Staff Security Engineer

About the Role:

We're looking for a Senior Security Engineer with deep technical expertise in application security, penetration testing, and offensive security practices. You will lead efforts to proactively identify and exploit vulnerabilities across our products and infrastructure, working alongside engineering and security teams to design robust defences and build security into everything we deploy.

This is a hands-on technical role with significant influence over the security posture of the company, from code to cloud.

Duties and Responsibilities:

----------------------------

Application Security

• Perform code reviews, threat modelling, and architecture assessments across internal and customer-facing applications.
• Guide engineering teams on secure design patterns, libraries, and development practices.
• Integrate and maintain security tooling (SAST, DAST, SCA) into CI/CD pipelines.
• Collaborate with product and engineering teams to remediate identified vulnerabilities and design secure solutions.

Penetration Testing

• Conduct manual and automated penetration tests against Ethos Web Application, APIs, infrastructure, and cloud environments.
• Simulate attacker behaviors to assess technical weaknesses and business risks.
• Create detailed, developer-friendly reports with risk ratings and actionable remediation guidance.
• Re-test findings and validate security fixes in collaboration with product owners.

Offensive Security

• Plan and execute red team operations, simulating advanced persistent threat (APT) scenarios.
• Develop custom tools, scripts, and exploits to test detection and response capabilities.
• Collaborate to improve detection, logging, and incident response based on attack insights.
• Contribute to the development of offensive security playbooks and adversary emulation plans.

Other Responsibilities

• Mentor junior team members and evangelize security best practices across the company.
• Participate in investigations, threat hunting, and incident response activities; build playbooks for specific incident response scenarios
• Communicate risks to engineering staff through training and technical demonstration of vulnerabilities and secure design patterns
• Support security audits, compliance efforts, and executive briefings with technical depth.