• Conduct comprehensive security assessments and risk analyses of systems, networks, infrastructure, and applications to identify vulnerabilities and drive improvements across both on-premises and cloud postures. • Lead the design, development, and implementation of security controls, tool integrations, security log onboarding, incident response plans, and automation for compliance checks, alerts, and reporting. • Own and manage the administration of core security platforms and technologies, including EDR, SIEM, DLP, vulnerability management, firewalls, and web application firewalls. • Perform technical security assessments, penetration testing, code audits, and offensive/defensive security exercises to continuously evaluate, strengthen, and validate detection and response capabilities. • Utilize AI tools and methodologies to improve productivity, automate threat detection, vulnerability scanning, and alerting, proactively identifying and mitigating emerging threats. • Provide expert guidance and mentorship to internal teams on SIEM, Incident Response, WAF, and evidence requirements for frameworks such as ISO27001, SOC2, PCI DSS, and NIST. • Continuously monitor security events, lead security investigations, and coordinate incident response activities during active security breaches. • Stay current with emerging technologies (including AI, machine learning, and IoT risks), trends, threat intelligence, security certifications, and compliance regulations. • Proactively advocate for process improvement and security innovation across the organization. • Prepare and deliver documentation and dashboards for stakeholders and customers, conveying actionable insights from security-related activities and findings.

Role Description Lead Cloud Infrastructure & SRE: - AWS (ECS, EKS, networking, VPCs, IAM) - Databases (PostgreSQL, Kafka, DynamoDB) - IaC standards, SLOs, error budgets, DR/BCP, and a sustainable on-call program Own CI/CD & Developer Experience: - GitLab CI across ~150 repos: build speed, reliability, test signal, release safety, environments, and paved roads for new services Drive Observability & Cloud Cost: - High signal logging/metrics/tracing/alerting stack - SLO instrumentation - Cloud cost attribution by team/service - FinOps practice Lead Application & Cloud Security end-to-end: - Secure SDLC, SAST/DAST/SCA - Vuln triage and SLAs - Secrets hygiene, IAM, CSPM Partner with IT to support compliance program, customer security questionnaires, and pen-test remediation. Own Vendor & Tooling Portfolio: - Build-vs-buy decisions - Vendor selection, POCs and lifecycle across observability, CI/CD, security, and incident management Grow and Develop the Team: - Hire, onboard, and mentor engineers - Actively participate in recruiting; interview candidates, provide calibrated feedback, and raise the bar - Conduct regular 1:1s, provide actionable feedback, and support career development for each team member - Build a culture of urgency, ownership, customer empathy, and continuous improvement Qualifications - 7+ years of infrastructure or SRE engineering experience - At least 3 years managing platform, infra, or SRE teams in a product-focused SaaS environment - Production AWS ownership — you've run HA workloads on AWS at scale - Infrastructure as code - you've built and scaled IaC practices using Terraform - CI/CD fluency — you've built or owned pipelines in GitLab CI, GitHub Actions, Jenkins, or similar - Observability ownership - you've built or evolved an observability stack - Incident command - you've run customer-facing major incidents - Application security - you've embedded security into the SDLC - Cloud security posture - you own IAM, secrets management, network segmentation, and CSPM - Compliance partnership - you've worked alongside IT on compliance programs - Deeply hands-on - you've kept your technical edge as your teams have grown - Bias for action - you default to doing, not delegating - Active AI adoption - you use AI-assisted tools as part of your daily workflow Preferred - B2B SaaS experience with Salesforce coupling — managed packages, org provisioning, integration patterns - CPQ, billing, or revenue domain — high-stakes correctness, audit-relevant data - Experience standing up a Platform Engineering practice or internal developer platform Tech Stack - Salesforce Platform: Apex, Lightning Web Components (LWC), SOQL, Flows, managed packages - Backend: Java (Spring Boot), Node.js, REST APIs, GraphQL - Frontend: React 16, TypeScript, Material-UI, Webpack - Database: PostgreSQL (AWS RDS), Salesforce SOQL/SOSL - Infrastructure: AWS (Lambda, SQS, S3), Kafka, Docker, GitLab CI/CD - AI Tooling: Claude Code, Windsurf, Copilot (used daily across engineering) - Collaboration: Jira, Slack, Gem, Fellow, Confluence

• Define and evaluate the implementation of cybersecurity controls, including but not limited to, embedded operating system, encryption, access controls, network security, and secure coding practices. • Specific hands-on knowledge with implementation of cybersecurity embedded operating systems, networking, and cryptographic controls. • Conduct, with a cross-functional team, process activities to define requirements, find design deficiencies, detect implementation defects, verify the product’s cybersecurity posture, and otherwise secure Torc’s products. • Collaborate with product development teams to embed security into their design and development lifecycle of products and other software development activities. • Stay abreast of emerging cybersecurity threats and technologies and continuously update our software security approaches, strategies, and solutions accordingly. • Liaise with external security vendors and partners, managing relationships, and ensuring the effective integration of third-party security solutions. • Prepare and present evidence in the cybersecurity case to demonstrate readiness to launch new products or release new software versions from a cybersecurity perspective. • Train internal stakeholders on security practices and act as a resource where expert cybersecurity assistance is needed.

