Security Engineer

Location

Worldwide

Posted

1 day ago

Salary

0

Seniority

Mid Level

Job Description

Security Engineer

CINC Systems

Role Description We are looking for a highly technical Security Engineer with deep experience across application security, AWS cloud security, offensive security, secure SDLC, threat modeling and AI security. This role is suited for someone who can operate at both the engineering and adversarial levels by reviewing architecture, testing applications, identifying exploitable weaknesses, automating security workflows, securing AWS infrastructure and helping product teams build resilient systems. The ideal candidate has hands-on experience with SAST, DAST, SCA, manual application security testing, AWS security reviews, red teaming, SIEM-driven detection workflows, infrastructure-as-code security and security automation. They should be comfortable working directly with engineering teams while also thinking like an attacker to uncover realistic abuse paths across applications, APIs, AWS services, CI/CD pipelines and AI-enabled systems. Key Responsibilities - Lead security reviews for web applications, APIs, microservices, AWS workloads, internal platforms and AI-enabled products. - Perform advanced application security testing using SAST, DAST, SCA, manual code review, API testing and business logic testing. - Identify vulnerabilities across authentication, authorization, session management, access control, injection, SSRF, deserialization, insecure file handling, data exposure and insecure API design. - Conduct threat modeling for new products, critical features, AWS architectures, AI workflows, identity systems and high-risk data flows. - Build and improve secure SDLC processes, including security requirements, code scanning, dependency review, CI/CD security gates and release risk assessments. - Review infrastructure-as-code templates such as Terraform, CloudFormation, AWS CDK, Helm charts and Kubernetes manifests for security misconfigurations. - Assess AWS environments for IAM weaknesses, exposed services, insecure networking, public S3 buckets, secrets leakage, logging gaps, encryption issues, workload risks and privilege escalation paths. - Review AWS IAM policies, roles, trust relationships, permission boundaries, service control policies, identity federation and cross-account access patterns. - Assess AWS services such as EC2, S3, Lambda, ECS, EKS, RDS, API Gateway, CloudFront, WAF, KMS, Secrets Manager, Systems Manager, ECR, VPC, Route 53 and IAM Identity Center. - Conduct red team exercises, adversary simulations, attack path analysis and controlled exploitation to validate real-world risk. - Develop proof-of-concept exploits, custom scripts and automation to reproduce vulnerabilities and demonstrate business impact. - Evaluate containerized and Kubernetes environments, including EKS, for workload isolation, RBAC issues, exposed services, image risks, secrets handling and runtime security gaps. - Assess CI/CD pipelines for insecure workflows, overprivileged tokens, secrets exposure, supply chain risks, artifact integrity and deployment abuse paths. - Perform software composition analysis to identify vulnerable dependencies, license risks, malicious packages, transitive dependency exposure and supply chain weaknesses. - Use SIEM and security telemetry to support investigations, validate attack paths, improve detections and measure control effectiveness. - Build detection logic, threat hunting queries, dashboards and alerting workflows using SIEM platforms such as Splunk, Microsoft Sentinel, Elastic, Chronicle or AWS-native telemetry. - Use AWS security services such as GuardDuty, Security Hub, CloudTrail, AWS Config, Inspector, Detective, Macie, IAM Access Analyzer, Security Lake and CloudWatch to improve visibility and detection coverage. - Automate security workflows using Python, Bash, PowerShell, Go or similar scripting languages. - Develop threat automation for vulnerability enrichment, alert triage, AWS posture checks, attack simulation, evidence collection and remediation tracking. - Partner with DevOps and platform teams to improve secrets management, identity controls, network segmentation, logging, monitoring and secure deployment patterns. - Assess AI and LLM-based systems for risks such as prompt injection, indirect prompt injection, data leakage, insecure tool use, excessive agency, jailbreaks, model abuse, retrieval poisoning and unsafe agent behavior. - Review AI workloads using AWS services such as Amazon Bedrock, SageMaker, Lambda, API Gateway, S3, KMS and IAM for secure design, data protection and access control. - Produce clear technical reports with evidence, exploitability, impact, likelihood, risk rating and actionable remediation guidance. - Mentor engineers and security team members on secure