Lead secure architecture reviews and threat modeling for new features, major changes, and sensitive workflows/integrations, translating outcomes into concrete mitigations teams can ship.
Build and evolve secure “paved road” components—standards, defaults, and reusable frameworks—so the secure path is the easiest path.
Integrate and tune automated controls in CI/CD to prevent vulnerabilities from reaching production.
Improve developer experience by making security tooling and guardrails easy to use, and serve as a trusted security partner by providing practical guidance so teams can ship secure features faster and reduce repeat issues.
Perform targeted code reviews and assessments on high-risk areas to proactively identify security issues.
Continuously improve the processes for intake, prioritization, resolution, and recurrence prevention of vulnerabilities. Coordinate external penetration tests and vulnerability disclosure submissions.
Partner with DevOps/platform teams to harden infrastructure and embed practical guardrails that reduce risk across cloud environments, IAM, Kubernetes, and deployment pipelines.
Improve dependency and third-party risk management through scalable workflows that reduce exposure and speed response.
Define lightweight, outcome-based metrics to focus effort on the highest-impact risk reductions.
Implement AI-assisted security workflows to improve early detection, reduce noise, and accelerate remediation, with human verification.
Support triage of infrequent security events impacting the product, and drive post-incident learnings into preventative controls.
Requirements
5+ years of experience in product security, application security, security engineering, or equivalent experience as a software engineer or architect with substantial security ownership.
Hands-on software development experience and the ability to read and write production code in one or more languages (e.g., Python, C#, Ruby, JavaScript/TypeScript).
Security certifications (e.g., OSCP, OSWE, cloud security certifications) are helpful but not required—demonstrated impact matters most.