Job Closed

This listing is no longer active.

Staff Product Security Engineer

Security Engineer | Other | Remote | Lead | Team 5,001-10,000 | Since 1985 | H1B Sponsor

Location

United States

Posted

135 days ago

Salary

$105K - $155K / year

Seniority

Lead

Bachelor Degree | 5 yrs exp | English | AWS | Azure | GCP | Java | JavaScript | Python | TypeScript

Job Description

PTC

  • Serve as a subject matter expert (SME) on Information Security
  • Identify and implement new security technologies and best practices
  • Review security test results from vulnerability scans and penetration testing
  • Guide and influence multi-disciplinary teams in implementing and operating Cyber Security controls
  • Consult with internal teams on engineering designs and development of cloud-based systems
  • Learn with agility; empowered to update and enhance current security practices

Job Requirements

  • US Citizen or Green Card holder based in the US required to meet ITAR Compliance
  • Bachelor's degree in computer science, Information Security, Engineering, or equivalent experience
  • 5+ years of experience in Application Security, Product Security, or Software Security Engineering
  • Strong knowledge of Secure Software Development Lifecycle (SSDLC)
  • Hands-on experience with threat modeling, secure design reviews, and application security assessments
  • In-depth understanding of OWASP Top 10 and OWASP API Top 10
  • Experience using SAST, DAST, SCA, and secrets scanning tools and integrating them in CI/CD
  • Proficiency in at least one programming language: Java, Python, JavaScript/TypeScript, or Go
  • Experience securing mobile applications, including offline data and sync workflows
  • Secure REST and event-driven APIs used by customers, partners, and internal services
  • Strong understanding of cloud platforms (AWS, Azure, or GCP)
  • Strong written and verbal communication skills.

Benefits

  • Medical, dental, and vision insurance
  • Paid time off and sick leave
  • Tuition reimbursement
  • 401(k) contributions and employer match
  • Flexible spending accounts
  • Life insurance
  • Disability coverage
  • Employee share purchase program (ESPP)
  • Performance-based bonus
  • Commuter subsidy

More Security Engineer Jobs

Lead Security Engineer

Charlie Health

Personalized mental health treatment for teens, young adults & families in crisis.

Security Engineer | 135 days ago
Other | Remote | Team 501-1,000 | H1B No Sponsor

This description is a summary of our understanding of the job description.

Role Description

Charlie Health is seeking an experienced Lead Security Engineer to join our Information Security team. In this role, you will partner closely with engineering and product teams to embed secure development practices across the entire software development lifecycle (SDLC). You will be the subject matter expert on application and cloud infrastructure security, guiding the business in building secure, scalable and HIPAA-compliant software solutions.

Responsibilities

  • Lead application security program including SAST/DAST integration, security code reviews and developer training.
  • Perform threat modeling and architecture reviews to identify potential security risks early in design phases.
  • Integrate security tooling and automate security processes into CI/CD and DevOps pipelines.
  • Manage application and cloud security vulnerability management program including configuration of scanning tools, validation and prioritization of findings, and remediation of risks.
  • Review and document new third-party integrations with Charlie Health applications and cloud infrastructure.
  • Perform internal penetration testing and manage third-party penetration tests.
  • Work with teams to build and enforce secure SDLC controls in a fast-paced agile environment.
  • Develop cloud security configuration baselines and monitor for gaps.
  • Document business continuity and disaster recovery procedures for cloud infrastructure environment.
  • Participate in security incident response activities related to Charlie Health applications and infrastructure systems.
  • Help define metrics and KPIs that demonstrate the effectiveness of the application and cloud security programs.

Qualifications

  • 10+ years of experience in application security, secure software development, cloud security or related roles.
  • Bachelor’s degree in Computer Science or related field, or equivalent experience.
  • Proficiency in secure coding practices and languages such as TypeScript, Node, Python, Java, C++ or similar.
  • Hands-on experience with application security tools (e.g., Burp Suite, OWASP ZAP, Fiddler).
  • Knowledge of container security concepts, including container image scanning, secure image pipelines, and common misconfigurations in containerized environments.
  • Deep understanding of web application vulnerabilities: XSS, CSRF, SQLi, session management, etc.
  • Experience implementing security in CI/CD pipelines such as GitHub Actions and agile development workflows.
  • Familiarity with AWS cloud platform and AWS security best practices.
  • Familiarity with management and deployment of SAST, DAST, and SCA tooling.
  • Knowledge of authentication technologies (e.g., Auth0, Okta) and how to securely integrate them with applications.
  • Strong communication skills with ability to clearly articulate risk to technical and non-technical audiences.

