Principal / Staff Security Engineer - AI Platform & DevSecOps

About The Position

Requirements

• 10+ years in security engineering, with 3+ years owning a DevSecOps or platform-security program in a cloud-native environment (AWS strongly preferred)
• AppSec depth: shipped and operated SAST/DAST/SCA (e.g., Codacy, Semgrep, CodeQL, Snyk, Veracode, or equivalents) at production scale
• AI security: hands-on hardening of a production LLM deployment (AWS Bedrock, Azure OpenAI, Vertex AI, or equivalent) — IAM, VPC routing, guardrails, eval gating. RAG-demo experience alone does not meet the bar
• EDR/XDR + cloud security platform operator: production experience administering CrowdStrike Falcon (Insight/XDR, Cloud Security CNAPP/CSPM, Identity Protection, or Next-Gen SIEM), SentinelOne, Microsoft Defender XDR, or equivalent, including custom detection authoring
• Zero-trust access: experience standing up or operating a privileged-access broker (e.g., Teleport, StrongDM, BeyondTrust, CyberArk, HashiCorp Boundary)
• SBOM/AIBOM tooling: operated Interlynk, Anchore, Dependency-Track, or equivalent at production scale
• Vulnerability management: production experience with Trivy, Aqua, Wiz, Orca, Lacework, or equivalent across containers, IaC, and SCA
• IaC & policy-as-code: Terraform plus production policy-as-code (OPA/Rego, Checkov, Kyverno, tfsec, or equivalent) in a live pipeline
• Container & Kubernetes security: production experience with admission controllers (Kyverno, Gatekeeper), runtime visibility (Falco or equivalent), and pragmatic Kubernetes hardening (gVisor, Kata where it earns its keep)
• DLP experience: real-world sensitive-data discovery across SaaS or developer tooling, including AI-assisted environments
• Compliance fluency: has personally driven SOC 2 Type II or ISO 27001 controls to audit, and can read a control map without flinching.
• Bay Area based; able to work hybrid (3 days/week in office)

Nice To Haves

• Hands-on MCP work — design, hardening, or auth — even early-stage
• ISO 42001 implementation experience; ISO/IEC 42001 Lead Implementer or Lead Auditor certification, or comparable AI-governance leadership
• Familiarity with NIST AI RMF and the EU AI Act's high-risk system requirements
• Prompt-layer DLP and AI runtime guardrails (e.g., Nightfall, Lakera Guard, Cyberhaven, Harmonic Security, Protect AI, NVIDIA NeMo Guardrails)
• LLM eval-as-gate in CI (e.g., Promptfoo, Garak, DeepEval, Giskard) and AI red-teaming experience
• Modern PAM / zero-trust rollouts (Teleport, StrongDM) and SaaS posture management (e.g., AppOmni, Obsidian)
• Experience securing SaaS products sold into regulated sectors (utilities, energy, financial services, healthcare)
• Public signals: conference talks (fwd:cloudsec, DEF CON AI Village, BSides) or open-source contributions in CI/CD, MCP, or LLM-deployment security
• Leadership of incident response for a material security event
• Comfort working with remote, distributed engineering teams across US/India time zones

Responsibilities

• Operate and mature our AppSec toolchain across CI/CD — SAST, DAST, SCA, secrets scanning, and IaC policy-as-code. Deepen coverage and evaluate additional tooling where gaps are real
• Run threat modeling and secure-design reviews; champion shift-left so security is part of every PR, not a gate at the end
• Operate the AIBOM / SBOM toolchain; enforce risk-tiered dependency controls and extend SLSA practices to model artifacts
• Harden production GenAI deployments on AWS (managed model APIs, agentic / MCP services) — IAM, VPC routing, prompt-layer guardrails, output filtering, rate/cost controls
• Codify OWASP LLM Top 10 and MITRE ATLAS controls into the SDLC; introduce LLM eval-as-gate in CI
• Govern internal AI-assisted developer tooling — DLP for what egresses to external model providers, sensitive-data discovery in prompts, and acceptable-use telemetry
• Stand up controls for vibe-coded apps and shadow AI: discover, classify, gate with sane defaults, and bring under the SDLC
• Lead the company's path to ISO 27001 and ISO 42001 (AI Management System) certifications in 2027 — scope the management systems, run gap assessments, build the control sets, and steer the audit cycles
• Maintain our SOC 2 Type II posture; manage the evidence pipeline, control mappings, and external auditor relationships
• Maintain alignment with the NIST AI RMF and translate emerging AI regulation (EU AI Act, US state AI laws, utility-sector mandates) into concrete engineering requirements
• Operate our endpoint, cloud, identity, and SIEM platforms end-to-end. Own detection engineering, tuning, and integration with the rest of the stack
• Harden AWS posture across accounts (Organizations, SCPs, Control Tower); mature Kubernetes security (admission controllers, runtime visibility, pragmatic hardening)
• Stand up zero-trust privileged access — short-lived, audited sessions for production infra, databases, and Kubernetes
• Lead IT-Security: device posture, identity (SSO, MFA, SCIM), network segmentation, SaaS posture, and offboarding hygiene
• Build and tune detections in our SIEM; own the on-call rotation, runbooks, and IR retainer relationships
• Run tabletop exercises across Eng, Legal, and Exec; lead post-incident reviews with blameless write-ups
• Translate AI threat research — prompt injection, data poisoning, model inversion, agent hijacking — into detections and controls that ship with every release

Benefits

• Comprehensive Medical, Dental, and Vision Coverage: 100% coverage for employees and 80% for their spouses and children
• Health Reimbursement Account (HRA): 100% funded by AiDASH to cover medical deductibles
• 401(k) Plan: Begin contributing after three months of employment to prepare for your future. Currently, no company match is offered
• Parental Leave: Supportive parental leave with 16 weeks for primary caregivers and 4 weeks for secondary caregivers
• Generous Vacation Policy: Accrue 20 vacation days per year, plus enjoy an additional flex holiday to celebrate whatever feels most important to you!
• Winter Break: From December 25th through January 1st, we give everyone time off to recharge and enjoy time with family and friends!