Job Closed
This listing is no longer active.
Manager, Security Research
Location: United States
Posted: 40 days ago
Salary: $225K - $260K / year
Seniority: Senior
Job Description
Manager, Security Research
Truffle Security Co.
- Owning and driving the research roadmap, focusing on the highest-impact problems in leaked credentials, secrets exposure, and non-human identity security.
- Leading a team of experienced researchers, setting direction, assigning ownership of critical initiatives aligned to the roadmap, and ensuring research output consistently translates into product and company impact.
- Identifying and validating novel leak surfaces across code, SaaS tools, logs, datasets, and emerging ecosystems (including AI/LLMs).
- Designing and running large-scale scans and experiments to uncover real-world exposures, validate impact, and understand attacker behavior.
- Developing verification systems at scale to distinguish real, exploitable secrets from noise, improving precision without sacrificing coverage.
- Publishing high-quality technical research (blogs, reports, disclosures) and representing Truffle externally through talks, conferences, and community engagement.
- Acting as a bridge between research and product, ensuring insights turn into shipped capabilities and roadmap decisions.
- Collaborating cross-functionally with marketing, sales, and developer relations to turn research into clear, compelling narratives for customers and the broader security community.
Job Requirements
- Proven experience leading and growing a research team, with strong ownership over direction and outcomes.
- Strong product instincts: you know the difference between interesting research and work that actually improves customer outcomes.
- Deep expertise in secret scanning, including detection techniques (regex, entropy, ML-assisted), and especially verification at scale.
- Track record of discovering non-obvious, high-impact vulnerabilities or leak surfaces and validating their real-world exploitability.
- Experience turning research into shipped product improvements, not just standalone findings.
- Strong attacker mindset—you think in terms of how systems break, not just how they’re designed.
- Ability to work with messy, high-volume data (credentials, tokens, secrets) and turn it into clear insights and system improvements.
- Experience building or working on security scanners, detection systems, or large-scale data pipelines.
- Experience defining metrics, benchmarks, and evaluation frameworks for detection quality (precision, recall, verification accuracy).
- Strong technical communication skills, with experience publishing research or speaking publicly.
- Experience working cross-functionally with product, engineering, and go-to-market teams.
- Familiarity with non-human identity systems (API keys, service accounts, OAuth tokens).
Benefits
- Fully remote within the U.S. – We believe opportunity shouldn’t be limited by geography. Our remote-first approach lets us hire the best people across the United States and empowers them to do their best work from wherever they are.
- A culture of mentorship, equity, and psychological safety – We’re committed to fostering an environment where you can thrive, learn, and feel valued.
- Competitive salary & meaningful equity – Be rewarded for your contributions with a strong compensation package and a stake in our shared success.
- Flexible paid time off – We operate with a high level of autonomy and trust, giving you the flexibility to take time off as needed—no strict limits, just the expectation that you’re meeting your commitments and getting your work done.
- 14 paid holidays – Including Thanksgiving, Winter Break, and "Truffle Holidays" when the entire company takes a well-deserved day off together.
- Comprehensive health benefits – Medical, dental, and vision coverage with 80% of premiums covered for you and your dependents.
- Remote work stipend – Get set up for success with an $800 new hire stipend and $100/month to keep your workspace comfortable.
- Health & wellness stipend – $1,200/year to support your physical, mental, and emotional well-being— we believe that feeling good helps you do great work.
- Learning & development stipend – $2,000/year to invest in your growth, whether it’s courses, certifications, or industry conferences.
- 401(k) match – We match 100% of the first 6% of your contributions on every paycheck, helping you build financial security for the future.
- 100% remote + company off-sites – Twice a year, we come together in amazing locations like Hawaii, Cabo, and the Rocky Mountains to collaborate and connect.
More Security Engineer Jobs
Application Security Lead
Hightouch: Sync customer data from your warehouse into the tools your business teams rely on.
- You'll own Hightouch's application security posture end-to-end.
- Shape what security looks like here as we scale from 70 to 140+ engineers.
- Solve hard problems at the intersection of security and distributed systems.
- Improve our rate limiting, abuse detection, and granularity of access control.
- Support our multi-region and multi-cloud backend, including launching Hightouch in new regions to support data residency requirements.
