Principal Product Security Engineer

Hard Rock DigitalUnited States, FL
Hybrid

About The Position

We're looking for a Principal Product Security Engineer to own the security of Hard Rock Bet — our sportsbook and casino — from the first line of code to production: how we design and build secure software, and how we find, prioritize, and close vulnerabilities once they exist. Full-lifecycle ownership, not a narrow slice of the pipeline — real autonomy, real accountability for outcomes. You'll be one of three Principal Engineers — Product Security, Identity, and Cloud & Network Security — hired as direct reports to our VP Security / CISO, inside a 16-person security organization. It's a highly regulated, highly targeted business — player data, real-money transactions, wagering integrity — your work directly protects players and our license to operate. If you like owning a problem end to end and making the secure path the fast path to production, this role is built for you.

Requirements

  • 10+ years in application or product security — or equivalent practical experience
  • Deep expertise across the AppSec toolchain: SAST, SCA, and secure code review
  • Strong command of the vulnerability management lifecycle: triage, prioritization, remediation tracking, metrics
  • Hands-on threat modeling and secure-design partnership with engineering teams
  • Working knowledge of a modern programming language and how real applications are built and deployed
  • Experience with CI/CD pipelines and cloud-native application security (our products run primarily on AWS)
  • Excellent communication — you turn a finding into a clear, prioritized ask
  • Fluency with AI — you lead with it, reaching for AI tools daily to work faster and sharper; hands-on experience applying AI to security or engineering work is a must

Nice To Haves

  • Experience in a regulated industry (gaming, financial services, healthcare) — especially payments/PCI DSS or gaming standards (GLI-19, GLI-33)
  • Experience running or maturing a bug-bounty or responsible-disclosure program
  • DAST or API security testing experience — you'll help decide where it fits our stack
  • Relevant certifications (e.g., OSCP, GWAPT, CSSLP, CISSP)

Responsibilities

  • Embed automated checks across our cloud (GitHub Actions) and on-prem product pipelines — GitHub Advanced Security (SAST/SCA) and Wiz Code for application, dependency, and container scanning
  • Define secure-by-default patterns, paved-road guardrails, and standards for secure coding, code review, and dependency hygiene — so teams ship quickly and safely
  • Serve as the application authority for our Zero Trust program, aligned to NIST SP 800-207 and the CISA Zero Trust Maturity Model (Applications & Workloads pillar)
  • Partner with product and engineering on security reviews for new features and payment integrations — running threat modeling (e.g., STRIDE) early in design and turning output into concrete, prioritized work
  • Own the product and application vulnerability lifecycle — one program spanning code, dependency, container, pen-test, and bug-bounty findings, from discovery through remediation
  • Prioritize by real-world risk and drive remediation against risk-based SLAs; engineering owns the fixes, you own the program and the escalation paths that shrink time to remediate
  • Report program health with metrics leadership can act on, and provide evidence for compliance obligations (PCI DSS, GLI, ISO 27001, SOC 2)
  • Defend our applications and APIs against the OWASP Top 10 and API abuse, partner on payment security across our payment gateways, and team with our Principal Cloud & Network Security Engineer — who owns our Cloudflare edge defenses (WAF, Bot Management) — on bot and abuse resilience
  • Own the application security of player-facing account flows — registration, authentication, session management, recovery — partnering with our Principal Identity Engineer on CIAM architecture and with SecOps and Fraud on account-takeover resilience
  • Coordinate penetration testing with external partners and drive findings to closure
  • Mature our existing coordinated-disclosure program into a full bug-bounty capability

Benefits

  • Competitive pay and benefits
  • Flexible vacation allowance
  • A hybrid / remote working environment
  • Startup culture backed by a secure, global brand
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service