Staff DevSecOps Engineer

About The Position

Requirements

• 10+ years of experience in security engineering, DevSecOps, cloud security, or platform security roles, including significant time as a senior individual contributor.
• Deep, hands-on experience securing modern CI/CD pipelines, including production deployment of SAST, DAST, SCA, secrets, container, and IaC scanning.
• Strong cloud security expertise, with primary depth in Google Cloud Platform—or proven multi-cloud expertise and the ability to operate authoritatively in GCP.
• Expert-level Terraform skills and a track record of building secure-by-default IaC modules consumed by other engineers.
• Demonstrated experience standing up and operating a SIEM end-to-end—from log source design through detection engineering and alert tuning.
• Hands-on incident response leadership, including runbook authorship, on-call design, and serving as a senior responder during real incidents.
• Practical experience operating in environments governed by SOC 2, HIPAA, and ISO 27001, with a clear understanding of how engineering controls map to framework requirements.
• Strong programming or scripting skills (Python, Go, or similar) sufficient to build automation, integrations, and tooling—not just to configure off-the-shelf products.
• Excellent partnership skills and a developer-empathetic mindset; track record of making security the path of least resistance rather than a bottleneck.
• Strong affinity and practical skill for working with LLMs and AI agents as part of your own workflow—clear judgment on when and how to deploy them to move quickly, orchestrate work, and ship with confidence.
• US Citizen and eligible for US security clearance

Nice To Haves

• Hands-on experience implementing security architectures or controls for FedRAMP (Moderate or High), DoD RMF, HITRUST, or other heavily regulated frameworks.
• Active US security clearance (Secret, TS, or TS/SCI).
• Deep Kubernetes and container security expertise (admission control, runtime security, software supply chain security).
• Experience securing AI/ML workloads, including model supply chain integrity, prompt injection defenses, and agent execution sandboxing.
• Industry certifications such as Google Professional Cloud Security Engineer, AWS Security Specialty, OSCP, GIAC (GCSA, GCIH, GCIA), or CKS.
• Open source contributions to security tooling, detection content, or IaC modules.

Responsibilities

• Design, implement, and operate the shift-left security toolchain across Trase's CI/CD pipelines, which include but are not limited to SAST, DAST, SCA, secrets scanning, container image scanning, and IaC scanning.
• Define how findings are triaged, routed, and remediated; partner with engineering teams to keep developer experience high and friction low.
• Establish and enforce policy-as-code and pre-merge security gates calibrated to risk.
• Design and deploy Trase's production cloud security architecture, with a primary focus on Google Cloud Platform (GCP) and a clear path to multi-cloud as the business requires.
• Implement foundational controls including network segmentation, workload identity, secrets management, encryption (in transit and at rest), and least-privilege IAM using both cloud-native services and third-party applications or platforms.
• Stand up and operate cloud security posture management (CSPM) and cloud workload protection capabilities.
• Build, codify, and maintain the secure-by-default infrastructure modules in Terraform, consumed by every Trase engineer.
• Embed security controls directly into platform abstractions so that the secure path is the default path.
• Drive secure baselines for Kubernetes, container runtimes, and serverless workloads.
• Operate and fine-tune Trase's SIEM and security telemetry pipeline, designing log sources, detections, and alerting workflows from the ground up.
• Define detection-as-code practices and tune detections to balance signal and noise.
• Build dashboards and reporting that give the security team and leadership real-time visibility into the live posture of the environment.
• Enhance and lead aspects of Trase's technical security incident response capability, including runbooks, on-call rotation design, tabletop exercises, and post-incident reviews.
• Serve as a senior responder during security events, coordinating across stakeholder groups and the broader enterprise.
• Operate the end-to-end vulnerability management lifecycle across application, container, and cloud surface area.
• Facilitate remediation SLAs, partner with engineering to drive them, and report on progress to leadership.
• Partner closely with Engineering and the broader Security and Compliance team to translate framework requirements (e.g., SOC 2, HIPAA, ISO 27001, FedRAMP, NIST 800-53) into defensible, robust controls.
• Embed with Product and Engineering teams to ensure security is an integral part of how Trase builds, by design.
• Mentor junior Security and Compliance engineers and members of the Engineering team on secure coding, threat modeling, and cloud security best practices.
• Establish and propagate the patterns, runbooks, and reusable building blocks that allow Trase's security capabilities to scale with the company.

Benefits

• Career track opportunity with potential for rapid advancement with strong performance as the firm grows
• 100% employer paid, comprehensive health care including medical, dental, and vision for you and your family.
• Paid maternity and paternity for 14 weeks at employees' normal pay.
• Unlimited PTO, with management approval.
• Opportunities for professional development and continued learning.
• Optional 401K, FSA, and equity incentives available.
• Mental health benefits are available through Tara Mind .
• Cost effective GLP-1 solutions available through Crux .