Apollo GraphQL is a company that powers some of the largest GraphQL platforms in the world, aiming to change how software is built. They are seeking a Staff Security Operations Engineer to enhance their application security program, partner with engineering teams, and lead detection and response efforts to protect their products and infrastructure.
Responsibilities:
- Partner with engineering teams to conduct threat modeling and security reviews on new features and architecture changes
- Establish and evolve Apollo's application security program including SAST/DAST tooling, dependency scanning, and secure coding standards
- Drive security requirements into the SDLC, embedding security gates into CI/CD pipelines
- Identify and remediate vulnerabilities in Apollo's products and APIs, with a focus on reducing systemic risk rather than one-off fixes
- Act as a security advisor for product teams building customer-facing features, particularly those involving authentication, authorization, and data handling
- Advance Apollo's detection and response strategy in partnership with engineering and IT leadership
- Implement and maintain adherence to SOC 2 and other cloud security frameworks
- Handle escalations from Sales and Customer Success
- Build and tune monitoring, logging, and alerting systems to improve visibility while reducing noise
- Drive automation of SecOps workflows to speed up investigation and response
- Guide secure adoption of AI across Apollo - from internal use by engineers to AI-powered product features
- Participate in our on-call rotation (we keep this lightweight and reasonable)
Requirements:
- 6+ years in security engineering, spanning both application security and security operations
- Strong foundation in AppSec: threat modeling, SAST/DAST, dependency management, secure SDLC practices
- Deep expertise with detection and response in cloud-native environments
- Experience building and automating security tooling (in a scripting or programming language, and with SIEM, SOAR, or AppSec tooling)
- Proven ability to partner with engineering teams to improve security posture while minimizing the impact on delivery times
- Track record of influencing security culture across an engineering organization
- Strong knowledge of SOC 2, ISO 27001, or similar security frameworks
- Proven ability to lead or coordinate incident response across multiple teams
- Track record of influencing operational security culture and practices without direct authority
- Experienced in application security — familiar with OWASP, threat modeling, secure code review, and API security patterns
- Comfortable contributing to or reviewing code, and knows how to work with developers in ways that actually improve security culture (not just file findings)
- Has shipped developer-facing security tooling or guardrails — things engineers actually use
- Skilled at both cloud security controls (AWS, GCP) and application-layer security — understands the full stack from infrastructure up through the API and application layer
- Comfortable working directly with engineers to embed operational security practices into their workflows
- Strong communicator who can explain threats and mitigations clearly to both technical and non-technical audiences
- Excited about the intersection of AI and security, with ideas for how to safely harness AI while managing its risks
- Motivated by outcomes - not just solving incidents, but building resilient systems and reducing risk at scale
- Experience working with AI security - either in detection, incident response, or product security contexts
- Prior experience supporting enterprise customer audits or due diligence processes
- Familiarity with Terraform, Kubernetes, or other modern infrastructure stacks
- Hands-on experience with threat hunting and detection engineering
- Experience securing GraphQL APIs, federation, or API gateway patterns
- Familiarity with software supply chain security (SBOM, Sigstore, dependency auditing)
- Prior work on security champions programs or developer security education