Job Closed

This listing is no longer active.

Lead Vulnerability Management Security Engineer

Security Engineer | Other | Remote | Senior | Team 1,001-5,000 | Since 1973 | H1B No Sponsor

Location

Arizona | California | Texas | Utah | Washington

Posted

171 days ago

Salary

$120K - $130K / year

Seniority

Senior

Bachelor Degree | 4 yrs exp | English | Python

Job Description

Lead Vulnerability Management Security Engineer

Deckers Brands

  • Lead the review and analysis of vulnerability data to identify trends, patterns, and key risks across Deckers’ global environment
  • Facilitate vulnerability management meetings and drive risk-based discussions to prioritize and accelerate remediation efforts
  • Advise and support remediation teams in developing actionable plans to address vulnerabilities and strengthen our security posture
  • Perform risk-based assessments for both on-premise and cloud-based services, ensuring robust protection for critical assets
  • Integrate advanced security technologies and automation tools to enhance threat detection and response capabilities
  • Build and present business cases for adopting new security solutions to mitigate emerging risks
  • Develop, consolidate, and maintain security metrics to measure the effectiveness of our cybersecurity program
  • Apply industry-leading frameworks (NIST, ISO27001/2, CIS Top 20 Controls) to establish and maintain best-in-class security measures
  • Foster strong relationships with technical teams, serving as a trusted advisor and championing a culture of security awareness
  • Contribute to the strategic direction of the Technical Security team by designing and implementing tools that enhance customer trust and detect suspicious activity

Job Requirements

  • BA/BS degree or equivalent experience in a relevant field
  • Security professional certification (CISSP, CVA, GEVA, or similar) preferred
  • 4+ years of hands-on experience in vulnerability management, including scanning, assessment, and remediation
  • Proven success in starting and growing a vulnerability management program
  • Proficiency with leading vulnerability management tools (Tenable, CrowdStrike) and scripting/automation languages (PowerShell, Python)
  • Deep understanding of security frameworks and compliance standards (NIST, ISO27001/2, CIS Top 20 Controls, PCI-DSS, HIPAA)
  • Strong analytical skills to identify patterns, trends, and actionable insights from complex vulnerability data
  • Excellent communication skills for reporting and stakeholder engagement
  • Collaborative mindset with the ability to serve as a trusted advisor across cross-functional teams
  • Self-driven, strategic thinker with a passion for advancing cybersecurity programs

Benefits

  • Competitive Pay and Bonuses
  • Financial Planning and wellbeing
  • Time away from work
  • Extras, discounts and perks
  • Growth and Development
  • Health and Wellness
