Staff Security Engineer, Product Security
Seattle OfficeFull-TimeStaffSoftware Engineering
Responsibilities:
- Drive and scale secure-by-design practices across product and engineering teams, integrating security into design, development, CI/CD, and release workflows.
- Lead security design and architecture reviews for major product initiatives; define security requirements, controls, and patterns that teams can adopt consistently.
- Own and evolve threat modeling practices, ensuring risks are systematically identified early and mitigations are validated.
- Perform deep technical assessments (manual code review, targeted security testing, validation of fixes) for high-impact findings and critical services.
- Identify and reduce classes of vulnerabilities across Aircall’s codebases and services (e.g., auth/authz flaws, injection, logic issues, SSRF, API security, cloud misconfigurations).
- Build and improve security tooling and automation that scales across engineering (e.g., guardrails, CI checks, policy-as-code, leveraging AI for autonomous security-review processes that don’t slow delivery).
- Triage and drive remediation of vulnerabilities discovered through internal testing, automated detection, and external reports (including coordinated disclosure where applicable).
- Investigate and respond to product security incidents, helping with containment, root cause analysis, and prevention. Participate in on-call/threat-response rotations, escalating and coordinating during high-severity events.
- Stay up to date on attacker techniques (MITRE ATT&CK, red team reports, threat intel) and propose new detection patterns or responses accordingly.
- Serve as a trusted advisor to engineering and product leadership, translating security risks into pragmatic, prioritized actions and tradeoffs.
- Own cross-team product security initiatives (e.g., secure SDLC improvements, secure design frameworks, security champions, org-wide security patterns and standards).
- Mentor and up-level engineers across security and product teams through reviews, pairing, coaching, and security education.
Should have:
- 8+ years of relevant experience in Product Security / Application Security / Secure Software Engineering (or equivalent).
- Proven track record of leading product security work across multiple teams and influencing architecture and SDLC maturity at scale.
- Strong foundation in secure design, threat modeling, vulnerability discovery, and remediation strategies.
- Proficient with one or more of Programming languages ( Python/Java/JavaScript) and ability to read code to identify security defects.
- Knowledge of common vulnerability classes and modern application risks (OWASP Top 10, API security, identity/auth patterns, cloud-native risk).
- Experience designing or contributing to scalable, automated security review or decision-support workflows, including the use of AI-assisted systems to improve consistency, speed, or coverage.
- Familiarity with cloud-native infrastructure security (AWS/GCP/Azure + Kubernetes) and service-to-service security patterns
- High degree of autonomy, initiative, and ownership; ability to drive entire initiatives with minimal oversight.
- Strong communication skills and ability to drive alignment across engineering/product partners.
Bonus / Nice-to-have:
- Experience building proof-of-concepts/exploits or doing deep-dive vulnerability research.
- Experience applying AI/LLM techniques to improve internal security tooling, automate security workflows, or enhance security signal quality (e.g., structured reviews, correlation, prioritization, or validation).
- Experience with bug bounty / vulnerability disclosure programs and working with external security researchers.
- Security certifications (OSCP, GWEB, CISSP) or demonstrated equivalent expertise.
- Contributions to open-source security tools, libraries, or security research.
