Software Engineer, DevSecOps

In This Role, You’ll:

• Build and maintain tooling, scripts, services, and automation that assess, enforce, and monitor security and compliance controls across AWS cloud environments, Kubernetes clusters, and CI/CD pipelines.
• Develop lightweight internal solutions (policy-as-code, custom scanners, CI/CD integrations) that make security and compliance automatic, auditable, and invisible to engineering.
• Embed security guardrails directly into Infrastructure-as-Code (Terraform), container orchestration, and deployment workflows for secure-by-default.
• Partner with infrastructure and platform engineering teams to harden cloud-native systems, implement access controls, encryption, logging/monitoring, and vulnerability management at scale.
• Improve visibility into security posture through automated reporting, dashboards, and real-time observability.
• Translate compliance requirements (SOC 2, FedRAMP, and related frameworks) into pragmatic, enforceable technical implementations.
• Reduce toil by automating security workflows, compliance validation, and remediation.
• Support incident response and post-incident improvements with better observability and tooling.
• Conduct security reviews of new features, services, and infrastructure changes.

The Skillset You’ll Bring:

• 4–7+ years of hands-on experience in security engineering, platform/DevSecOps, or cloud infrastructure roles (founding or early-stage security builder experience strongly preferred).
• Proven track record shipping production-grade security automation in cloud-native environments (AWS strongly preferred).
• Deep familiarity with implementing technical controls for SOC 2, FedRAMP, or similar frameworks in real production systems.
• Strong proficiency in scripting and automation (Python, Go, Bash, or similar) and a bias toward building custom tooling.
• Hands-on experience with Infrastructure as Code (Terraform or equivalent), containerized environments (Kubernetes), and CI/CD systems.
• Working knowledge across core security domains: access control, identity management, least-privilege enforcement, logging/monitoring/auditing, encryption/key management/secrets handling, vulnerability scanning, policy-as-code, continuous compliance, incident response, and change management.
• Ability to assess system state, identify gaps, and deliver pragmatic, high-impact solutions.
• Comfort operating as a founding security engineer in ambiguity, owning standards end-to-end.