Transforming cities through autonomous technology to create a safer, greener, more accessible world.
Product Cybersecurity Engineer
Location
United States
Posted
2 days ago
Salary
$100K - $155K / year
Seniority
Junior
Job Description
Product Cybersecurity Engineer
May Mobility
• Integrate security practices — threat modeling, architecture reviews into product development workflows from requirements through release. • Provide early security input on hardware, firmware, and software design decisions, including third-party and supply chain risk considerations. • Write, review, and validate security requirements across hardware and software domains; enforce secure coding standards and perform security analysis on main compute systems. • Assist with maintaining Software Bill of Materials (SBOM) and Hardware Bill of Materials (HBOM) using dedicated SBOM tooling to ensure component visibility, vulnerability tracking, and supply chain transparency across products. • Apply security lenses during safety and functional assessments in collaboration with safety, systems, and software teams. • Assist in proactive vulnerability patching and support secure update strategies using product security tooling for threat modeling and risk profiling. • Conduct hazard and threat analyses (TARA/HARA) early in the architecture and development lifecycle. • Analyze and harden the security architecture of vehicle subsystems and autonomous stacks; define system- and product-level security requirements and ensure validation coverage. • Assist senior level engineers with Ethernet, in-vehicle networking, and cloud interface configuration, including port security and network segmentation. • Maintain working knowledge of R155/156, ISO 21434 and UL 4600; support internal audits, risk assessments, and compliance documentation. • Engage with Auto-ISAC to track emerging threats, attack vectors, and industry best practices. • Work across teams such as cybersecurity, hardware, and product engineering — providing architectural security design feedback. • Assist with fostering a security-first culture across the organization through integrated best practices and awareness programs. • Perform additional responsibilities as directed by your manager.
Job Requirements
- B.S. Degree in Computer Science, Computer Engineering, or an equivalent degree
- Minimum of [1-3] years of experience in a product cyber security or related role
- Experience performing threat modeling and attack surface analysis
- Experience generating and managing Software Bills of Materials (SBOMs) using industry tooling, with working knowledge of SBOM formats such as SPDX and CycloneDX
- Familiarity with vehicle communication networks and protocols across physical and application layers (CAN, LIN, Ethernet, DBCs), embedded systems interaction, and module security technologies.
- Familiarity with security-relevant services in ISO 14229-1 (UDS)
- Experience in TARA and HARA methodologies; experience applying UNECE WP.29, ISO/SAE 21434, and security standards.
- Ability to clearly communicate findings and collaborate with engineering teams to drive timely mitigation and remediation.
Benefits
- Comprehensive healthcare suite including medical, dental, vision, life, and disability plans. Domestic partners who have been residing together at least one year are also eligible to participate.
- Health Savings and Flexible Spending Healthcare and Dependent Care Accounts available.
- Rich retirement benefits, including an immediately vested employer safe harbor match.
- Generous paid parental leave as well as a phased return to work.
- Flexible vacation policy in addition to paid company holidays.
- Total Wellness Program providing numerous resources for overall wellbeing.
Related Guides
Related Categories
Related Job Pages
More Security Engineer Jobs
Director of Cybersecurity
Voyager TechnologiesDelivering transformative, mission-critical solutions from ground to space.