Principal / Staff Security Engineer - AI Platform & DevSecOps Palo Alto, California, United States The Role AiDASH protects the critical infrastructure that delivers power to tens of millions of people. We are SOC 2 Type II certified today, and we're working toward ISO 27001 and ISO 42001 certifications in 2027. As we embed GenAI more deeply into our SaaS products (RAG pipelines, agentic / MCP services) and roll out AI-assisted development internally, the threat landscape is shifting fast. Autonomous adversaries, Mythos-class threat actors, prompt injection, model exfiltration, and vibe-coded internal apps spun up by non-engineers are now part of the daily attack surface. We're hiring a Principal or Staff Security Engineer to be our deepest technical voice on security — covering DevSecOps, AI/LLM security, cloud and endpoint defense, IT-Security, and the governance work that will land us ISO 27001 and 42001 certifications in 2027. You'll architect the strategy, pick the right tools where gaps exist, run the audits, and grow the function. You will report to senior leadership and partner with platform, ML, DevOps, and IT leadership across the company. If you've been waiting for a chance to lead the security program at a Series C AI company that ships production AI to critical infrastructure operators, this is that role. The Team You'll partner with our existing security and compliance team based in India — a security engineer plus two compliance specialists, currently within the DevOps organization — and serve as the most senior security IC at AiDASH and the company's authority on AI/LLM security. This role represents the next phase of our security investment: bringing senior-IC depth, AI-native security leadership, and modern detection engineering to a program that has so far been operated alongside DevOps. How you'll make an impact: - DevSecOps & AppSec - Operate and mature our AppSec toolchain across CI/CD — SAST, DAST, SCA, secrets scanning, and IaC policy-as-code. Deepen coverage and evaluate additional tooling where gaps are real - Run threat modeling and secure-design reviews; champion shift-left so security is part of every PR, not a gate at the end - Operate the AIBOM / SBOM toolchain; enforce risk-tiered dependency controls and extend SLSA practices to model artifacts - AI & LLM Security - Harden production GenAI deployments on AWS (managed model APIs, agentic / MCP services) — IAM, VPC routing, prompt-layer guardrails, output filtering, rate/cost controls - Codify OWASP LLM Top 10 and MITRE ATLAS controls into the SDLC; introduce LLM eval-as-gate in CI - Govern internal AI-assisted developer tooling — DLP for what egresses to external model providers, sensitive-data discovery in prompts, and acceptable-use telemetry - Stand up controls for vibe-coded apps and shadow AI: discover, classify, gate with sane defaults, and bring under the SDLC - ISO 27001 / 42001 & Security Governance - Lead the company's path to ISO 27001 and ISO 42001 (AI Management System) certifications in 2027 — scope the management systems, run gap assessments, build the control sets, and steer the audit cycles - Maintain our SOC 2 Type II posture; manage the evidence pipeline, control mappings, and external auditor relationships - Maintain alignment with the NIST AI RMF and translate emerging AI regulation (EU AI Act, US state AI laws, utility-sector mandates) into concrete engineering requirements - Cloud, Endpoint & IT-Security - Operate our endpoint, cloud, identity, and SIEM platforms end-to-end. Own detection engineering, tuning, and integration with the rest of the stack - Harden AWS posture across accounts (Organizations, SCPs, Control Tower); mature Kubernetes security (admission controllers, runtime visibility, pragmatic hardening) - Stand up zero-trust privileged access — short-lived, audited sessions for production infra, databases, and Kubernetes - Lead IT-Security: device posture, identity (SSO, MFA, SCIM), network segmentation, SaaS posture, and offboarding hygiene - Detection, Response & Resilience - Build and tune detections in our SIEM; own the on-call rotation, runbooks, and IR retainer relationships - Run tabletop exercises across Eng, Legal, and Exec; lead post-incident reviews with blameless write-ups - Translate AI threat research — prompt injection, data poisoning, model inversion, agent hijacking — into detections and controls that ship with every release What we're looking for: Minimum qualifications - 10+ years in security engineering, with 3+ years owning a DevSecOps or platform-security program in a cloud-native environment (AWS strongly preferred) - AppSec depth: shipped and operated SAST/DAST/SCA (e.g., Codacy, Semgrep, CodeQL, Snyk, Veracode, or equivalents) at production scale - AI security: hands-on hardening of a production LLM deployment (AWS Bedrock, Azure OpenAI, Vertex AI, or equivalent) — IAM, VPC routing, guardrails, eval gating. RAG-demo experience alone does not meet the bar - EDR/XDR + cloud security platform operator: production experience administering CrowdStrike Falcon (Insight/XDR, Cloud Security CNAPP/CSPM, Identity Protection, or Next-Gen SIEM), SentinelOne, Microsoft Defender XDR, or equivalent, including custom detection authoring - Zero-trust access: experience standing up or operating a privileged-access broker (e.g., Teleport, StrongDM, BeyondTrust, CyberArk, HashiCorp Boundary) - SBOM/AIBOM tooling: operated Interlynk, Anchore, Dependency-Track, or equivalent at production scale - Vulnerability management: production experience with Trivy, Aqua, Wiz, Orca, Lacework, or equivalent across containers, IaC, and SCA - IaC & policy-as-code: Terraform plus production policy-as-code (OPA/Rego, Checkov, Kyverno, tfsec, or equivalent) in a live pipeline - Container & Kubernetes security: production experience with admission controllers (Kyverno, Gatekeeper), runtime visibility (Falco or equivalent), and pragmatic Kubernetes hardening (gVisor, Kata where it earns its keep) - DLP experience: real-world sensitive-data discovery across SaaS or developer tooling, including AI-assisted environments - Compliance fluency: has personally driven SOC 2 Type II or ISO 27001 controls to audit, and can read a control map without flinching. - Bay Area based; able to work hybrid (3 days/week in office) Preferred qualifications - Hands-on MCP work — design, hardening, or auth — even early-stage - ISO 42001 implementation experience; ISO/IEC 42001 Lead Implementer or Lead Auditor certification, or comparable AI-governance leadership - Familiarity with NIST AI RMF and the EU AI Act's high-risk system requirements - Prompt-layer DLP and AI runtime guardrails (e.g., Nightfall, Lakera Guard, Cyberhaven, Harmonic Security, Protect AI, NVIDIA NeMo Guardrails) - LLM eval-as-gate in CI (e.g., Promptfoo, Garak, DeepEval, Giskard) and AI red-teaming experience - Modern PAM / zero-trust rollouts (Teleport, StrongDM) and SaaS posture management (e.g., AppOmni, Obsidian) - Experience securing SaaS products sold into regulated sectors (utilities, energy, financial services, healthcare) - Public signals: conference talks (fwd:cloudsec, DEF CON AI Village, BSides) or open-source contributions in CI/CD, MCP, or LLM-deployment security - Leadership of incident response for a material security event - Comfort working with remote, distributed engineering teams across US/India time zones What you'll love: - Comprehensive Medical, Dental, and Vision Coverage: 100% coverage for employees and 80% for their spouses and children - Health Reimbursement Account (HRA): 100% funded by AiDASH to cover medical deductibles - 401(k) Plan: Begin contributing after three months of employment to prepare for your future. Currently, no company match is offered - Parental Leave: Supportive parental leave with 16 weeks for primary caregivers and 4 weeks for secondary caregivers - Generous Vacation Policy: Accrue 20 vacation days per year, plus enjoy an additional flex holiday to celebrate whatever feels most important to you! - Winter Break: From December 25th through January 1st, we give everyone time off to recharge and enjoy time with family and friends! We offer a competitive base pay range for this full-time position, which is between $210,000 and $270,000 per year. This range reflects the anticipated base salary for new hires. In addition, this role is also eligible for an annual performance bonus and equity. We strive to ensure our compensation packages are equitable and aligned with industry standards. Your recruiter can share more about compensation during the hiring process.