
Security Engineer

2-5 Years
SGD 7,000 - 15,000 per month
  • Posted 2 days ago

Job Description

We're hiring a Software Engineer (Security) to own security at Padlet - across our application, network, and infrastructure layers, along with the compliance programs that wrap around them.

You'll design and implement defences in the product, harden our network and cloud posture, drive our SOC 2 program through a compliance automation platform, and run incident response when things get noisy. The work is broad by design: we'd rather have one engineer with real ownership across the stack than split the function into pieces that never quite add up.

We expect this person to use AI heavily - coding agents like Claude Code, LLM-powered audit tools, and custom skills/agents - to punch well above the weight of a single headcount. Reviewing code for vulnerabilities, drafting and updating policies, triaging findings, preparing audit evidence, and scanning dependencies are all things we expect you to accelerate with AI rather than do by hand.

You'll be embedded with engineering, close enough to the code to know what's realistic and what isn't.

What you'll do

  • Own application security. Design and implement controls in the product - auth hardening, rate limiting, bot mitigation, signup abuse prevention, injection and CSRF defenses, secrets management, supply chain hygiene.

  • Own network and infrastructure security. Set WAF rules, TLS posture, network segmentation, DDoS mitigation, cloud IAM, and key management. Partner with infrastructure engineers where the work overlaps and drive it to done.

  • Own compliance. Run our compliance program through a compliance automation platform - control mapping, evidence collection, policy drafting and updates, auditor questions. Drive adjacent frameworks (GDPR, regional data protection) as we expand into new markets.

  • Use AI to audit and improve code. Lean on Claude Code, AI-powered SAST tools, and custom agents to scan our codebase for vulnerabilities, review PRs for security issues, draft fixes, and keep dependencies healthy. Build lightweight internal tooling (skills, scripts, agents) when off-the-shelf options don't cut it.

  • Run incident response and remediation. Triage findings from pen tests, bug bounty reports, and third-party audits. Coordinate responders during live incidents. Run post-mortems so fixes actually stick.

  • Run the security awareness program. Organize training, tabletop exercises, and internal communications that keep security top-of-mind for engineers and the broader team.

What we're looking for

  • You're a working engineer. You've spent meaningful time building and shipping software, ideally at a company operating at scale. You read and write code daily, you're comfortable in a real codebase, and you can hold your own in architecture and design discussions.

  • Security fluency. Working knowledge across application security (OWASP Top 10 and beyond), network security (TLS, DNS, CDNs, WAFs, firewall rules), and infrastructure security (cloud IAM, secrets, container and supply chain security). You've implemented or helped implement real defenses in at least a couple of these areas.

  • AI-native working style. You already use AI tools heavily in your day-to-day work - whether that's Claude Code, Cursor, Copilot, or similar - and you have strong instincts for when AI speeds things up and when it's a liability. You're comfortable writing prompts, building small agents or skills, and reviewing AI output critically (especially for security-sensitive code). If your current workflow doesn't involve AI, this role isn't a fit.

  • Compliance experience. You've been through at least one recognized compliance audit (SOC 2, ISO 27001, or similar) and understand what controls look like in practice, not just on paper. Hands-on experience with a compliance automation platform is a strong plus.

  • Pragmatism with complexity. You enjoy digging into how systems actually work, and you're thoughtful about the tradeoffs security controls impose - latency, friction, engineering cost, product performance. You can tell the difference between a theoretical risk and an exploitable one, and you know when a defense is worth the cost and when a lighter-touch approach gets most of the benefit without slowing the product down.

  • Clear communication. You can translate between engineers, auditors, and non-technical stakeholders. You write status updates people actually read.

Nice to have

  • Experience defending a consumer product against abuse at scale (spam, scraping, account fraud, content abuse)

  • Familiarity with Cloudflare (Turnstile, WAF, Workers), GCP security tooling, or comparable cloud stacks

  • Background in threat modeling, red team exercises, or offensive security research

  • Prior work in edtech, fintech, healthtech, or another regulated/sensitive domain

  • Experience building a security awareness program that engineers actually pay attention to

Why this role

At most companies, security is split across a handful of people who each own a sliver - and the gaps between those slivers are where real problems live. This role is the opposite: one engineer who owns the full picture, from the product code to the network edge to the audit deliverable. You'll have the scope to actually move things, the AI tooling to move them faster, and the support of an engineering team that takes security seriously.

More Info


Job ID: 146963383
