Staff Software Engineer
About The Position
Founded in 2017, Obsidian Security was created to close a critical gap: securing the SaaS applications where modern business happens—platforms like Microsoft 365, Salesforce, and hundreds more. Backed by top investors including Greylock, Norwest Venture Partners, and IVP, we’ve built a complete SaaS security platform to reduce risk, detect and respond to threats, and prevent breaches at the source. Our team includes leaders who helped define the categories of endpoint and identity security at CrowdStrike, Okta, Cylance, and Carbon Black. Now, we’re transforming how SaaS is secured—in the era of agentic AI. Today, Obsidian is trusted by global enterprises like Snowflake, T-Mobile, and Pure Storage. We protect more than 200 organizations across North America, Europe, the Middle East, Southeast Asia, Australia, and New Zealand—including many of the world’s largest Fortune 1000 and Global 2000 companies. With strong global momentum, a growing partner ecosystem including SentinelOne, Databricks, and Google Cloud, and a major fundraise on the horizon, we’re scaling quickly toward long-term growth and IPO readiness. Join us as we define the future of SaaS security! About Obsidian Security Obsidian helps companies figure out what’s happening in their SaaS applications - who’s accessing what, where data is going, and what looks suspicious. Role Description You’ll work across the full stack on the Threat product team: browser extension code that hooks into web applications, backend services processing millions of events, and data pipelines feeding our detection engine. One day you’re in TypeScript debugging why a content script isn’t capturing form submissions on some vendor’s weird SPA. The next you’re in Python fixing a Kafka consumer that’s falling behind. Sometimes you’re in Rust optimizing a hot path in the telemetry collector. Right now, a big focus is shadow AI - enterprises want to know when employees are pasting sensitive data into ChatGPT, Claude, or whatever new LLM chatbot showed up this week. You’ll build the systems that catch this.
Requirements
- 8+ years building software, ideally touching a few different areas (not just one stack forever)
- You actually understand how browsers work. DOM APIs, the event loop, how SPAs route, why CORS exists. Not just “I used React.”
- You’ve built browser extensions before. You know the content script/background script split, message passing, manifest v3 limitations.
- Strong TypeScript. Comfortable in Python. Willing to write Rust (or already do).
- You’ve dealt with data at scale: event streaming, pipelines, high-throughput ingestion.
- Backend basics: APIs, Postgres, Elasticsearch, Kafka or similar.
- Can work without someone telling you what to do next.
Nice To Haves
- You’ve thought about AI security - prompt injection, data exfiltration, that kind of thing
- Background in detection engineering, SIEM, or security ops
- You’ve built or contributed to security tools
Responsibilities
- Own features from “we need to detect X” through production, across extension, backend, and pipeline code
- Write content scripts that interact with web pages and background scripts that coordinate everything
- Build backend services: event ingestion, enrichment, alerting
- Work with security researchers to turn threat intel into working detections
- Help the team get better through code review and design discussions
Benefits
- Competitive compensation with equity and 401k
- Comprehensive healthcare with dental and vision coverage
- Flexible paid time off and paid holiday time off
- 12 weeks of new parent or family leave
- Personal and professional development resources
Stand Out From the Crowd
Upload your resume and get instant feedback on how well it matches this job.
What This Job Offers
Job Type
Full-time
Career Level
Mid Level
Education Level
No Education Listed