• Develop and execute Voyager's cybersecurity strategy, roadmap, governance model, and operating rhythms. • Lead enterprise security programs that protect corporate systems, engineering environments, cloud services, collaboration platforms, and regulated data. • Translate business, program, and government requirements into practical cybersecurity priorities, policies, controls, and investments. • Report security posture, risks, incidents, remediation progress, and strategic needs to the CIO and senior leadership. • Lead security monitoring, alert triage, incident response, forensics coordination, vulnerability management, threat intelligence, and remediation tracking. • Establish incident-response playbooks, tabletop exercises, escalation paths, and communication protocols for security events. • Oversee SIEM, EDR, email protection, vulnerability scanning, identity protection, logging, and related security tooling. • Partner with IT operations and networking teams to reduce attack surface, strengthen endpoint hygiene, and improve detection and response. • Serve as a security architecture leader for application, cloud, identity, network, endpoint, and collaboration initiatives. • Guide secure design for Microsoft 365, GCC High or government-cloud environments, identity platforms, endpoint management, and network segmentation. • Drive risk assessments, control design, exception management, and remediation prioritization across enterprise systems. • Evaluate emerging technologies and security products that improve Voyager's resilience, visibility, and operational effectiveness. • Partner with compliance, legal, contracts, and program teams to support CMMC, NIST SP 800-171, DFARS, ITAR/EAR, CUI, NASA, and DoD security obligations. • Ensure security controls and evidence support audit readiness, government reviews, prime contractor assessments, and proposal requirements. • Support secure handling of controlled unclassified information, export-controlled technical data, and classified-program requirements as applicable. • Coordinate cybersecurity requirements with facility security, program security, and enterprise risk stakeholders. • Build, lead, and develop cybersecurity talent, including internal staff, external partners, and managed security providers. • Manage security vendors, contracts, budgets, licensing, and technology performance. • Communicate clearly with technical teams and executive audiences, including in sensitive or time-critical situations. • Promote a security culture that is practical, mission-aware, and focused on enabling Voyager teams to move quickly and safely.
• Serves as a cybersecurity Subject Matter Expert (SME) with regards to Assessment and Authorization (A&A) of information systems and all associated cybersecurity policies and procedures. • Performs a DOW cybersecurity process while either authorizing an information system or serving as a SME for an information system undergoing authorization. • Possess an understanding of how the security controls identified in the NIST 800-53 apply to the process of assessing and authorizing a large organization’s IT infrastructure such as DLA’s, in which there is a compilation of large and small enclaves, AIS applications and outsourced IT processes. • Determines the applicable severity value for an identified vulnerability (e.g., non-compliant security control), and determines the possible ramifications on the system’s current or future authorization. • Briefs senior management on the progress or results of an information system undergoing the Risk Management Framework (RMF) process.
Sr. Cloud Security Engineer
Inspira FinancialInspira Financial provides health, wealth, retirement, and benefits solutions that strengthen and simplify the health and wealth journey. With more than 7 million clients, representing over $62 billion in assets, Inspira works with thousands of employers, plan sponsors, recordkeepers, TPAs, and other institutional partners — helping the people they care about plan, save, and invest for a brighter future. Inspira relentlessly pursues better outcomes for all with our automatic rollover services, health savings accounts, emergency savings funds, custody services, and more. Learn more at inspirafinancial.com.
Role Description The Sr. Cloud Security Engineer (Sr. CSE) is a hybrid cloud and security engineering role responsible for the hands-on remediation of infrastructure and cloud vulnerabilities, ensuring cloud and infrastructure resources maintain compliance with established policies and Minimum Security Baselines (MSBs), and reporting the organization's current compliance posture. The Sr. CSE will partner with the Security team to define, author, and maintain cloud security policies, keeping pace with evolving industry trends and regulatory requirements. This role will also actively participate in audit activities, including evidence gathering, reporting, and cross-functional collaboration with Compliance, Legal, and IT teams. Duties & Responsibilities: - Vulnerability Remediation & Security Operations - Perform hands-on remediation of infrastructure and cloud vulnerabilities, driving issues to closure within established SLAs and policy requirements. - Operate and administer vulnerability management and cloud security posture management (CSPM/DSPM) tooling - managing scan coverage, remediating findings, and reporting on SLA