Senior Security Engineer

About The Position

Requirements

• 6+ years of experience in security engineering, with demonstrated depth in cloud security (at least one of AWS or GCP required).
• Hands-on experience with IAM design, VPC architecture, security group management, and infrastructure hardening in production environments.
• Experience building or significantly improving vulnerability management programs, including tooling selection, integration, and triage workflows.
• Direct experience with SOC 2 and HIPAA compliance, including evidence collection, control implementation, and auditor interactions.
• Practical incident response experience: you have detected, investigated, and resolved real security incidents, not just written the plan.
• Experience securing containerized applications and CI/CD pipelines.
• Experience securing device or edge computing environments, including firmware updates, device authentication, and network security for IoT or embedded systems.
• Strong written and verbal communication skills. You can explain a risk finding to an engineer and a business stakeholder in the same day.
• Willing and excited to be in the office Tuesday through Thursday (NYC).

Nice To Haves

• Experience with Terraform or similar infrastructure-as-code tools for managing security controls declaratively.
• Familiarity with healthcare or other regulated industries where data protection has real consequences.
• Experience with supply chain security tooling (dependency scanning, SBOM generation, container image signing).
• Track record of building automated credential rotation and secret management pipelines.
• Experience operating security programs at a growth-stage startup where you had to prioritize ruthlessly and build from scratch.
• Relevant certifications (CISSP, AWS Security Specialty, GIAC) are a plus but not required if the experience is there.
• Comfortable reading and reviewing application code (Java preferred) to identify security issues such as overly broad token scoping, improper credential handling, and authentication/authorization flaws. Ability to contribute fixes directly is a plus.

Responsibilities

• Harden and continuously improve the security of Sage's cloud infrastructure across AWS and GCP, including IAM policies, VPC configurations, security groups, and network segmentation.
• Own vulnerability management end to end: implement scanning, triage findings, coordinate remediation with engineering teams, and track resolution. Drive penetration test findings to closure on defined timelines.
• Build and maintain incident response capabilities, including detection tooling, runbooks, and post-incident analysis.
• Drive Sage's SOC 2 and HIPAA compliance programs forward, producing evidence, closing control gaps, and coordinating with external auditors.
• Implement and operate supply chain security controls, including dependency scanning, credential leak monitoring, and secret rotation automation.
• Embed security into CI/CD pipelines and the software development lifecycle through automated checks, secure defaults, and developer education.
• Conduct security reviews of architecture decisions, new services, and third-party integrations. Own the vendor security assessment process for evaluating and tracking third-party risk.
• Establish and maintain key and credential rotation policies with clear ownership and audit trails.
• Implement automated compliance scanning across cloud accounts and projects with defined triage workflows.
• Validate that disaster recovery procedures maintain security controls through failover, including encryption, access control, and network segmentation.
• Partner with engineering, product, and executive stakeholders to communicate security risk clearly and advocate for proportionate investment.

Benefits

• Our benefits package for employees includes competitive base compensation along with stock options.
• We also provide fully-paid health and dental insurance coverage for all of our employees, along with other health benefits including vision insurance, membership to premium primary and urgent care, and online medical health providers.
• We also have a take as you need time off policy, in addition to 7 paid holidays and a company wide winter break during the holidays.