THE ROLE
This is Flox's first dedicated security hire. You'll work directly with engineering leadership to stand up security practices that are pragmatic, developer-friendly, and right-sized for a company at our stage. The role is heavily weighted toward doing: you'll be the one deploying tools, configuring controls, hardening infrastructure, and closing gaps, not just advising others to do so.
That said, you'll have real input into how we think about controls, priorities, and our security roadmap as we grow. And because our product sits at the heart of the software supply chain, managing dependencies, environments, and build artifacts for some of the world's largest engineering teams, security isn't peripheral here. It's core to the value we deliver.
If you want to build something from scratch, own it end-to-end, and have your work matter immediately, this is that job. If you want a large team, an existing program to slot into, or mostly governance work, it probably isnât.
WHAT YOU'LL DO
Detection, Monitoring & Response
Help evaluate whether to stand up an internal SIEM or work with an outsourced SOC provider, then implement whichever path makes sense for where we are as a company. If building internally: deploy and configure the SIEM, write and tune detection rules, and own the alerting stack. If outsourcing: manage the SOC relationship, define what gets escalated and how, and ensure we're getting signal, not just noise
Build incident response runbooks and triage workflows, then actually test them (e.g. test backups in case they are needed for ransomware recovery)
Be the person who sees something and does something about it
Cloud & Infrastructure Security (AWS + Cloudflare)
Scan and harden our AWS posture hands-on: IAM policies, SCPs, security group hygiene, GuardDuty, Security Hub, and automated compliance guardrails need to be evaluated and maintained
Own Cloudflare configuration across WAF rules, DDoS protection, bot management, Zero Trust access, and DLP policies, keeping rules current and tuned as the product evolves
Implement IaC security scanning (Checkov, tfsec, or similar) directly into CI/CD pipelines
Own CSPM tooling: configure it, triage it, fix things, don't just generate reports
Endpoint Protection
Deploy and manage endpoint protection across developer systems and production endpoints, covering EDR, device posture, behavior monitoring (including dynamic scans), DLP, and threat detection
Ensure developer machines (a Mac-heavy environment, typical of engineering teams) meet baseline security standards while minimizing friction that slows people down. Understand when and where detective controls suffice vs. preventative controls, based on thoughtful risk management and defense in depth
Define and enforce endpoint compliance policies, including disk encryption, patch posture, and application controls
Work with engineering to extend endpoint visibility into production infrastructure where applicable
Software Supply Chain
Secure our build and release pipelines
Consider SLSA framework adoption and supply chain integrity attestations for our catalog and environments
Stand up dependency vulnerability scanning and own the remediation workflow end-to-end for third-party services, libraries, middleware, operating systems, and SaaS
Application Security
Integrate SAST and SCA tooling (Semgrep, Snyk, GitHub Advanced Security) into developer workflows
Participate in security design reviews and threat modeling for new features
Work shoulder-to-shoulder with developers to find and fix vulnerabilities using a risk-based model instead of just vulnerability aging reports
Identity, Access & Entitlements
This is a priority area, but implemented right for a company at our size, not over-engineered for a company ten times larger.
Audit and rationalize IAM across AWS, Cloudflare, SaaS applications, and internal tooling; implement the fixes, not just the findings
Drive SSO consolidation, enforce MFA universally, and implement least-privilege access in practice, not just policy
Build a lightweight, repeatable access review process: something that actually runs on a cadence and produces real decisions
Own joiner/mover/leaver processes so that entitlements stay clean as the team grows
Evaluate and implement an appropriate identity governance solution for our stage: not an enterprise IGA platform, but something that gives us control and auditability
WHAT WE'RE LOOKING FOR
3-5 years of hands-on security engineering experience, ideally at a software company or cloud-native environment
A demonstrable track record of implementing security tools and controls, not just scoping or recommending them
Solid working knowledge of AWS security services: IAM, SCPs, GuardDuty, Security Hub, CloudTrail, and related tooling
Hands-on experience with Cloudflare: WAF rule management, Zero Trust, DLP, or similar; comfort learning what you haven't used yet
Experience deploying and managing endpoint protection (EDR/MDM) across a mixed developer and production environment
Familiarity with software supply chain concepts: SBOMs, dependency management, artifact signing, SLSA
Experience integrating SAST, SCA, or DAST tools into CI/CD pipelines
Comfort with scripting or light automation (Python, Bash, or similar) to build repeatable processes
Ability to work independently, ruthlessly prioritize, and operate without a playbook
The kind of person who is bothered when something is insecure and doesn't wait for someone else to fix it
NICE TO HAVE
Familiarity with Nix, package management, or reproducible build systems
Experience evaluating or managing an outsourced SOC relationship
Prior SIEM deployment or detection engineering experience
Experience supporting a SOC 2 or ISO 27001 audit
Security certifications (CISSP, OSCP, AWS Security Specialty, etc.)
WHY FLOX
First dedicated security hire: you'll build the program, not inherit someone else's backlog
A product developers genuinely love, which makes working with the engineering team easier
Small team, short feedback loops, real ownership: your work will be visible immediately
Competitive salary, meaningful equity in a well-funded company, and a flexible hybrid environment