Job Closed
This listing is no longer active.
Connecting people, systems and data from space to operator for data superiority
Cybersecurity Lead Engineer
Location
United States
Posted
10 days ago
Salary
$135K - $145K / year
Seniority
Senior
Job Description
Cybersecurity Lead Engineer
Sigma Defense Systems LLC
- Support DevSecOps and Software Engineers in developing secure platforms and effectively communicating regarding the risk posture of the platforms.
- Support of full RMF lifecycle for authorization and re-authorization of existing and novel capabilities including regular communication with stakeholders and authorizing personnel.
- Identification and reduction of system vulnerabilities to achieve compliance objectives.
- Mentorship and proliferation of cybersecurity culture within team.
Job Requirements
- 8-10 years of Cybersecurity experience.
- Experience with DoW RMF policy.
- Experience maintaining cybersecurity on an enterprise DevSecOps platform.
- Registered DoW RMF Practitioner (RDRP) is preferred.
- Must be a U.S. citizen.
- Mandatory Certifications:
  - CISSP
- Personnel Clearance Level:
  - Candidate must possess or have the ability to obtain an active Secret security clearance or higher.
  - Clearance may be sponsored for the right candidate.
- Education Requirements:
  - Bachelor's degree from an accredited college or university in Cyber Security, Information Technology, Information Systems, Computer Science, Computer Engineering, Mathematics, or related field of study.
  - Degree may be substituted for comparable additional industry experience and/or industry accepted training and certification.
Benefits
- Dental and Vision Insurance
- Medical Insurance to Include HSA, FSA, and DFSA Plans
- Life and AD&D coverage
- Employee Assistance Program (EAP)
- 401(k) Plan with Company Matching Contributions
- 160 Hours of Paid Time Off (PTO)
- 12 (Floating) Holidays
- Educational Assistance
- Highly Competitive Salary
More Security Engineer Jobs
- Design, build, and maintain secure CI/CD pipelines with security gates that catch issues before they reach production.
- Systematically, consistently and automatically capture the risk exposure of Chainguard's products.
- Implement and enforce software supply chain security controls: signed artifacts, SBOMs, provenance attestation (SLSA, Sigstore / Cosign).
- Proactively identify emerging customer security needs, and build solutions to meet these.
- Lead security architecture reviews and threat models for Kubernetes-based workloads running on GCP and AWS.
- Harden container images, Kubernetes cluster configurations, and cloud IAM postures – minimising attack surface across our product stack.
- Define and drive adoption of baseline security standards: pod security standards, network policies, workload identity, secrets management.
- Evaluate and operationalise CNAPP / CSPM tooling to maintain continuous visibility into cloud-native risk.

- Own the product security research agenda for Chainguard, scanning the broader ecosystem, identifying emerging attack patterns, and translating them into clear risks and opportunities for Chainguard and our customers.
- Shape security direction across products and platforms, partnering closely with Product, Engineering, and Security leadership to embed your findings into roadmaps, architecture decisions, and long-term plans.
- Operate as someone who sees the whole ecosystem, spots issues early, and helps others navigate with confidence (and just enough healthy paranoia).
- Research emerging threats & trends in software supply chain and product security, and analyze their impact on Chainguard’s products and customers.
- Design creative mitigations across people, process, and technology: not just proof-of-concept demos, but pragmatic defenses that actually get adopted.
- Lead large-scale, multi-quarter initiatives that materially reduce risk or improve our security maturity across multiple product lines and platforms.
- Partner with executive and senior engineering leadership to drive org-level security strategy, influence key roadmap decisions, and secure buy-in for big, complex changes.
- Identify systematic weaknesses (in systems, structures, and sometimes habits) and develop plans that fix root causes in ways that persist long after you’ve moved on to the next hard problem.
- Mentor and uplevel others across Product Security and Engineering by helping teams think more strategically about threats, risk, and long-term security posture.
- Represent Chainguard externally through talks, conferences, and thought leadership, sharing what we’re learning and helping move the industry forward.
Senior Security Engineer
Hopper
Hopper is an accredited, mobile-only travel agency using big data to analyze and predict airfare and accommodations. A fully remote employer, Hopper strives to
- Own and evolve our vulnerability management program with a focus on application security — container images, dependencies, code scanning, and runtime detection
- Build and maintain security tooling that integrates directly into CI/CD pipelines and developer workflows, so security happens automatically rather than as a gate
- Use AI extensively to write code faster, automate analyses that would otherwise require manual review, and build intelligent tooling that scales beyond what a small team could achieve manually
- Assess and improve how we leverage available telemetry across our systems
- Work directly with engineering teams to influence secure development practices — not by writing standards and documents, but by shipping tools and defaults that make the secure path the easy path
- Investigate and respond to security findings when needed, but spend more of your time building systems that prevent and detect issues than manually chasing them
- Adapt quickly as priorities shift — our team is agile and tomorrow's challenge may look different from today's


