About The Position

We are looking for a Senior Security Engineer to lead security governance, compliance, and assurance work in our fully cloud-native AWS environment. You will work as part of our security team, owning a broad scope: running security reviews and approvals for new initiatives, leading access reviews, designing our vulnerability and incident response frameworks, driving PCI DSS, DORA, and CSSF audits, and managing external penetration testing programs. We are an EMI-licensed fintech, use AI heavily, and we are growing fast. We need someone who can keep our security in good shape for regulators and auditors, explain it clearly to leadership, and ship practical solutions instead of paperwork.

Requirements

  • 5+ years in security engineering or GRC, with time in a regulated environment.
  • Track record of running security reviews on real initiatives and explaining security clearly to engineers, execs, and auditors.
  • Experience designing and running security programs end-to-end – vulnerability management, access governance, or external testing (pentests, TLPT, ASV scans, bug bounty) – and driving findings to closure.
  • Hands-on support for at least two of PCI DSS, DORA, CSSF, ISO 27001, or SOC 2, including direct work with external auditors.
  • Working knowledge of AWS and Kubernetes – enough to read IaC, validate findings, and push back on weak fixes.
  • Comfortable scripting and automating to cut manual GRC work.
  • Strong written and spoken English.

Nice To Haves

  • Experience building security automation or internal tooling that reduces manual effort – for vulnerability management, access reviews, or incident response.
  • Experience in a fintech, payments, or EMI-licensed company.

Responsibilities

  • Review new products, features, architectural changes, vendors, and AI systems early in design – give a clear verdict on what's safe to ship, what must be fixed first, and what we accept.
  • Own access recertification end-to-end (scope, automation, evidence, audit readiness) and make sure joiner/mover/leaver, privileged access, and SoD controls actually work across AWS, Kubernetes, SaaS, and internal tools.
  • Run the remediation process end-to-end: severity model, SLAs, exceptions, ownership routing, escalation, and leadership reporting. Turn output from SAST, SCA, container, cloud, and AI scanners into prioritized work with readable dashboards.
  • Design the IR and containment framework (escalation paths, isolation triggers, decision authority, documentation) and define logging standards – what's captured, retention, protection, reporting – so the security team and auditors can rely on it.
  • Plan and run external testing across apps, AWS, Kubernetes, and AI systems: pentests, TLPT (DORA), ASV scans (PCI DSS), and bug bounty. Drive findings to closure and feed recurring issues back into preventive controls.
  • Lead security workstreams across audits: scoping, evidence, walkthroughs, findings response, and remediation tracking.
  • Maintain a living mapping of regulatory requirements to internal controls and evidence, and support Legal, Risk, and Compliance on ICT and third-party oversight – they own risk, you bring security context.

Benefits

  • Hybrid model or fully remote
  • Relocation support to Cyprus (visa, package)
  • Competitive senior-level compensation
  • Learning & development budget
  • Fully paid vacation and sick leave
  • Sports compensation