coding, AWS security, offensive testing, threat modeling and AI security risks. Qualifications - Strong hands-on experience in application security, product security, AWS cloud security, offensive security or security engineering. - Deep understanding of secure SDLC practices and experience embedding security into engineering workflows. - Practical experience with SAST, DAST, SCA, manual penetration testing, code review and vulnerability validation. - Strong knowledge of OWASP Top 10, OWASP API Security Top 10, OWASP ASVS, common CWE classes and real-world application attack techniques. - Experience testing web applications, APIs, microservices, cloud services, containers and distributed systems. - Strong understanding of authentication, authorization, identity federation, OAuth, OIDC, SAML, JWT, session security and access control design. - Hands-on experience securing AWS environments in production. - Strong knowledge of AWS IAM, VPC networking, encryption, KMS, Secrets Manager, S3 security, CloudTrail, GuardDuty, Security Hub, AWS Config and workload hardening. - Experience reviewing infrastructure-as-code and identifying security issues in Terraform, CloudFormation, AWS CDK, Kubernetes YAML, Helm, Dockerfiles or similar technologies. - Experience with CI/CD security across tools such as bitbucket pipelines, Jenkins, AWS CodePipeline, or similar platforms. - Experience with red teaming, adversary emulation, penetration testing, exploit development, attack path mapping or offensive security assessments. - Familiarity with SIEM platforms and the ability to write detection or hunting queries using SPL, KQL, SQL, Lucene, YARA, Sigma or similar languages. - Strong scripting ability in Python, Bash, PowerShell, JavaScript or similar languages. - Ability to automate repetitive security tasks and build internal tools that improve security testing, visibility and response. - Familiarity with container and Kubernetes security, including ECS, EKS, RBAC, admission controls, image scanning, runtime controls, network policies and secrets handling. - Ability to review code in languages such as Python, JavaScript, TypeScript, Java, Go, Kotlin, C# or similar. - Strong written and verbal communication skills, with the ability to explain complex technical risks to engineering and leadership teams. Preferred Qualifications - Experience securing AI-enabled applications, LLM products, autonomous agents, RAG pipelines, AI plugins or ML infrastructure. - Experience performing AI red teaming, prompt injection testing, jailbreak testing, model abuse testing or evaluation of agentic workflows. - Experience with AWS Organizations, Control Tower, service control policies, multi-account security patterns and centralized logging. - Experience with threat modeling methodologies such as STRIDE, PASTA, attack trees, abuse cases, data flow diagrams or architecture risk reviews. - Experience with security automation, SOAR workflows, detection-as-code, policy-as-code or cloud security posture automation. - Experience with tools such as Burp Suite Pro, OWASP ZAP, Semgrep, CodeQL, Checkmarx, Fortify, Veracode, Snyk, Dependabot, Trivy, Grype, Syft, Gitleaks, Checkov, tfsec, Prowler, ScoutSuite, Wiz, Prisma Cloud or similar. - Experience building custom security tooling, scanners, exploit harnesses, detection rules, cloud guardrails or CI/CD security integrations. - Experience with MITRE ATT&CK, MITRE ATLAS, CIS Benchmarks, AWS Well-Architected Security Pillar, NIST, ISO 27001, SOC 2, PCI DSS or similar frameworks. - Experience with bug bounty programs, coordinated vulnerability disclosure, internal red team programs or external penetration testing engagements. - Relevant certifications such as OSCP, OSWE, OSEP, GWAPT, AWS Certified Security Specialty, AWS Solutions Architect, CISSP or equivalent practical experience. What Success Looks Like - Security is embedded into design, development, testing and deployment workflows. - SAST, DAST, SCA, secrets scanning, IaC scanning and AWS posture checks are implemented with practical tuning and low operational noise. - High-risk application and AWS vulnerabilities are identified early, validated accurately and remediated with engineering partnership. - Threat models are used to influence architecture decisions before systems reach production. - Red team findings translate into improved controls, stronger detections and reduced attack paths. - SIEM, AWS logs and security telemetry are used to validate security controls and detect realistic abuse scenarios. - Security automation reduces manual review effort and accelerates vulnerability management, investigation and remediation. - AI-enabled systems are reviewed for emerging threats before they are released or scaled. - Engineering teams view security as a technical partner that helps them ship resilient products.