- Vulnerability management and offensive testing: Own the vuln lifecycle end-to-end (intake, triage, prioritization, risk acceptance, ticketing to dev teams, and remediation within SLA) and manage external pen tests and targeted assessments. Report regularly on status, SLA performance, and trends.
- Security operations and incident response: Manage our MSSP partner for 24/7 SIEM and SOC monitoring; ensure telemetry, detections, and playbooks match our threat model. Serve as incident commander for real events, and run regular tabletops and post-incident reviews.
- Policy, controls, and risk: Define and maintain Reach's security policies and control framework. Design, implement, and measure the effectiveness of controls; maintain a risk register; and surface material risk decisions to leadership.
- Compliance and audits: Own SOC 2 Type II and PCI DSS end-to-end with continuous control monitoring and evidence collection between audits. Serve as the primary contact for external auditors.
- Application and cloud security: Partner with engineering on secure SDLC, threat modeling for new products and features, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection).
- Identity and access management: Own IAM policy, periodic access reviews, privileged access, and joiner/mover/leaver processes, in partnership with IT and People.
- Third-party and customer security: Run Reach's vendor risk program (due diligence, questionnaires, DPAs, ongoing monitoring) and own responses to customer and prospect security reviews.
- Security awareness and training: Run phishing simulations, ongoing and role-targeted training, and regular company-wide sessions on new threats and best practices.
- Executive reporting: Provide regular security posture updates with meaningful metrics (MTTD/MTTR, patch latency, control coverage, phishing outcomes, audit readiness).
- People, budget, and tooling: Act as a mentor for your report; own the security budget and tool stack, evaluating, procuring, rationalizing, and retiring tools as the program matures.
Manager, Security Engineering
ActBlue: ActBlue is a fundraising software tool geared towards liberal people and organizations. The company offers fundraising tools, technology, and software designed to help grassroots o
- Team Leadership & Development: Mentoring and growing security engineers. This includes running 1:1s, career development planning, performance reviews, and building a culture of continuous learning around evolving threats and technologies.
- Security Execution: Partnering with engineers on your team and the Sr. Director of Security and Integrity, you'll define and prioritize the team's quarterly and annual security initiatives, aligning them with business objectives and frameworks like NIST CSF, CIS Controls, or SOC 2, and translating risk assessments into actionable engineering work.
- Cross-Functional Collaboration: Partnering with Platform, SRE, Legal, IT, Compliance, and Product teams to embed security into the SDLC, incident response processes, and vendor management workflows.
- Incident Response & Preparedness: You'll help the team maintain the security incident response program: runbooks, tabletop exercises, on-call schedules, and timely response to alerts and events.
- Product and Cloud Security: Drive product security practices and cloud security posture across our AWS infrastructure, ensuring secure architecture, configuration, and continuous monitoring of our production environments.
- Vulnerability & Risk Management: Overseeing application security testing (SAST, DAST, SCA) and penetration testing programs (including bug bounty), and ensuring vulnerabilities are triaged, prioritized, and remediated within SLA.
- Corporate Security: Partnering with IT, you and the team will help ensure that corporate security protections, including spam filtering, EDR, and device security, are mature and well executed.
- Vendor & Third-Party Risk: Helping the team evaluate security vendors and overseeing third-party risk assessments.
- Budget & Resource Planning: In coordination with the other department managers, manage the security budget, justifying tooling spend and headcount requests.
- Develop and implement threat modeling to identify security risks across applications and infrastructure.
- Conduct vulnerability scanning, penetration testing, and security assessments to detect weaknesses.
- Define and enforce secure coding practices in collaboration with development teams.
- Work with DevOps to integrate security into CI/CD pipelines and automate security testing.
- Monitor and respond to security incidents, conducting root cause analysis and implementing preventative measures.
- Ensure compliance with security standards and regulations (e.g., ISO 27001, GDPR, SOC 2).
- Design and implement identity and access management (IAM) policies, encryption standards, and authentication mechanisms.
- Collaborate with product teams to conduct security reviews of features, APIs, and third-party integrations.
- Develop incident response plans, security documentation, and best practices.
- Stay ahead of emerging threats, vulnerabilities, and security technologies.