Staff Security Engineer - Product Security

About The Position

Requirements

• 8+ years of experience designing, building, and operating security controls for large-scale production systems (application, cloud, and infrastructure security).
• Strong security engineering chops with evidence you can reduce risk in production systems (not just talk about it).
• Hands-on ability to write and ship code/tools in Python, Go, or similar (you’re expected to build, not just review).
• Practical experience securing microservice architectures and modern cloud stacks (containers/Kubernetes, IAM, CI/CD, secrets, logging).
• Comfort operating as a technical leader without authority: you can persuade, teach, and unblock - not police.
• A skeptical mindset: you naturally ask “what’s the failure mode?” and “how will this be abused?” before shipping changes.
• Familiarity with the security failure modes of LLM-enabled systems (or the willingness to learn fast), including risks called out by OWASP such as prompt injection, insecure output handling, insecure plugin design, and excessive agency.

Nice To Haves

• Experience spanning multiple engineering domains (web app + cloud infra + embedded/robotics/autonomy).
• Experience building developer-friendly security platforms (internal libraries, paved roads, CI integrations, Public Key Infrastructure).
• Track record of being an effective security “evangelist” (i.e., enabling good behavior with good tools and defaults, not fear).
• Experience designing guardrails for internal AI/agent usage (policy + technical controls + auditing), especially in environments where safety and reliability are non-negotiable.
• Deep understanding of distributed systems and how failures actually happen (partial outages, weird retries, cascading dependencies, misconfigurations, permissions drift).

Responsibilities

• Own security outcomes for critical parts of Zipline’s application and cloud ecosystem (not by writing policy docs that no one reads, but by shipping controls and enabling teams).
• Partner with engineering teams on secure architecture, threat modeling, and design reviews for services that must be correct, reliable, and defensible under real-world operational pressure.
• Help us build and scale a pragmatic secure SDLC – CI/CD hardening, dependency/supply-chain controls, secrets management, and code review patterns that don’t slow teams down.
• Improve cloud security posture end-to-end: IAM and least privilege, network/service-to-service trust, key management, logging/telemetry, runtime detection, and incident-ready auditability.
• Drive vulnerability management that actually closes risk: triage, exploitability analysis, remediation partnerships, and verification.
• Help build and exercise incident response: playbooks, tabletop exercises, logging requirements, and “know it happened / know what changed” operational discipline.
• Support data classification and access control models aligned to how Zipline operates (including partner/customer interfaces and global operations).
• Support external penetration tests and turn results into durable improvements, not whack‑a‑mole patches.
• Contribute to security compliance efforts (e.g., SOC 2 / ISO 27001) in a way that strengthens engineering
• Secure AI-assisted and agentic engineering workflows (this is explicitly part of the job):
• define safe patterns for copilots/LLM tools used in development and ops
• implement guardrails for sensitive data exposure and output handling
• prevent “agentic overreach” (over‑privileged tools, unsafe tool-calling, silent action-taking)
• build monitoring/auditing around AI tool use where it matters