adherence. - Identify, prioritize, and remediate cloud misconfigurations and security posture gaps across the organization's Azure subscriptions and infrastructure. - Implement and validate security controls across cloud-native services, IaaS, PaaS, and container-based workloads. - Maintain and enforce secure configurations across firewalls, network security components, application delivery infrastructure, and compute platforms in partnership with the Security Team. - Assist with privileged credential hygiene, certificate lifecycle, and secrets governance across the environment when needed. - Support the hardening of Windows and Linux server environments through configuration management and compliance-as-code practices. - Maintain awareness of known and emerging vulnerabilities across the full technology stack - cloud services, OS platforms, network components, and application runtimes. - Compliance, Policy & Reporting - Monitor and report the organization's compliance posture against established security policies, baselines, and regulatory frameworks. - Partner with the Security team to define, author, and maintain cloud and infrastructure security policies - keeping pace with evolving industry trends and regulatory requirements. - Review and update existing policies on a regular cadence to reflect changes in the cloud environment and threat landscape. - Produce accurate, timely compliance posture reports for leadership - covering baseline adherence, vulnerability SLA performance, and remediation progress. - Coordinate and assist in evidence collection and audit maintenance for internal and external organizational assessments, including regulatory audits and third-party risk reviews. - Respond to findings from audits, security questionnaires, and internal/external scanning or penetration testing. - CI/CD Pipeline & Infrastructure Security - Partner with Software Engineering and App Security teams to embed security into CI/CD pipelines and deployment workflows - including secret scanning, least-privilege deployment identities, and secrets management integration. - Review and advise on Infrastructure-as-Code (IaC) implementations from a security perspective, ensuring patterns align with security baselines and organizational standards. - Support secure configuration management across server and cloud environments. - Ensure PKI and certificate management practices are maintained across the environment - including TLS/SSL lifecycle, renewal processes, and certificate inventory. - Technical Leadership & Mentorship - Serve as an informal technical leader and security subject matter expert across Cloud Engineering, Platform Engineering, and adjacent teams. - Mentor engineers on security best practices, secure design patterns, and compliance requirements - elevating security competency across the department without direct people management responsibilities. - Contribute to architecture and design reviews, providing a security lens on cloud platform decisions in partnership with the Cloud Architect. - Cross-Team Collaboration - Cloud Engineering & Platform Engineering - consult on secure architecture, container platform hardening, network segmentation, and pipeline security practices. - Identity & Access Management (IAM) - partner on identity governance, privileged access management, and access control policy enforcement. - Incident Response / Vulnerability Management - collaborate with the Security Detection & Response team on vulnerability prioritization, SLA tracking, remediation coordination, and incident response activities. - Audits & Assessments - provide technical support for evidence gathering, compliance posture reporting, and audit response. - Application Development Teams - consult on security requirements for cloud-native application platforms, ensuring developer environments are built securely from the ground up. Qualifications - 10+ years of experience in cloud engineering, infrastructure, or security engineering - with demonstrated hands-on security work, not just advisory. - Bachelor's Degree in Computer Science, Software/Computing Engineering, Information Security, or related field - or equivalent experience. - Technical certifications preferred: AZ-500, SC-100, SC-200, AZ-104, or equivalent cloud/security certifications. - Experience working in regulated industries (Financial Services, Insurance, or Health-Tech preferred). - Familiarity with compliance frameworks: NIST, HIPAA, PCI and Minimum Security Baselines (MSBs). Requirements - Hands-on experience or significant exposure to the following services and concepts: - Cloud Platform - Azure. - Networking & Security: Virtual Networks (VNETs) and peering, NSGs, UDRs, Private Endpoints, Azure Firewall, Application Gateways (including WAF - OWASP ruleset configuration, Detection vs. Prevention mode), ExpressRoute, VPN Gateways, and Azure Bastion. - Compute & Containers: Virtual Machines, VM Scale Sets, AKS (Kubernetes), and Container App Environments - including cluster hardening, network policy enforcement, workload identity, and Azure Policy for Kubernetes. - Identity & Access: Active Directory (on-prem, hybrid Entra Connect sync), Microsoft Entra ID, Privileged Identity Management (PIM), Conditional Access policy design and enforcement, Azure RBAC (including custom role design), and Entra ID Protection. - Security & Compliance Tooling: Microsoft Sentinel, Microsoft Defender