Work closely with engineering and product teams as a trusted security partner, helping teams ship securely without unnecessary friction.
Design and implement secure-by-default patterns, SDLC guardrails, and secure primitives (“paved roads”) that reduce the need for manual security reviews.
Contribute to and review code in shared repositories that include customer-facing applications, APIs, infrastructure, and internal tooling.
Identify, prioritize, and drive remediation of security risks across application and cloud environments, with a strong emphasis on AWS and Kubernetes.
Help define practical security standards and explain the why behind them, building understanding, trust, and shared ownership with developers.
Improve automated guardrails and security review capabilities (e.g., policy-as-code, CI/CD controls, Kubernetes controls) to catch issues early while minimizing noise.
Take ownership of product-level security posture for Thoughtful systems while collaborating with the broader security team on shared tooling and strategy.
Requirements
5+ years of experience in product security, security engineering, or software engineering with a strong security focus.
Strong hands-on experience securing applications and cloud infrastructure in production environments.
Practical working knowledge of AWS and Kubernetes beyond surface-level familiarity.
Ability to read, write, and review production-quality code in at least one modern programming language.
Professional experience working directly with developers in shared codebases using Git-based workflows (e.g., authoring pull requests).
Familiarity with CI/CD security, policy-as-code, or automated code review tooling.
Comfort designing solutions — not just identifying problems — and implementing fixes yourself when needed.
Ability to communicate security tradeoffs clearly and pragmatically to technical stakeholders, with sound judgement regarding actual risk and business needs.
High ownership mindset and comfort operating in a fast-moving, evolving startup environment.