Senior Security Engineer | Scrabble

full-time
Posted on March 5, 2026

Job Description

Senior/Staff Security Engineer

Company Overview

We are a well-funded Series A startup operating in the Software as a Service (SaaS) domain, focused on developing a Governance, Risk, and Compliance (GRC) platform that helps enterprises automate compliance, manage risk, and scale security programs. Our culture fosters innovation and collaboration, with a strong emphasis on leveraging technology to provide cutting-edge solutions.

Job Summary

The Senior/Staff Security Engineer is primarily an engineering role, with a secondary focus on security. This position is responsible for owning product security across the Governance, Risk Management, and Compliance (GRC) platform, specifically securing AI agents that interact with enterprise compliance data. The role emphasizes high autonomy and ownership, requiring the candidate to build and define security practices and programs within the organization.

Responsibilities

  • Product & Application Security: Lead threat modeling for new features, particularly focusing on API design and data handling concerning AI agent workflows and multi-tenant isolation boundaries.
  • Security Code Reviews: Conduct security code reviews as part of the engineering lifecycle, integrating security as a core aspect of the development process.
  • Security Tooling: Build and maintain security tooling integrated into Continuous Integration/Continuous Deployment (CI/CD) processes including Static Application Security Testing (SAST), Software Composition Analysis (SCA), secret scanning, and vulnerability prioritization.
  • Vulnerability Management: Own the vulnerability management program end-to-end, including intake, triage, prioritization, service level agreements (SLAs), and tracking through remediation.
  • Bug Bounty Program: Run the bug bounty program encompassing scoping, validation, root cause analysis, bounty awards, and building hacker community relationships.
  • AI & Agentic System Security: Define security architecture for AI agents, including permission models, sandboxing, output validation, and data boundary enforcement.
  • Developer Security Culture: Build security standards and design patterns for engineering teams to facilitate independent security decisions while partnering with the GRC team to translate security work into audit evidence.

Qualifications

  • Experience: Minimum of 7 years in application security, product security, or software engineering with a strong emphasis on security.
  • Technical Skills: Strong proficiency in Python (or similar languages) and experience with cloud security (IAM, storage policy, secrets management, network controls, preferably AWS).
  • Threat Modeling: Experience applying threat modeling methodologies such as STRIDE or PASTA to production systems with genuine engineering input.
  • AI/ML Security: Familiarity with AI/ML security risks and practical experience with testing large language model (LLM) integrations or agentic systems.
  • CI/CD Integration: Proven experience integrating security tools (DAST, SAST, SCA) into CI/CD pipelines and making their output actionable for product engineers.
  • Development Mindset: A demonstrated ability to think like an attacker while building secure systems as an engineer.

Preferred Skills

  • Experience with bug bounty management or hunting.
  • Familiarity with compliance frameworks (SOC 2, ISO 27001) from an engineering perspective.
  • Contribution to public security work through blogs, talks, write-ups, or open-source tooling demonstrating independent security thinking.

Experience

  • 7+ years of relevant experience in application or product security with a deep focus on secure software engineering practices.
