Staff Security Engineer

10 Years + • Cyber Security • $200,000 PA - $220,000 PA

Job Summary

Job Description

Pomelo Care is a multi-disciplinary team focused on improving care for moms and babies through a technology-driven platform. They seek an experienced Staff Security Engineer to mature cybersecurity practices, safeguard sensitive healthcare data, and enable secure product development. This role involves leading critical cybersecurity initiatives, developing security solutions, collaborating cross-functionally, and improving SDLC processes. The ideal candidate is a versatile generalist with deep technical expertise and strong software engineering fundamentals.
Must have:
  • Lead and execute critical cybersecurity initiatives (IAM/RBAC, AppSec, Cloud Security, Endpoint Security, CI/CD, supply chain security, SAST/DAST, pen testing, bug bounty, IR, DFIR, SaaS security).
  • Develop and implement security solutions and frameworks.
  • Own and continuously improve secure software development lifecycle (SDLC) processes and tools.
  • Participate directly in incident response activities.
  • 10+ years of hands-on cybersecurity experience with a robust software engineering foundation.
  • Direct hands-on expertise in at least 2-3 key security areas (IAM, Application Security, Cloud Security, CI/CD security, Incident Response).
  • Experience with Google Cloud Platform (GCP), Kotlin, React/Next.js, Swift, Expo, Xcode, Android Studio, yarn, npm, Code Build.
  • Cybersecurity experience in healthcare/startups, familiar with HIPAA, SOC 2 Type 2, HITRUST.
  • Strong technical background in full stack software development, system architecture, PKI, SAML, JWT, HMAC, MITRE ATT&CK, D3FEND, OWASP Top Ten mitigations.
  • Ability to thrive in agile environments.
  • Strong problem-solving, communication, and collaborative mindset.
Good to have:
  • Relevant industry certifications (e.g., CISSP, CISM, CCSP)
  • OSCP certification
Perks:
  • Competitive healthcare benefits
  • Generous equity compensation
  • Unlimited vacation
  • Membership in the First Round Network

Job Details

About us

Pomelo Care is a multi-disciplinary team of clinicians, engineers and problem solvers who are passionate about improving care for moms and babies. We are transforming outcomes for pregnant people and babies with evidence-based pregnancy and newborn care at scale. Our technology-driven care platform enables us to engage patients early, conduct individualized risk assessments for poor pregnancy outcomes, and deliver coordinated, personalized virtual care throughout pregnancy, NICU stays, and the first postpartum year. We measure ourselves by reductions in preterm births, NICU admissions, c-sections and maternal mortality; we improve outcomes and reduce healthcare spend.

What you'll do

Pomelo Care is seeking an experienced cybersecurity engineer to mature our security practices and contribute to our mission to ensure that our patients, clinicians and partners trust us implicitly. This is an exciting opportunity for someone who shares our commitment to information security to be part of a fast-paced environment that will push you to learn while doing.

As a Staff Security Engineer, you'll be a key player in shaping our security posture, safeguarding sensitive healthcare data and enabling our engineering teams to build secure and compliant products. This role requires a versatile generalist with deep technical expertise, excellent software engineering fundamentals and the agility to thrive in a startup environment.

Key responsibilities will include:

  • Lead and execute critical cybersecurity initiatives, spanning areas like IAM/RBAC, Application Security, Cloud Security, Endpoint Security, CI/CD and supply chain security, SAST/DAST tooling, penetration testing, bug bounty management, Incident Response, DFIR and SaaS security.
  • Develop and implement security solutions and frameworks that proactively mitigate risks and address evolving threats.
  • Collaborate cross-functionally with engineering, product, compliance and executive teams to drive adoption of security best practices.
  • Own and continuously improve secure software development lifecycle (SDLC) processes and tools.
  • Serve as a subject matter expert and mentor, guiding and educating teams on cybersecurity principles, secure coding and threat modeling.
  • Participate directly in incident response activities, investigations and post-incident analysis.
  • Demonstrate humility, entrepreneurial spirit, strong communication skills and comfort contributing to a dynamic, cross-functional environment.

Who you are

  • 10+ years of hands-on experience in cybersecurity with a robust software engineering foundation.
  • Direct hands-on expertise in at least 2-3 key security areas (IAM, Application Security, Cloud Security, CI/CD security, Incident Response, etc.).
  • Curiosity and openness to learn new cybersecurity domains that may not be familiar.
  • Direct experience working in some parts of the full technology stack including Google Cloud Platform (GCP), Kotlin, React/Next.js, Swift, Expo, Xcode, Android Studio, yarn, npm, Code Build, among others.
  • Previous cybersecurity experience within healthcare environments and startups, demonstrating familiarity with regulatory frameworks (e.g., HIPAA) and supporting security certifications such as SOC 2 Type 2 and HITRUST.
  • Strong technical background including full stack software development, system architecture and security fundamentals such as PKI, SAML, JWT, HMAC, as well as the MITRE ATT&CK and D3FEND frameworks and OWASP Top Ten mitigations.
  • Proven ability to thrive in agile environments, adapting quickly and wearing multiple hats to help scale security programs.
  • Strong problem-solving skills, excellent communication abilities, and a collaborative mindset.
  • Relevant industry certifications (e.g., CISSP, CISM, CCSP) are highly desirable. OSCP is a big plus.
  • Exceptional communication skills and the ability to convey complex security concepts to non-technical stakeholders.

