• Lead secure design efforts. Partner with engineering teams on secure design and code reviews. Identify and prioritize risks early in the product lifecycle. • Build secure by default systems. Develop paved paths that systemically reduce risk and make secure development the easiest path for engineers. • Perform offensive security testing. Conduct penetration tests and code audits on new and existing products from an adversarial lens. • Improve our security tooling. Integrate and improve our static analysis, supply chain security, and vulnerability management capabilities across engineering pipelines. • Operate our responsible disclosure program. Run and improve our program by furthering automation, validating submissions, and coordinating remediation. • Improve our products. Write and ship code to remediate vulnerabilities in production systems and improve the security posture of WorkOS products. • Work directly with customers. Help build our customers' trust by directly engaging with their security-related questions and concerns.

• Lead security architecture and assessment reviews for cloud-native and hybrid solutions • Validate solution designs against industry frameworks such as National Institute of Standards and Technology (NIST CSF), Center for Internet Security (CIS Benchmarks), and Cloud Security Alliance (CSA CCM) • Conduct cloud penetration testing following CREST and CHECK methodologies • Validate Infrastructure as Code (IaC) security controls and CI/CD pipeline security • Lead compliance assessments including ISO 27017, ISO 27018, SOC 2, GDPR, NIS2, and DORA • Assess cloud governance frameworks and Cloud Security Posture Management (CSPM) implementations • Coordinate cloud security audits with internal and external stakeholders • Assess cloud IAM architectures and privileged access management controls • Validate encryption standards, key management processes, and data residency controls • Review SSO, MFA, and least-privilege implementations

• Protect the organization’s identity infrastructure by designing, implementing, and operating secure authentication, authorization, and access controls • Focus on Microsoft Entra ID–centric identity security, including Conditional Access, privileged access, identity lifecycle automation, and identity-driven phishing protection • Serve as the first responder for identity-based security events and partner closely with Security Engineering and GRC to reduce breach risk while enabling secure business growth • Design, implement, and maintain secure identity architectures using Microsoft Entra ID • Manage user, group, device, and service-principal identity lifecycle controls • Enforce least-privilege access using role-based access control (RBAC) • Design and operate Conditional Access policies (MFA, device trust, location, risk-based access) • Implement passwordless and phishing-resistant authentication (FIDO2, TAP) • Maintain emergency access and break-glass account controls • Implement and operate Privileged Identity Management (PIM) • Reduce standing administrative privileges across Entra ID and Azure • Conduct periodic access and privilege reviews • Automate joiner/mover/leaver processes using PowerShell and Microsoft Graph • Support access reviews and entitlement management • Integrate identity controls with HR and IT provisioning systems • Design and maintain email authentication controls (SPF, DKIM, DMARC) • Implement and manage Microsoft Defender for Office 365 anti-phishing policies • Lead identity-focused response to phishing events: Token revocation and forced sign-out • Monitor identity-related alerts and risky sign-in activity • Support investigations involving credential theft or unauthorized access

• Supporting and maintaining ISMS, PIMS, and BCMS frameworks • Participating in external certifications and audits (PCI DSS, ISO 27001, ISO 27701, ISO 22301, GDPR, DORA) • Managing access control processes: IAM / SSO / MFA, Joiner–Mover–Leaver processes, regular access reviews and privilege control • Operating and tuning information security tools, including: vulnerability scanners, IAM and access control systems, anti-phishing tools and security awareness platforms • Analyzing alerts and findings, including false positives, and driving remediation • Maintaining and updating asset and information security risk registers • Supporting incident response activities and post-incident analysis • Conducting and tracking Disaster Recovery (DRP) and Business Continuity (BCP) tests, ensuring identified gaps are addressed