Related Categories

Related Job Pages

More Security Engineer Jobs

Defy Security logo

Enterprise Account Executive – Cybersecurity

Defy Security

Cybersecurity experts who put customers back where they belong: First.

Full TimeRemoteTeam 51-200Since 2017H1B No Sponsor

• Own the enterprise sales cycle — from prospecting and qualification to negotiation and close — across $1B+ revenue organizations • Engage directly with CISOs, CIOs, and CFOs to align cybersecurity investments to enterprise goals • Lead multi-stakeholder deals (6–12 months) in partnership with Solutions Architects, Services, and OEM channel partners • Drive platform adoption — move customers from point products to integrated cybersecurity architectures • Collaborate cross-functionally with Defy’s Services, Engineering, and Partner teams to deliver client success and measurable outcomes • Apply consultative methodologies (e.g., MEDDPICC, Challenger, Command of the Message) to position Defy’s value and differentiation • Consistently exceed quarterly and annual sales goals for bookings, revenue, and gross margin • Represent Defy with executive presence — leading presentations, proposals, and value discussions with boards and senior leaders.

Pennsylvania
$110K - $130K / year
Optum logo

Info Security Engineer - GRC and TPRM

Optum

Optum, part of the UnitedHealth Group family of businesses, is a global organization that delivers care, aided by technology to help millions of people live healthier lives. The work you do with our team will directly improve health outcomes by connecting people with the care, pharmacy benefits, data and resources they need to feel their best. Here, you will find a culture guided by inclusion, talented peers, comprehensive benefits and career development opportunities. Come make an impact on the communities we serve as you help us advance health optimization on a global scale. Join us to start Caring. Connecting. Growing together. At Optum, we support your well-being with an understanding team, extensive benefits and rewarding opportunities. By joining us, you’ll have the resources to drive system transformation while we help you take care of your future. We recognize the power of connection to drive change, improve efficiency and make a difference in health care. Join a team where your skills and ideas can make an impact and where collaboration is key to creating technology that produces healthier outcomes.