Preferred Qualifications

  • Experience with HIPAA and securing applications in healthcare, or other regulated, environments.
  • OSCP, OSWE, AWS Security or other relevant security certifications.
  • Experience securing custom software collaboratively on a team.
  • Experience with Wiz or similar CNAPP tools.
  • Knowledge of AI/ML security best practices.
  • Familiarity with Infrastructure as Code (IaC).
  • Knowledge of security standards such as SOC2, ISO 27001/2, NIST 800-53, HITRUST, or HIPAA Security Rule.

Benefits

  • Comprehensive benefits for all full-time, exempt employees.
  • Total target base compensation between $180,000 and $240,000 per year.
  • Cash compensation may include stock options and other Charlie Health-sponsored benefits.

United States
$180K - $240K / year
Job Closed

Senior Offensive Security Engineer, Red Team

Procter & Gamble

Procter & Gamble, or P&G, is the parent company behind some of the world's most recognizable household and personal care brands. The company was established in

Security Engineer | 135 days ago

  • Lead end-to-end red team operations aligned to priority threat actors: scenario design, ROE, pre-briefs, execution, and hot-wash/AAR
  • Support purple-team engagements with DFIR/SOC and Detection Engineering to convert TTPs into durable detections, runbooks, and response improvements with measurable outcomes
  • Orchestrate assumed-breach campaigns emphasizing evasion and control bypass (EDR/AV, email/web security, identity/conditional access, network segmentation, cloud guardrails)
  • Perform campaign/TTP research, develop internal PoCs/tooling (e.g., tradecraft to exercise specific controls, lightweight payloads), and steward OPSEC
  • Produce executive-ready risk narratives and technical reporting (ATT&CK mapping, artifacts, evidence handling) and brief senior leadership
  • Mentor junior engineers; set standards for craft quality, methodology, and safety
  • Coordinate multi-party/third-party exercises; manage risk, deconflict with production, and ensure stakeholder alignment
  • Contribute to operational expansion by researching, prototyping, and developing novel capabilities for offensive use
  • Contribute to program maturity: metrics/KPIs, roadmap, methodology standardization, control validation cadence, and integration with vulnerability management

Ohio
$110K - $165K / year
Job Closed

Security Technical Implementation Guide Analyst

CACI International Inc

Expertise and Technology for National Security

Security Engineer | 135 days ago
Other | Remote | Team 10,001+ | Since 1962 | H1B No Sponsor

  • Conduct monthly reviews of Tenable and SteelCloud STIG reports
  • Analyze STIG data to determine remediation actions and identify responsible parties to conduct those actions
  • Document comprehensive action plans for identified STIGs
  • Develop and maintain custom STIG reports tailored for individual Air Force bases
  • Provide specific, actionable feedback to Air Force bases and leadership on how to remediate STIGs they are responsible for
  • Work closely with base IT teams, Enterprise security teams, and other stakeholders to ensure effective STIG management
  • Stay current with the latest STIG trends, threat intelligence, and best practices in STIG management

United States
$63.3K - $129.7K / year
Job Closed

SAP Security Lead

CACI International Inc

Expertise and Technology for National Security

Security Engineer | 135 days ago
Other | Remote | Team 10,001+ | Since 1962 | H1B No Sponsor

  • Lead the design and implementation of SAP Security across S/4HANA, Fiori, and the SAP NS2 Private Cloud Edition landscape.
  • Develop the SAP security architecture and ensure alignment with DoD cybersecurity, RMF, STIGs, and NIST 800-53 controls.
  • Own the identity and access management strategy, including business role design, authorization concepts, and user provisioning processes.
  • Lead implementation and ongoing use of SAP GRC Access Control (ARA, EAM, BRM, ARM).
  • Define and maintain USTRANSCOM-specific Segregation of Duties (SoD) rulesets and automated risk analyses.
  • Coordinate with SAP NS2 teams to support secure operations, boundary protections, patching, and compliance requirements.
  • Support security readiness activities, compliance assessments, vulnerability mitigation, and ATO documentation.
  • Guide security design through project phases including blueprinting, build, testing, cutover, deployment, and sustainment.
  • Provide consultative guidance on SAP Security and GRC best practices to internal teams and government stakeholders.
  • Manage and mentor SAP security analysts supporting daily operations and project delivery.
  • Work on Application Security, Compliance, and Delivery in the areas of SAP S/4HANA Security and GRC implementation.

Illinois
$105.1K - $231.1K / year
Job Closed