Staff Security Engineer

Collective, San Francisco, CA
$200,000 - $260,000, Hybrid

About The Position

We're hiring a Staff Security Engineer to own the security of Collective's member platform end to end — from how code is written and tested to how data is protected and how our systems authenticate. This is a senior individual contributor role with broad product-security scope: you'll embed security into the development lifecycle, lead threat modeling and security reviews across the platform, and own the authentication, authorization, and compliance systems that keep our members' financial and tax data trustworthy. As Collective expands its use of AI and agent-based workflows, you'll shape how those systems authenticate and operate securely. You'll work closely with Engineering, Product, and Legal to make security a first-class property of everything we ship — without slowing the team down.

Requirements

  • 8+ years of security engineering experience, with depth in application security and a track record of improving security posture on production platforms at scale.
  • Strong expertise in authentication and authorization systems (OAuth 2.0, OIDC, SAML, JWT) and the nuances of securing both user-facing sessions and machine-to-machine flows, including AI agent authentication patterns.
  • Hands-on experience building or owning SAST/DAST programs and embedding security testing into CI/CD pipelines; familiarity with tools like Semgrep, Snyk, Burp Suite, or equivalent.
  • Working knowledge of CCPA (and ideally GDPR) compliance requirements as they apply to a SaaS platform handling personal financial data, including data mapping, subject rights workflows, and audit trails.
  • Experience collaborating with Legal and Privacy teams to translate regulatory requirements into concrete engineering controls, not just documentation.
  • Comfort operating as a senior individual contributor who influences platform direction without requiring a management chain to get things done — you write RFCs, lead design reviews, and bring engineers along through conviction and clarity.
  • Product empathy: the ability to hold security rigor and member experience in the same frame, and to make the right tradeoffs with both in mind.

Nice To Haves

  • Familiarity with AI-assisted development workflows and an interest in the security implications of agent-based systems are a strong plus.

Responsibilities

  • Own the end-to-end authentication and authorization architecture across Collective's member platform, including session management, role-based access control, and the emerging patterns needed to secure agent-based workflows and service-to-service communication.
  • Drive CCPA compliance across the platform, partnering with Legal and Engineering to map data flows, implement required access and deletion controls, and establish ongoing audit and reporting mechanisms.
  • Design and maintain Collective's static and dynamic application security testing (SAST/DAST) frameworks, integrating them into CI/CD pipelines so security feedback is fast, automated, and actionable for product teams.
  • Lead threat modeling for new features and platform changes, collaborating with product engineers early in the design process to identify and address risk before it reaches production.
  • Define and maintain security standards, policies, and runbooks that give engineering teams clear guardrails without slowing down delivery.
  • Respond to and lead post-incident security reviews, driving root-cause analysis and translating findings into durable platform improvements.
  • Evaluate and integrate third-party security tooling, staying current on the threat landscape relevant to fintech platforms handling sensitive financial and tax data.

Benefits

  • Hybrid Work Model: Based in San Francisco with a balance of in-office and remote flexibility.
  • Fresh Lunch: Provided on in-office days.
  • Commuter Support: $150 monthly reimbursement for transit expenses.
  • Health & Wellness: $200 quarterly reimbursement to support your well-being.
  • Time Off: Flexible PTO plus 14 company holidays.
  • Comprehensive Coverage: 100% medical, dental, and vision for employees; 75% coverage for dependents.
  • Parental Leave: 16 weeks fully paid.
  • Retirement & Ownership: 401k plan plus an equity package.
  • Team Connection: Quarterly virtual events and an annual in-person summit.