Sr./Staff Security Engineer

What You'll Do

• Own threat modeling across our core platform APIs, risk decisioning and event-ingestion systems, and agentic AI products; harden multi-tenant isolation and data-handling across designs and PRs.
• Design, implement, and deploy authentication, authorization (user and API), and RBAC across our platform: own and propose new approaches as we scale
• Stand up our AppSec program from the ground up: SAST (Semgrep), SCA (Dependabot/Snyk), secret scanning, IaC scanning, and container scanning on Pulumi + EKS
• Build guardrails around LLM usage — prompt-injection defenses, output validation, and cost and abuse monitoring on Bedrock/Anthropic/OpenAI calls
• Drive security incident process, vulnerability triage, and the responsible-disclosure workflow
• Write SECURITY.md, maintain a threat registry, and champion secure-by-default patterns across the engineering org
• Partner with IT on shared areas — incident response across corporate and product, access reviews, and audit evidence collection
• Collaborate with product and engineering teams on feature design, embedding security early rather than gating at the end
• Keep us aligned with current security standards and trends (OWASP, MITRE ATT&CK, and emerging LLM/agent security guidance)

You Might Be a Fit If You Have

• Strong software engineering fundamentals — 5+ years building software, with the last 3+ focused on application or product security, ideally at a fintech or data-heavy SaaS company
• Strong hands-on Java and/or Python code review skills — you're comfortable in a PR, not just in a report
• Experience with SSO, SAML, OAuth 2.0, JWT, mTLS, and JOSE; multi-tenant authZ; PII handling/tokenization
• Working knowledge of AWS security primitives (IAM, KMS, Secrets Manager, VPC) and Kubernetes

Nice to Have

• Experience providing technical evidence and controls for SOC 2 / PCI / ISO 27001 audits
• Prior experience building or tuning SAST rules (Semgrep, CodeQL)
• OSCP, CISSP, or a meaningful bug-bounty track record