Security Engineer
Location: Worldwide (Remote-first / Hybrid optional)
Reports to: Principal Engineer, Platform
About CINC Systems
CINC Systems is the leading provider of accounting and management software for the community association management industry. Our platform powers tens of thousands of associations and millions of homes through secure, reliable, and increasingly intelligent software systems.
We are evolving our platform into an AI enabled ecosystem that combines modern SaaS architecture, operational workflows, communications, payments, analytics, and automation into a unified customer experience. This transformation requires engineers who are equally comfortable designing enterprise systems, working directly with business workflows, and leveraging AI to accelerate software development and product capabilities.
The systems we build are increasingly interconnected and AI enabled. Success in this environment requires more than coding ability alone. It requires judgment, systems thinking, customer understanding, and the ability to integrate modern AI capabilities into practical enterprise software.
Role Overview
We are looking for a highly technical Security Engineer with deep experience across application security, AWS cloud security, offensive security, secure SDLC, threat modeling and AI security. This role is suited for someone who can operate at both the engineering and adversarial levels by reviewing architecture, testing applications, identifying exploitable weaknesses, automating security workflows, securing AWS infrastructure and helping product teams build resilient systems.
The ideal candidate has hands-on experience with SAST, DAST, SCA, manual application security testing, AWS security reviews, red teaming, SIEM-driven detection workflows, infrastructure-as-code security and security automation. They should be comfortable working directly with engineering teams while also thinking like an attacker to uncover realistic abuse paths across applications, APIs, AWS services, CI/CD pipelines and AI-enabled systems.
Key Responsibilities
- Lead security reviews for web applications, APIs, microservices, AWS workloads, internal platforms and AI-enabled products.
- Perform advanced application security testing using SAST, DAST, SCA, manual code review, API testing and business logic testing.
- Identify vulnerabilities across authentication, authorization, session management, access control, injection, SSRF, deserialization, insecure file handling, data exposure and insecure API design.
- Conduct threat modeling for new products, critical features, AWS architectures, AI workflows, identity systems and high-risk data flows.
- Build and improve secure SDLC processes, including security requirements, code scanning, dependency review, CI/CD security gates and release risk assessments.
- Review infrastructure-as-code templates such as Terraform, CloudFormation, AWS CDK, Helm charts and Kubernetes manifests for security misconfigurations.
- Assess AWS environments for IAM weaknesses, exposed services, insecure networking, public S3 buckets, secrets leakage, logging gaps, encryption issues, workload risks and privilege escalation paths.
- Review AWS IAM policies, roles, trust relationships, permission boundaries, service control policies, identity federation and cross-account access patterns.
- Assess AWS services such as EC2, S3, Lambda, ECS, EKS, RDS, API Gateway, CloudFront, WAF, KMS, Secrets Manager, Systems Manager, ECR, VPC, Route 53 and IAM Identity Center.
- Conduct red team exercises, adversary simulations, attack path analysis and controlled exploitation to validate real-world risk.
- Develop proof-of-concept exploits, custom scripts and automation to reproduce vulnerabilities and demonstrate business impact.
- Evaluate containerized and Kubernetes environments, including EKS, for workload isolation, RBAC issues, exposed services, image risks, secrets handling and runtime security gaps.
- Assess CI/CD pipelines for insecure workflows, overprivileged tokens, secrets exposure, supply chain risks, artifact integrity and deployment abuse paths.
- Perform software composition analysis to identify vulnerable dependencies, license risks, malicious packages, transitive dependency exposure and supply chain weaknesses.
- Use SIEM and security telemetry to support investigations, validate attack paths, improve detections and measure control effectiveness.
- Build detection logic, threat hunting queries, dashboards and alerting workflows using SIEM platforms such as Splunk, Microsoft Sentinel, Elastic, Chronicle or AWS-native telemetry.
- Use AWS security services such as GuardDuty, Security Hub, CloudTrail, AWS Config, Inspector, Detective, Macie, IAM Access Analyzer, Security Lake and CloudWatch to improve visibility and detection coverage.
- Automate security workflows using Python, Bash, PowerShell, Go or similar scripting languages.
- Develop threat automation for vulnerability enrichment, alert triage, AWS posture checks, attack simulation, evidence collection and remediation tracking.
- Partner with DevOps and platform teams to improve secrets management, identity controls, network segmentation, logging, monitoring and secure deployment patterns.
- Assess AI and LLM-based systems for risks such as prompt injection, indirect prompt injection, data leakage, insecure tool use, excessive agency, jailbreaks, model abuse, retrieval poisoning and unsafe agent behavior.