for Cloud (Defender for Containers, Defender for Servers, Defender CSPM), and Azure Policy. - Monitoring & Observability: Azure Monitor - KQL, alert rule configuration, log-based queries, and action group integrations; familiarity with Log Analytics Workspace architecture and log ingestion patterns at scale. - Secrets & Certificates: Azure Key Vault and Key Vault CSI Secrets Store driver for AKS. - Storage & Recovery: Storage Accounts, Backup Vault, and Azure Site Recovery. - Virtual Desktop: Azure Virtual Desktop (AVD). - Security Tooling - Rapid7 - vulnerability management and scanning (InsightVM or InsightIDR); scan configuration, reporting, and SLA tracking. - Wiz and/or Orca Security - CSPM/DSPM platform experience; cloud misconfiguration identification, prioritization, and remediation workflows. - Microsoft Sentinel - SIEM administration, analytics rule management, and data connector configuration; familiarity with security log feeds from edge and email security platforms preferred. - Microsoft Defender for Cloud - Defender plans (Servers, Containers, CSPM), agentless scanning, and security recommendation management. - Datadog - log management, infrastructure monitoring, and security-adjacent alerting. - Identity, Access & Privileged Access Management - Delinea Secret Server (Thycotic) - PAM administration, privileged credential vault management, and access policy configuration. - Active Directory + Entra ID - hybrid identity, Entra Connect sync, group policy (GPO), DNS, and DHCP administration. - Conditional Access, PIM, and RBAC - policy design, enforcement, and least-privilege access models at enterprise scale. - Microsoft Intune - device compliance enforcement as part of a Zero Trust security posture. - Certificate Management - PKI, TLS/SSL lifecycle management, certificate inventory, and renewal processes. - Network & Perimeter Security - Cloudflare (Enterprise) - CDN, WAF, DDoS protection, and DNS proxy configuration and management. - Network routing and VPN - hub-and-spoke topology, route tables, ExpressRoute, and VPN Gateway. - Cisco ASAv - virtual firewall configuration and management. - DNS, DHCP, and Group Policy - enterprise-scale administration in hybrid environments. - DevOps, IaC & Pipeline Security - Azure DevOps (ADO) - CI/CD pipeline security, build agent management, and secure pipeline design. - GitHub / GitLab - source control security, branch protection, secret scanning, and pipeline hardening. - Infrastructure-as-Code (IaC) - Terraform, ARM templates, or Bicep - with a security-first approach to cloud deployments. - CHEF - configuration management and compliance-as-code for server fleet hardening and baseline enforcement. - Endpoint & Server Platforms - Windows Server - administration, hardening, security baseline enforcement, and Group Policy management. - Linux Server - administration, hardening, and security baseline enforcement across enterprise server fleets. - Microsoft 365 Suite - Exchange, SharePoint, Teams, and Intune - security configuration and administration. - Frameworks & Compliance - Familiarity with NIST, HIPAA, and organizational Minimum Security Baselines (MSBs). - Understanding of Zero Trust architecture principles and how they apply across identity, network, and workload security. - Familiarity with PCI-DSS scoped environment security requirements preferred. - Experience operating in regulated industries (Financial Services, Insurance, or Health-Tech). - Experience with or exposure to the following developer runtimes and technologies is a plus, as this role will consult on security posture within environments built on: ASP.NET, .NET, Java (JBoss / Hibernate / JMS), gRPC, Redis, SQL Server.
• Own the SIEM platform end to end, including log source onboarding, correlation rule development, detection tuning, dashboarding, and platform performance and cost management. • Lead the full incident response lifecycle, including triage, containment, eradication, recovery, root cause analysis, and post-incident reporting. • Build and maintain detection content mapped to MITRE ATT&CK; conduct proactive threat hunts across cloud infrastructure, endpoints, identity systems, and network traffic. • Define and enforce SOC processes, including alert triage workflows, escalation paths, on-call procedures, and operational metrics such as mean time to detect and mean time to respond. • Manage ingestion pipelines from cloud audit logs (e.g., AWS CloudTrail), EDR, identity providers, network security platforms, and endpoint management tools into the SIEM. • Operationalize threat intelligence feeds into detection rules, enrichment workflows, and hunting hypotheses. • Develop automation for detection engineering, alert enrichment, and response playbooks to reduce manual analyst workload and speed response time. • Lead in and support tabletop exercises to assess and continuously improve incident response procedures, crisis management, and disaster recovery plans. • Correlate findings across infrastructure, application security, and identity teams during investigations, and drive permanent remediation of identified risks. • Produce technical incident reports and SOC posture reporting that give leadership clear visibility into detection coverage, response performance, and outstanding risk. • Define and enforce detection engineering standards, runbooks, and playbooks used across the security team.




