Lead Security Engineer

About The Position

Requirements

• AppSec-first mindset: Your core strength is application security. You think about auth flows, data isolation, injection vectors, and API boundaries instinctively. You’ve found and fixed real vulnerabilities in production systems.
• AI-native instincts: You have a practical thesis on using LLMs, agents, and automation to multiply the security team's impact. You're excited to use AI for tasks like automated code review triage, vulnerability prioritization, security questionnaire drafting, and pattern detection so the security function scales through leverage, not just headcount.
• Engineer who does security: You write code, read code, and think about security through an engineering lens. You’re comfortable contributing to production systems in Python and TypeScript when needed.
• Pragmatic risk thinker: You can look at a system design and quickly identify where the risks are, then prioritize based on actual impact rather than theoretical severity.
• Strong communicator: You translate security risks into business terms, influence engineering teams without direct authority, and present to enterprise customers with confidence.
• Comfortable with ambiguity: You’re owning a lot at a growth-stage company and will not have playbooks for everything. You’re energized by that.
• 8+ years in security with a primary background in application security, product security, or security-focused software engineering.
• Track record of building or significantly maturing a security program, ideally at a growth-stage SaaS company.
• Strong programming skills with demonstrated experience writing production software.
• Familiarity with AWS security services and patterns: IAM, VPC, CloudTrail, KMS. You can identify misconfigurations and security gaps, even if you’re not the one writing Terraform.
• Experience with threat modeling methodologies and secure design review processes.
• Experience managing external penetration tests and coordinating remediation.

Nice To Haves

• Familiarity with AI/LLM security considerations and emerging risks in agentic AI systems is a plus.
• Experience supporting compliance frameworks (SOC 2, ISO 27001, NIST, FedRAMP) from the technical controls side is a plus.

Responsibilities

• Application security and secure development
• Lead secure design reviews, threat modeling, and security-focused code reviews across the product and platform.
• Ensure security is ingrained into the SDLC so that the secure path is the easy path for engineers with secure-by-default libraries, patterns, and guardrails.
• Own authentication, authorization, API security, and data protection architecture for a multi-tenant SaaS platform.
• Architect and maintain security tooling integrated into CI/CD pipelines: static analysis, dependency scanning, secrets detection.
• AI security
• Evaluate and mitigate risks specific to Fieldguide's AI Agents — prompt injection, data leakage through LLM contexts, unauthorized tool use, and unintended agent behaviors.
• Partner with Agent and Platform teams to define security boundaries for agent execution: sandboxing, least-privilege tool access, and runtime policy enforcement.
• Contribute to Fieldguide's approach to responsible AI, ensuring customer data is protected throughout the AI pipeline from ingestion through inference.
• Vulnerability management
• Build and run Fieldguide’s vulnerability management program: scanning, triage, SLA-driven remediation tracking, and engineering coordination.
• Ensure visibility into vulnerability posture across application code, dependencies, and infrastructure.
• Manage external penetration testing engagements, bug bounty programs, and coordinate remediation of findings.
• Infrastructure security
• Partner with infrastructure engineering to review and improve cloud security across our AWS environment: IAM, network architecture, secrets management, and logging.
• You don’t need to be an AWS infrastructure expert, but you should be comfortable identifying risks and recommending improvements.
• Ensure detection and monitoring capabilities are in place for security-relevant events via SIEM.
• Security operations
• Establish runbooks, communication protocols, and post-incident review practices in coordination with a 24/7 MDR team.
• Collaborate with engineers on incident response processes and playbooks
• Cross-functional leadership and customer trust
• Partner with Compliance to ensure technical controls satisfy framework requirements (SOC 2, ISO 27001, ISO 42001, FedRAMP).
• Help GTM teams articulate Fieldguide’s security posture to enterprise customers.
• Start as an individual contributor, but as the security program matures, hire and mentor security engineers. Set the culture and standards for how security operates at Fieldguide.

Benefits

• Competitive compensation packages with meaningful ownership
• Flexible PTO
• 401k
• Wellness benefits
• Technology & Work from Home reimbursement
• Flexible work schedules