- Review AI workloads using AWS services such as Amazon Bedrock, SageMaker, Lambda, API Gateway, S3, KMS and IAM for secure design, data protection and access control.
- Produce clear technical reports with evidence, exploitability, impact, likelihood, risk rating and actionable remediation guidance.
- Mentor engineers and security team members on secure coding, AWS security, offensive testing, threat modeling and AI security risks.
Required Qualifications
- Strong hands-on experience in application security, product security, AWS cloud security, offensive security or security engineering.
- Deep understanding of secure SDLC practices and experience embedding security into engineering workflows.
- Practical experience with SAST, DAST, SCA, manual penetration testing, code review and vulnerability validation.
- Strong knowledge of OWASP Top 10, OWASP API Security Top 10, OWASP ASVS, common CWE classes and real-world application attack techniques.
- Experience testing web applications, APIs, microservices, cloud services, containers and distributed systems.
- Strong understanding of authentication, authorization, identity federation, OAuth, OIDC, SAML, JWT, session security and access control design.
- Hands-on experience securing AWS environments in production.
- Strong knowledge of AWS IAM, VPC networking, encryption, KMS, Secrets Manager, S3 security, CloudTrail, GuardDuty, Security Hub, AWS Config and workload hardening.
- Experience reviewing infrastructure-as-code and identifying security issues in Terraform, CloudFormation, AWS CDK, Kubernetes YAML, Helm, Dockerfiles or similar technologies.
- Experience with CI/CD security across tools such as bitbucket pipelines, Jenkins, AWS CodePipeline, or similar platforms.
- Experience with red teaming, adversary emulation, penetration testing, exploit development, attack path mapping or offensive security assessments.
- Familiarity with SIEM platforms and the ability to write detection or hunting queries using SPL, KQL, SQL, Lucene, YARA, Sigma or similar languages.
- Strong scripting ability in Python, Bash, PowerShell, JavaScript or similar languages.
- Ability to automate repetitive security tasks and build internal tools that improve security testing, visibility and response.
- Familiarity with container and Kubernetes security, including ECS,EKS, RBAC, admission controls, image scanning, runtime controls, network policies and secrets handling.
- Ability to review code in languages such as Python, JavaScript, TypeScript, Java, Go, Kotlin, C# or similar.
- Strong written and verbal communication skills, with the ability to explain complex technical risks to engineering and leadership teams.
Preferred Qualifications
- Experience securing AI-enabled applications, LLM products, autonomous agents, RAG pipelines, AI plugins or ML infrastructure.
- Experience performing AI red teaming, prompt injection testing, jailbreak testing, model abuse testing or evaluation of agentic workflows.
- Experience with AWS Organizations, Control Tower, service control policies, multi-account security patterns and centralized logging.
- Experience with threat modeling methodologies such as STRIDE, PASTA, attack trees, abuse cases, data flow diagrams or architecture risk reviews.
- Experience with security automation, SOAR workflows, detection-as-code, policy-as-code or cloud security posture automation.
- Experience with tools such as Burp Suite Pro, OWASP ZAP, Semgrep, CodeQL, Checkmarx, Fortify, Veracode, Snyk, Dependabot, Trivy, Grype, Syft, Gitleaks, Checkov, tfsec, Prowler, ScoutSuite, Wiz, Prisma Cloud or similar.
- Experience building custom security tooling, scanners, exploit harnesses, detection rules, cloud guardrails or CI/CD security integrations.
- Experience with MITRE ATT&CK, MITRE ATLAS, CIS Benchmarks, AWS Well-Architected Security Pillar, NIST, ISO 27001, SOC 2, PCI DSS or similar frameworks.
- Experience with bug bounty programs, coordinated vulnerability disclosure, internal red team programs or external penetration testing engagements.
- Relevant certifications such as OSCP, OSWE, OSEP, GWAPT, AWS Certified Security Specialty, AWS Solutions Architect, CISSP or equivalent practical experience.
What Success Looks Like
- Security is embedded into design, development, testing and deployment workflows.
- SAST, DAST, SCA, secrets scanning, IaC scanning and AWS posture checks are implemented with practical tuning and low operational noise.
- High-risk application and AWS vulnerabilities are identified early, validated accurately and remediated with engineering partnership.
- Threat models are used to influence architecture decisions before systems reach production.
- Red team findings translate into improved controls, stronger detections and reduced attack paths.
- SIEM, AWS logs and security telemetry are used to validate security controls and detect realistic abuse scenarios.
- Security automation reduces manual review effort and accelerates vulnerability management, investigation and remediation.
- AI-enabled systems are reviewed for emerging threats before they are released or scaled.
- Engineering teams view security as a technical partner that helps them ship resilient products.