Senior Security Engineer

 Posted 24 days ago
     
10+ years experience

AI Summary

Lead security testing across cloud and on-prem infrastructure while integrating security into CI/CD pipelines. Establish security monitoring, incident response playbooks, and ensure compliance with HIPAA, SOC 2, and ISO 27001 standards.

The Position

As our first dedicated Senior Security Engineer, you will join a remote, global health‑tech team that works at the intersection of genomics, AI, and consumer health. You will report to the Head of Engineering, partner closely with DevOps, bioinformatics, and developers, and help protect highly sensitive health and genomic data as we grow.
You will build security practices, and your work will directly shape how the company operates and earns customer and partner trust. Success in this role means being proactive, collaborative, clear in your communication, and comfortable executing in a fast-moving startup environment while partnering across functions and time zones.

The Impact

  • Lead security testing for our web apps, APIs, cloud (AWS/OCI), Kubernetes, and on‑prem servers, and clearly document vulnerabilities you find.
  • Build security into our CI/CD pipelines with DevOps, including code and app scanning and stronger secrets management.
  • Work with bioinformatics to secure genomic data pipelines and protect PHI/PII in line with HIPAA requirements.
  • Set up and run security monitoring, alerting, and incident response, with practical playbooks and runbooks the team can follow.
  • Lead the technical work needed for HIPAA, SOC 2, and ISO 27001 readiness and future audits.
  • Help design and improve logging and SIEM use so the team can spot and respond to threats faster.
  • Translate security findings into clear, prioritized tasks that engineering and DevOps teams can execute.
  • Partner with engineers, DevOps, and bioinformatics so security is built into how we design, build, and ship systems.
  • Contribute to threat modeling and secure design discussions for new and existing services.
  • Maintain clear, concise security documentation, including standards, guidelines, and incident procedures.
  • Support vendor and third-party security assessments by reviewing findings and driving remediation with the team.
  • Provide input into security aspects of our architecture and infrastructure decisions.
  • Support security aspects of our performance tasks and assessments, including translating real-world attack methods into learnings for the team.
  • Help raise security awareness across the company by sharing best practices with engineers and partner teams.
  • Collaborate across time zones and functions to plan, prioritize, and communicate security work and trade‑offs.

Dominant and Recessive Traits

  • 8+ years in security engineering, DevSecOps, or infrastructure security roles.
  • Strong hands-on penetration testing and vulnerability discovery skills, using both manual methods and tools. OSCP, OSCE, or equivalent certifications are a plus; we value candidates with real-world offensive experience, not just institutional credentials.
  • Deep experience securing AWS and OCI cloud and Kubernetes (RBAC, IAM, network policies, containers, secrets), as well as bare metal and on-premises server environments.
  • Experience adding and tuning security tools in CI/CD (such as Semgrep, CodeQL, OWASP ZAP, Burp Suite).
  • Comfortable with tools like Burp Suite, Metasploit or similar, OWASP ZAP, Semgrep or CodeQL, CloudTrail, Falco, Terraform, Docker, Git/GitHub, Cloudflare, and Google Workspace.
  • Experience with SIEM or log aggregation and real‑time detection and monitoring.
  • Familiarity with HIPAA, SOC 2, and how to protect PHI/PII in regulated or high‑sensitivity environments.
  • Clear written and verbal communication, especially for explaining security issues and recommendations to technical teams.
  • Ability to influence and collaborate with engineering, DevOps, and data teams without formal authority.
  • Comfortable working independently in a remote, fast-moving startup with limited existing security processes.
  • Experience with eCommerce and checkout security, including securing payment flows, cart and order APIs, and protecting against fraud, skimming attacks, and checkout abuse.
  • Experience with vulnerability research, responsible disclosure, or red team operations is a strong plus.
