UserGems 💎
Senior Security Engineer
Remote Security Engineering position with a clear candidate-location fit.
Published: 4 Jul 2026
Eligible countries: 64 countries accepted
Seniority signal: Senior
Work model: Remote
Accepted candidate locations
Job summary
Requirements and responsibilities
You'll thrive here if you:
- Lean strongly into compliance/GRC operations - with enough hands-on AWS comfort to action Drata-flagged remediations independently.
- Want to own operations end-to-end and influence direction - you propose, the Sr. Director approves, you ship.
- Like a startup environment where priorities are clear, ownership is real, and you ship and move on.
What You'll Do
- Own SOC 2 - keep Drata green and audits clean.
- Lead ISO 27001 implementation, then ISO 42001.
- Run the customer security questionnaire process (SafeBase + Trust Center) - fast turnaround directly unblocks revenue.
- Drata-driven AWS remediation. Action simple Drata findings directly in AWS yourself - IAM tweaks, S3 settings, secrets hygiene, audit-trail follow-ups. Larger or higher-risk changes go to engineering.
- Vulnerability management. Oversee and extend the existing scanner-findings automation in Linear; hit SLAs.
- Light secure code review. Spot-check high-risk features and new repositories (especially AI/LLM systems) before they go to production; escalate deeper AppSec questions to engineering and external pen testers.
- Threat detection & response. Tune GuardDuty findings, evaluate central logging / SIEM options, run tabletop exercises, mature the IRP from written to rehearsed.
- Offensive security. Run the annual external pen test, perform regular internal pen tests yourself, handle external researcher reports and bug bounty payouts.
- Onboarding & offboarding. Own access provisioning and revocation.
- Be the security person at UserGems. Internally and externally, you are the face of security - questions, escalations, customer security reviews, and audit conversations come to you.
You'll own:
- ISO 42001 readiness from scratch.
- Model & data governance for Gem-E and our self-hosted LLMs on Azure: data residency posture, prompt-injection threat modeling, access controls on training/inference data.
- Internal AI tooling built by non-engineering teams. Sales, marketing, and ops are building their own AI-powered internal tools. You'll shape how this scales safely - guardrails, access boundaries, monitoring, and review.
- AI in our own security stack - extending our in-house Linear/scanner automations, AI-assisted questionnaire workflows, and security review of AI-generated code.
- Customer-facing AI security narrative - shaping the answers, Trust Center statements, and policies that prospects' security teams will scrutinize.
Our Tech Stack
- Cloud: AWS (primary), some Azure (self-hosted LLMs)
- Compliance / GRC: Drata, SafeBase (Trust Center), Linear
- Detection / Endpoint: AWS GuardDuty, CrowdStrike Complete (managed MDR)
- Scanners feeding Linear: GitHub, AWS Inspector, ZAP
- Infra (owned by engineering): Terraform, Kubernetes, Docker, GitHub
Non-negotiable:
- You have personally owned a SOC 2 or ISO audit end-to-end - as the operational owner accountable to the auditor, not "on the team" - and delivered a zero-exception report. If you can't honestly say "yes" to this, please don't apply.
- Working AWS knowledge - you can navigate the AWS console, action Drata-flagged remediations yourself (IAM, S3, KMS, audit trails), and read CloudTrail when investigating an alert. You do not need to be a cloud-infrastructure engineer.
- Can understand Terraform with AI help - fluency isn't required. What matters is that you can drive AI to explain a diff, follow it critically, and catch when AI is wrong about IaC. Engineering owns infrastructure authorship.
- High ownership and accountability - you ship audits, questionnaires, and policy work without a project manager keeping you on track.
- Excellent written English - questionnaires, Trust Center, and policies are customer-facing.
- Comfortable with async collaboration across Europe and the U.S. Most US work is async, but some late-afternoon CET availability helps - around once a week, same-day US input turns a multi-day back-and-forth into a 10-minute conversation.
Non-negotiable:
- Solid grasp of attacker techniques and modern application security (web/API, cloud, supply chain).
- Hands-on secure code review experience, including AI/LLM systems.
- Comfort tuning detection (GuardDuty / SIEM) and running incident response.
Nice to have
- ISO 27001 Lead Implementer or Lead Auditor experience.
- ISO 42001 / AI governance familiarity.
- Hands-on Kubernetes / container security.
- Light coding ability (Java preferred) - our security automation lives in code, and you'll extend it.
- Experience with auditing LLM security
Details
- You'll be part of a fast-growing startup as it scales from 60 employees to 100+
- Customers love us! (see our Customers page and G2 Reviews). They see ROI in Closed Won revenue generated
- Employees love us! (see our Glassdoor & RepVue page)
- We're a remote-first company with employees across the Americas and Europe
- We have weekly standups, virtual happy hours, and in-person off-sites around the world so that everyone stays connected
- We are customer-focused and data-driven in everything we do
- We value individual differences in the workforce and strive to make everyone feel welcomed and accepted, regardless of their skin color, gender, or sexual orientation
- We offer a competitive salary and benefits
Location eligibility
Albania, Argentina, Austria, Bahamas, Barbados, Belarus, Belgium, Belize, Bolivia, Brazil, Bulgaria, Canada, Chile, Colombia, Costa Rica, Croatia, Cyprus, Czechia, Denmark, Dominican Republic, Ecuador, El Salvador, Estonia, Finland, France, Germany, Greece, Guatemala, Honduras, Hungary, Iceland, Ireland, Italy, Jamaica, Latvia, Lithuania, Luxembourg, Malta, Mexico, Moldova, Montenegro, Netherlands, Nicaragua, North Macedonia, Norway, Panama, Paraguay, Peru, Poland, Portugal, Puerto Rico, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Trinidad and Tobago, Ukraine, United Kingdom, Uruguay, United States, Venezuela