as a core part of your development loop</strong> for code, tests, data analysis, experiments, and documentation, while maintaining strong engineering judgment and validation practices.</li> <li><strong>Contribute to team health and culture</strong> by documenting heavily, sharing learnings, and giving thoughtful feedback in code and design reviews.</li> </ul> <h2>Must Haves</h2> <ul> <li><strong>3+ years of professional software engineering experience</strong>, with a track record of shipping and operating production systems.</li> <li>Strong <strong>software engineering fundamentals:</strong> data structures, algorithms, system design basics, testing, debugging, and clean, maintainable code.</li> <li>Strong <strong>Python</strong> proficiency and comfort learning new languages and frameworks as needed.</li> <li>Solid <strong>data-analysis instincts.</strong> You are comfortable with SQL and reasoning over large datasets to find signals in noise.</li> <li>A <strong>detection or adversarial mindset.</strong> You enjoy thinking like an attacker, reading real attack samples, and asking, "How would I get past this?"</li> <li>Genuine fluency with <strong>AI-native development.</strong> You already use AI coding agents in your daily work and are excited to build <strong>LLM-powered</strong> detection, not just consume AI tools.</li> <li>Demonstrated ability to <strong>own projects that carry some initial ambiguity:</strong> clarify and scope loosely defined requirements, make tradeoffs explicit, deliver on time, and communicate status clearly.</li> <li><strong>Excellent written and verbal communication</strong>, especially in remote, distributed teams. We make decisions in writing.</li> <li>A strong <strong>growth mindset and sense of ownership.</strong></li> </ul> <h2>Nice to Have Skills</h2> <ul> <li>Experience with <strong>distributed systems</strong>, high-throughput pipelines, or large-scale data stores (e.g., PostgreSQL, DynamoDB, Redis, RocksDB, Kafka, Spark, OpenSearch/Elasticsearch).</li> <li>Background in <strong>security, threat detection, anti-abuse, fraud detection, or trust and safety</strong>, particularly systems processing high volumes of email or communication data.</li> <li>Experience with <strong>ML or LLM evaluation:</strong> precision/recall tradeoffs, eval harnesses, prompt iteration.</li> <li>Familiarity with <strong>domain and DNS concepts</strong> (such as typosquatting and homoglyphs) or with <strong>identity and impersonation signals</strong>.</li> <li>Experience with <strong>large-scale data tooling</strong> (e.g., Databricks, Spark, Airflow) and distributed pipelines.</li> <li>Experience with <strong>containerization and orchestration</strong> (Docker, Kubernetes) and infrastructure-as-code tooling.</li> <li>Familiarity with <strong>modern frontend frameworks</strong> (e.g., React) for full-stack roles, or with <strong>ML/ML Ops</strong> for Detection/MLE-focused roles.</li> <li>Prior experience in a <strong>fast-paced, high-growth startup</strong> environment where you’ve had to balance speed, quality, and ambiguity.</li> </ul> <h2>Why You'll Love It Here</h2> <ul> <li>You'll <strong>solve hard, meaningful problems</strong> at the intersection of AI, security, and large-scale detection, where your work maps directly to attacks caught and customers protected.</li> <li>You'll work with <strong>smart, kind, and ambitious teammates</strong> who care deeply about detection craft, learning, and helping each other grow.</li> <li>You'll get <strong>real ownership and autonomy</strong> over an important detection surface, not a ticket queue, with clear opportunities to grow toward Senior and Staff roles.</li> <li>You'll be part of an <strong>AI-native R&amp;D organization</strong> with strong investment in tools, workflows, and training to help engineers use AI to move faster while raising the quality bar.</li> </ul> <p><br>&nbsp;</p> <p>#LI-AD2</p><div class="content-conclusion"><p><br>Abnormal AI is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, protected veteran status or other characteristics protected by law. For our EEO policy statement please&nbsp;<a href="https://abnormal.ai/aap-eeoc-statement" target="_blank"><span style="text-decoration: underline;"><em>click here</em></span></a>. If you would like more information on your EEO rights under the law, please&nbsp;<em><span style="text-decoration: underline;"><a href="https://abnormal.ai/eeoc-poster" target="_blank">click here</a></span></em>.</p></div>