Jobs.ca

Senior Product Security Engineer

Doppel, 7 days ago
Remote
United States, Canada
CA$127,059 - CA$145,211/yearly
Senior Level

Top Benefits

Health, dental, & vision stipend
Flexible vacation and work arrangements
Generous equity

About the role

Who you are

  • 5–7 years of experience in product security, cloud security engineering, or a related field
  • Strong knowledge of Google Cloud Platform (GCP) services and security best practices, including IAM, networking, data protection, and workload runtimes
  • Hands-on experience with penetration testing coordination, threat modeling, and risk assessment
  • Proficiency with Infrastructure-as-Code tools (Terraform, policy controllers, CI/CD integrations)
  • Familiarity with designing and enforcing least-privilege IAM and conducting access reviews
  • Ability to communicate security risks and recommendations clearly to engineering and leadership audiences
  • Professional certifications such as GCP Professional Cloud Security Engineer, OSCP, or CISSP
  • Experience building reusable security guardrails and automation at scale
  • Familiarity with Kubernetes (GKE) and container security
  • Prior success mentoring engineers or embedding security practices into development lifecycles
  • Experience reporting security metrics and influencing technical and business decision-making

What the job involves

  • We're looking for a Senior Product Security Engineer to lead product and cloud security by embedding into engineering workflows and acting as the subject matter expert for GCP
  • It involves running architecture reviews, leading threat modeling, and driving penetration testing engagements from scoping to remediation
  • The role also designs and enforces least-privilege IAM, builds security guardrails through policy and infrastructure-as-code, and ensures issues are triaged, tracked, and resolved. Beyond execution, it provides enablement and mentorship for engineers, clear documentation, and transparent reporting to security leadership
  • This role is open remotely across the U.S. and Canada
  • Run security architecture reviews for product features and our GCP environment in partnership with product and engineering; lead threat modeling and document risks, controls, and clear recommendations
  • Own penetration testing engagements end‑to‑end: vendor/scoping, rules of engagement, test coordination, finding validation and severity, retest, and remediation tracking to closure
  • Act as the GCP security SME for project teams, advising on secure patterns for networking (VPC, private access, perimeter controls), data protection (KMS, secrets), compute runtimes (GKE/Cloud Run/GCE), CI/CD (Cloud Build, Artifact Registry), and logging/monitoring
  • Design and enforce least‑privilege IAM in GCP: role design (custom vs. predefined), service account lifecycle, workload identity, IAM Conditions, org/folder policy constraints, and periodic access reviews
  • Triage and route product-security-related findings to the right engineering owners; tune rules to reduce noise, set severities and SLAs, and drive remediation, capturing justified exceptions
  • Contribute security guardrails via policy and infrastructure‑as‑code (e.g., org policies, constraints, reusable Terraform modules, admission/policy controllers) and integrate pre‑merge checks in CI/CD
  • Create practical documentation and runbooks (design review checklist, IAM standards, exception process) and deliver targeted enablement sessions for engineers and PMs
  • Report progress and risks with metrics and status updates to security leadership; proactively escalate blockers and propose tradeoffs
  • Mentor engineers and code owners on secure‑by‑default coding and architecture best practices

About Doppel

Technology, Information and Internet
51-200

Doppel is built to outsmart the internet’s biggest threat—social engineering. Using generative AI, we don’t just defend; we disrupt attackers' tactics and infrastructures, making them useless. Our platform learns from every attempt, evolving in real-time to protect all customers and stay ahead of ever-changing threats.

With Doppel, the harder attackers push, the faster they fail. By pairing cutting-edge AI with expert analysis, we outpace threats like phishing, impersonation, and disinformation—delivering speed and precision that legacy systems can’t touch. Backed by a16z, South Park Commons, and SVAngel.