Full TimeRemoteTeam 160,000Since 2011

Requisition Number: 2367165 Optum is a global organization that delivers care, aided by technology to help millions of people live healthier lives. The work you do with our team will directly improve health outcomes by connecting people with the care, pharmacy benefits, data and resources they need to feel their best. Here, you will find a culture guided by inclusion, talented peers, comprehensive benefits and career development opportunities. Come make an impact on the communities we serve as you help us advance health optimization on a global scale. Join us to start Caring. Connecting. Growing together. This role is responsible for conducting security risk assessments of vendor-provided solutions within a healthcare environment, focusing on the protection of sensitive health information and organizational systems. This role evaluates vendor controls against frameworks such as NIST SP 800-53 and ensures alignment with HIPAA security requirements, identifying gaps and recommending mitigation strategies. The analyst leverages knowledge of U.S. healthcare technologies (e.g., EHR systems, medical devices) and associated cybersecurity risks to support informed, risk-based decision making. Primary Responsibilities: - Governance, Risk & Compliance (GRC): - Develop and maintain GRC frameworks aligned with organizational goals and regulatory requirements - Perform third party risk assessments with an emphasis on solution-specific assessments, requiring a knowledge of US-based healthcare information technology - Ensure compliance with regulatory requirements for our clients - Monitor information security risks and drive remediation of policy exceptions - Conduct control testing to evaluate maturity and effectiveness of security controls (HIPAA/HITRUST/NIST 800-53) - Work with business stakeholders on defining risk thresholds, implementing risk frameworks, and remediate identified gaps - Stay current on regulatory changes, security trends, and compliance requirements - Create executive summary /reporting for executives - Serves as POC (Point of Contact) in lead's absence - Led and supported GRC platform implementation activities, including tool configuration, workflow customization, process integration, testing, and user support - Third-Party Risk Management (TPRM): - Establish a baseline of vendor risk and identify areas of potential exposure - Design and implement a consistent Vendor Risk Management (VRM) program with an emphasis on vendor solutions, aligned with internal policy and regulatory requirements - Conduct pre-contract due diligence and ongoing vendor solution risk assessments - Develop mitigation plans and partner with internal stakeholders to monitor vendors post-contract - Provide guidance to business units and sourcing teams on VRM requirements - Maintain structured governance for vendor risk and procurement compliance - Continually reassess operational risks and emerging threats related to vendors and vendor supplied solutions - Create executive summaries with recommendations for remediation and risk disposition - Track key vendor related metrics - Worked on Third-Party Risk Management (TPRM) platform implementation projects, including onboarding, configuration, and end-to-end lifecycle management of third-party vendors through the platform - Comply with the terms and conditions of the employment contract, company policies and procedures, and any and all directives (such as, but not limited to, transfer and/or re-assignment to different work locations, change in teams and/or work shifts, policies in regards to flexibility of work benefits and/or work environment, alternative work arrangements, and other decisions that may arise due to the changing business environment). The Company may adopt, vary or rescind these policies and directives in its absolute discretion and without any limitation (implied or otherwise) on its ability to do so Required Qualifications: - Bachelor's degree in information security, Risk Management, or related field (or equivalent experience) - 5+ years of experience in Governance, Risk & Compliance and/or Third-Party Risk Management - Solid understanding of risk management frameworks (HIPAA, HITRUST, NIST 800-53) and regulatory requirements - Proficiency in GRC platforms and vendor risk management tools - Proven excellent analytical skills with ability to interpret large datasets and create actionable reports - Proven solid verbal and written communication skills; ability to present recommendations to senior leadership - Proven ability to work independently and manage complex, less-structured issues Preferred Qualifications: - Experience in developing risk frameworks and dashboards - Exposure to federal/state regulatory compliance requirements - Familiarity with healthcare technologies such HER systems, biomedical devices, SaaS, etc. - Familiarity with procurement processes and vendor governance - Proven ability to act as a point of contact and lead in absence of senior leadership Key Competencies: - Risk Analysis & Assessment - Vendor Risk Management - Regulatory Compliance - Process Improvement - Stakeholder Communication - Problem Solving & Decision Making At UnitedHealth Group, our mission is to help people live healthier lives and make the health system work better for everyone. We believe everyone-of every race, gender, sexuality, age, location and income-deserves the opportunity to live their healthiest life. Today, however, there are still far too many barriers to good health which are disproportionately experienced by people of color, historically marginalized groups and those with lower incomes. We are committed to mitigating our impact on the environment and enabling and delivering equitable care that addresses health disparities and improves health outcomes - an enterprise priority reflected in our mission. Optum is a drug-free workplace. © 2026 Optum Global Solutions (Philippines) Inc. All rights reserved.

Philippines
Full TimeRemoteTeam 501-1,000H1B No Sponsor

• Independently perform all aspects of the security controls assessment in alignment with NIST 800-53 Revision 5 • Ensure comprehensive understanding and application of ATO documentation requirements • Coordinate all aspects of testing with relevant stakeholders and team lead • Develop a security assessment plan with input from stakeholders • Conduct and lead assessment interviews and tests and manage evidence • Provide insightful recommendations to improve security posture

Virginia
AlphaSense logo

Senior Product Marketing Manager, API, Security & Infrastructure

AlphaSense

The market intelligence and search platform trusted by over 3,500 leading organizations

Full TimeRemoteTeam 1,001-5,000Since 2011H1B Sponsor

• Own the technical positioning & messaging for AlphaSense’s platform infrastructure and security posture • Develop compelling narratives that translate complex architectural capabilities into credible, trust-based content for technical buyers • Act as the primary bridge between technical SMEs and GTM teams • Partner with Thought Leadership and Security/Compliance teams to create high-impact technical thought leadership • Partner with the broader marketing team to leverage technical content for organic growth • Partner with Enablement to equip Sales, Support, and App Spec teams with technical enablement • Partner with Competitive Intelligence to contribute to competitive battlecards • Conduct research into technical buyer personas and emerging infrastructure trends • Partner with Solution Marketing to build targeted programs that highlight security and stability • Lead product launches for infrastructure and security-centric releases

New York
$134K - $184K / year