Trust & Security Engineer
Our pitch is 'connect your whole working life to an agent runtime'. Nobody sane does that without proof we deserve it. You will build that proof: the permission enforcement, the audit trail, the revocation paths, and eventually the compliance program — as engineering, not paperwork.
What you will do
Own runtime permission enforcement — every tool call checked against grants, every denial logged, no prompt-level security theater.
Build the audit log into something customers actually read: complete, queryable, tamper-evident.
Make revocation instant and provable across tokens, sessions, keys, and connectors.
Run our vulnerability disclosure process and be the engineer who answers security questionnaires with real answers.
Lead us through SOC 2 Type II without letting it turn the team into a checkbox factory.
What we need
5+ years in security engineering or in backend engineering with security ownership — you have shipped authz systems, not just reviewed them.
Deep understanding of OAuth 2.0 / OIDC, token lifecycles, and the ways they go wrong.
You can threat-model a new feature in an afternoon and write it up so engineers act on it.
You have handled at least one real incident and know that honesty is the only response that scales.
You write clearly for two audiences: engineers and worried customers.
Nice to have
Experience securing LLM/agent systems — prompt injection, tool-call abuse, data exfiltration paths.
You have taken a company through SOC 2 or ISO 27001 before.
Public security writing, talks, or CVE credits.
Apply — we reply to everyone