Principal Product Security Engineer

Hard Rock Digitalβ€’United States, FL
β€’Hybrid

About The Position

Hard Rock Digital is building the best online sportsbook, casino, and social gaming company in the world. We are seeking a Principal Product Security Engineer to take ownership of the security of Hard Rock Bet, from initial code development through to production. This role involves designing and building secure software, identifying, prioritizing, and resolving vulnerabilities. The position offers full-lifecycle ownership with significant autonomy and accountability for outcomes. The successful candidate will report directly to the VP Security / CISO and will be part of a 16-person security organization. This is a critical role in a highly regulated and targeted business, directly protecting player data, real-money transactions, and wagering integrity.

Requirements

  • 10+ years in application or product security, or equivalent practical experience.
  • Deep expertise across the AppSec toolchain: SAST, SCA, and secure code review.
  • Strong command of the vulnerability management lifecycle: triage, prioritization, remediation tracking, metrics.
  • Hands-on threat modeling and secure-design partnership with engineering teams.
  • Working knowledge of a modern programming language and how real applications are built and deployed.
  • Experience with CI/CD pipelines and cloud-native application security (products run primarily on AWS).
  • Excellent communication skills, with the ability to translate findings into clear, prioritized asks.
  • Fluency with AI, with daily hands-on experience applying AI to security or engineering work.

Nice To Haves

  • Experience in a regulated industry (gaming, financial services, healthcare), especially payments/PCI DSS or gaming standards (GLI-19, GLI-33).
  • Experience running or maturing a bug-bounty or responsible-disclosure program.
  • DAST or API security testing experience.
  • Relevant certifications (e.g., OSCP, GWAPT, CSSLP, CISSP).

Responsibilities

  • Embed automated security checks across cloud (GitHub Actions) and on-prem product pipelines, utilizing tools like GitHub Advanced Security (SAST/SCA) and Wiz Code for application, dependency, and container scanning.
  • Define secure-by-default patterns, guardrails, and standards for secure coding, code review, and dependency hygiene to enable teams to ship quickly and safely.
  • Serve as the application authority for the Zero Trust program, aligning with NIST SP 800-207 and the CISA Zero Trust Maturity Model (Applications & Workloads pillar).
  • Partner with product and engineering teams on security reviews for new features and payment integrations, conducting threat modeling (e.g., STRIDE) early in the design phase and translating outputs into concrete, prioritized work.
  • Own the product and application vulnerability lifecycle, managing a unified program for code, dependency, container, pen-test, and bug-bounty findings from discovery to remediation.
  • Prioritize vulnerabilities based on real-world risk and drive remediation against risk-based SLAs, managing the program and escalation paths to reduce remediation time.
  • Report program health using actionable metrics and provide evidence for compliance obligations (PCI DSS, GLI, ISO 27001, SOC 2).
  • Defend applications and APIs against OWASP Top 10 threats and API abuse, partnering on payment security with payment gateways and collaborating with Cloud & Network Security on bot and abuse resilience.
  • Own the application security of player-facing account flows, including registration, authentication, session management, and recovery, in partnership with the Principal Identity Engineer and SecOps/Fraud teams.
  • Coordinate penetration testing with external partners and drive findings to closure.
  • Mature the existing coordinated-disclosure program into a full bug-bounty capability.

Benefits

  • Competitive pay and benefits
  • Flexible vacation allowance
  • A hybrid / remote working environment
  • Startup culture backed by a secure, global brand
Β© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service