Security Engineer (or Fractional Consultant)

Focus: device auth, data handling, enterprise requirements, and security as “contracts with receipts.”

About the Role

We’re building a measurement platform where trust is the product. Security isn’t a checkbox—it’s part of the same contracts philosophy: explicit guarantees, continuous verification, and auditability.

This role owns (or jump-starts, if fractional) the security foundation across devices, cloud services, and enterprise customer expectations. If you’re fractional early, the goal is to establish the architecture, policies, and guardrails so the team can move fast without building an accidental liability.

What You’ll Do

  • Device identity & authentication: secure onboarding and identity (keys/certs, mTLS), rotation/revocation, and “what device sent this?” traceability.
  • Secure data handling end-to-end: encryption in transit/at rest, secrets management, PII minimization, retention/deletion, and audit coverage.
  • Enterprise security requirements: SSO/SAML/OIDC, RBAC, tenant isolation, audit logs, and security questionnaires.
  • Threat modeling & architecture: device → ingest → storage → API → UI; define mitigations and residual risk.
  • Secure update pipeline: signed builds, SBOMs/supply-chain controls, vulnerability scanning, safe OTA/rollbacks for edge/device software.
  • Access control & least privilege: IAM design, service-to-service auth, segmentation, policy-as-code guardrails.
  • Logging, auditing, incident response: immutable, useful audit logs; IR playbooks; alerting and forensic readiness.
  • Security standards & roadmap: right-sized policies now, with a path toward SOC 2 / ISO expectations when needed.

Concrete Deliverables

  • A device auth blueprint: provisioning flow, key storage strategy, rotation plan, revocation model, telemetry for auth failures.
  • A data handling spec: classification, encryption requirements, retention policy, deletion workflows, audit coverage.
  • A tenant isolation + RBAC model (and review of implementation).
  • A security baseline: secrets management, dependency scanning, vuln management, logging/audit requirements, CI gates.
  • A lightweight enterprise readiness pack: security overview, architecture diagram, FAQ answers, questionnaire response template.
  • If fractional: a 30/60/90 plan with prioritized fixes and quick wins.

Required Qualifications

  • Practical experience securing cloud systems and APIs: authN/authZ, IAM, secrets management, secure logging, encryption.
  • Experience with device/IoT security or adjacent constraints (identity, provisioning, OTA security, intermittent connectivity).
  • Ability to translate enterprise requirements into implementable controls without freezing development.
  • Strong communication: can write clear policies and coach engineers without turning everything into compliance theater.

Preferred Qualifications

  • Experience guiding teams toward SOC 2 Type I/II, ISO 27001, or similar expectations.
  • Familiarity with hardware root of trust, secure elements/TPM, and attestation (where feasible).
  • Experience with multi-tenant SaaS security (tenant isolation, audit logs, SSO).
  • Experience with supply-chain security: artifact signing, SBOM, SLSA concepts, dependency governance.

How You’ll Be Measured (First 60–90 Days)

  • Device identity/auth is no longer ad hoc: provisioning, rotation, and revocation are defined and implemented (or clearly staged).
  • Data handling is explicit and enforceable: encryption, retention, deletion, and audit logging are in place or on a tight plan.
  • Enterprise blockers are removed: RBAC/SSO/audit story is credible and documented.
  • Security posture improves without slowing shipping: clear guardrails, not bureaucracy.

Working Style

  • You assume attackers are creative and customers are picky—and you build a system that can explain itself.
  • You prefer secure-by-default primitives: strong identity, least privilege, immutable audit logs, signed artifacts.
  • You optimize for startup reality: highest risk first, maximum leverage, minimal ceremony.

Title & Engagement

Security Engineer (full-time) or Fractional Security Consultant (early-stage engagement). If fractional, typical shape is: architecture + baseline controls + first enterprise readiness pass, then periodic reviews.

Apply

Send a short note and your resume.