Senior Security Engineer, Internal Audit

About The Position

Requirements

• 5+ years of industry-based experience in security vulnerabilities identification, attack patterns, and remediation techniques (non-internship) experience
• Bachelor's degree in Computer Science or a related field
• 5+ years of (non-internship) scripting, programming, and security code review in common programming languages experience
• Knowledge of at least two of the following programming languages: Scala, Java, Python, C/C++, or Go
• Experience as a mentor, tech lead or leading an engineering team
• Experience using standard security assessment and penetration testing tools such as BurpSuite, Metasploit, and IDA Pro
• Experience working directly with security and engineering teams
• Experience in written and verbal communication with the ability to present complex technical information in a clear and concise manner to executives and non-technical leaders
• Demonstrated ability to construct reusable security frameworks, runbooks, or rubrics for complex problem domains

Nice To Haves

• Domain expertise in at least three of: security architecture and engineering, communication and network security, identity and access management (IAM), security assessment and testing, cryptography, software development security, and reverse engineering
• Vulnerability research experience with complex software and hardware components
• Cloud computing (AWS), virtualization, containerization architecture knowledge
• Experience identifying and driving centralized security controls at the organization or company level
• Experience with microservices, APIs, and distributed systems
• Strong data analysis abilities to derive insights from security signals
• Track record of mentoring or coaching security engineers
• Experience resolving root causes of systemic security problems across team boundaries
• Participation in bug bounty programs
• Experience building scalable, reusable security frameworks and tools
• Web service assessment experience with authentication controls, session management, access controls, logic flaws, injection vulnerabilities, request smuggling, cloud privilege escalation, DOS attacks
• Experience using boto3
• Experience leveraging AI/ML tools to enhance security testing, code analysis, or audit workflows
• Demonstrated ability to navigate ambiguity, make tough technical decisions, build consensus across teams, and drive long-term security initiatives with measurable risk reduction

Responsibilities

• Lead independent security audits of Amazon systems, services, and infrastructure to assess whether security controls are effective
• Identify security risks through penetration testing, design reviews, threat modeling, and code analysis
• Investigate security control failures — determine why preventive or corrective controls didn't work, and drive root-cause resolution across team boundaries
• Assess security controls around Amazon's adoption of AI/ML technologies — including model access, training data protection, output integrity, and integration into development workflows — to ensure they result in secure customer experiences
• Build reusable security frameworks, runbooks, and rubrics that enable the team to assess new problem domains repeatably and at scale
• Communicate security risk findings and recommendations clearly to technical teams and senior leadership
• Mentor and develop other security engineers; lead engagements requiring coordination across multiple engineers and teams

Benefits

• sign-on payments
• restricted stock units (RSUs)
• health insurance (medical, dental, vision, prescription, Basic Life & AD&D insurance and option for Supplemental life plans, EAP, Mental Health Support, Medical Advice Line, Flexible Spending Accounts, Adoption and Surrogacy Reimbursement coverage)
• 401(k) matching
• paid time off
• parental leave