Note: The job is a remote job and is open to candidates in USA. Staffing Science is a fast-growing, well-funded Series B developer infrastructure company seeking a Founding Security Engineer. In this role, you will be responsible for building security from the ground up, including detection and response, application security, and managing software supply chain security, while directly engaging with enterprise customers about their security posture.
Responsibilities
- Standing up detection and response from scratch — SIEM or outsourced SOC, your call, then own it
- Hardening AWS (IAM, GuardDuty, Security Hub, SCPs) and Cloudflare (WAF, Zero Trust, DLP) hands-on — not writing recommendations for someone else to implement
- Writing and enforcing security scanning directly into Infrastructure as Code — Terraform is the backbone here, and you'll be embedding tools like Checkov/tfsec into CI/CD so bad config never ships in the first place, not just catching it after deploy
- Bringing order to endpoint security across a Mac-heavy dev fleet and production infrastructure
- Owning software supply chain security end-to-end — SBOMs, SLSA, dependency scanning, remediation — for a product where that's literally the customer value prop
- Getting genuinely hands-on with application security : integrating SAST/SCA tooling (think Semgrep, Snyk, GitHub Advanced Security) straight into developer workflows, sitting in on design reviews and threat modeling for new features, and working shoulder-to-shoulder with engineers to actually fix vulnerabilities using a risk-based model — not generating an aging report and hoping someone reads it
- Rationalizing IAM, SSO, and access reviews so entitlements stay clean as the company scales
- Talking directly to enterprise customers about security posture — this product runs in serious, security-conscious environments, and you'll be the credible technical voice in those conversations
Skills
- 5+ years of hands-on security engineering, ideally at a software or cloud-native company — bonus points if that company was small enough that you built something instead of maintaining it
- Ability to code or script — this isn't optional
- Real application security chops — you can read code, you understand common vulnerability classes, and you've partnered with developers on fixes rather than just flagging findings and moving on
- Hands-on Infrastructure as Code experience — Terraform specifically — and you know how to build security into the pipeline itself, not just audit what's already deployed
- Knowledge of AWS security cold and real Cloudflare experience (or the aptitude to pick it up fast)
- Understanding of software supply chain security — SBOMs, artifact signing, dependency risk — as more than buzzwords
- Experience deploying and managing EDR/MDM across mixed dev and production environments
- Proactive problem-solving attitude — you're the person who sees something broken and fixes it, rather than filing a ticket and waiting
Company Overview