Founding Security Engineer

Promise

Full-time On-site
Washington, D.C.
$170,000 - $230,000
Security Engineer

Job Description

Founding Security Engineer

Are you ready to build the security foundation for a mission-driven company at the forefront of GovTech innovation?

At Promise, we're not just building technology; we're transforming public systems to work better for everyone, especially the most vulnerable. We empower government agencies and utilities to deliver critical services with dignity, making it simple for residents to receive benefits, engage with assistance programs, and manage payments. Our mission is clear: to increase efficiency, recover revenue, and ensure access for those who need it most.

You'll be part of an elite team of experts from industry giants like Palantir, Google, and Stripe, alongside esteemed government leaders. We're a group driven by a shared passion for our mission and a commitment to building innovative, resilient technology that makes a real-world impact.

Backed by over $50 million in funding from leading investors such as Reid Hoffman, Howard Schultz, Michael Seibel, Y Combinator, and First Round Capital, Promise has earned recognition as one of Fast Company's "World's Most Innovative Companies of 2022," a "Forbes Next Billion-Dollar Startup 2024," and Y Combinator’s #1 GovTech startup.

About the Role
As our first dedicated Founding Security Engineer, you won't just inherit a security program – you'll build it from the ground up. This is a unique opportunity for a security generalist to define strategic direction, implement impactful solutions, and elevate our entire security posture across all facets of our platform.
Our security philosophy is centered on enablement – empowering Promise and its clients through robust security, deeply integrated into every solution we deliver. You'll collaborate closely, embedding security as a core outcome, not a blocker.

What You'll Do

Architect and Implement Core Security Systems: Design, implement, and operate advanced detection and response mechanisms, leveraging Python-based rules to identify and mitigate anomalous activity, drastically improving our signal-to-noise ratio.
Strengthen Cloud & Infrastructure Security: Drive the enhancement of our cloud security posture, partnering with the Infrastructure team to harden our GCP environment, optimize cloud networking, and elevate Kubernetes security.
Secure Our Applications & SDLC: Lead application security initiatives, implementing pragmatic upgrades for frameworks like Next.js and managing dependencies to reduce risk.
Automate Security into Everything: Embed security directly into our development lifecycle through robust code and automation – developing guardrails, integrating security checks, and streamlining remediation workflows.
Own Vulnerability Management: Take full ownership of our vulnerability management program, from proactive identification and prioritization to driving fixes to closure in close coordination with codeowners.
Cultivate a Security-First Culture: Act as a trusted security partner, collaborating closely with engineering teams on secure product design and technical implementation from conception to deployment. Champion a strong security culture across the company through clear guidance, engaging training, and fostering a collaborative, security-aware mindset.
Innovate & Strategize for Emerging Threats: Pioneer the development of technical and policy frameworks to guide the secure and ambitious adoption of AI technologies company-wide.

What We're Looking For

Proven Security Leadership: 5-8 years of progressive experience in cybersecurity, with a significant portion dedicated to hands-on security engineering and architecture.
Deep Cloud Expertise: Exceptional understanding of cloud security principles and networking, with a strong preference for Google Cloud Platform (GCP) experience.
Coding & Automation Prowess: Proficiency in reading code, developing secure solutions, and shipping fixes. Strong Python scripting skills are essential for automation and tool development.
Tooling & Operations Mastery: Hands-on experience operating and optimizing a diverse set of security tools, including Endpoint Detection and Response (EDR), Mobile Device Management (MDM), comprehensive audit logging and alerting systems, and Cloud Security Posture Management (CSPM).
DevSecOps Champion: Solid foundational knowledge of GitHub, Terraform, and critical CI/CD security practices.
Enabling Innovator: A proactive mindset with a genuine desire to enable rapid innovation and development, rather than impede it, by embedding security seamlessly.

Bonus Points If You Have

Experience with Web Application Firewalls (WAFs) and advanced web application security controls.
Demonstrated threat modeling expertise to proactively identify and mitigate risks.
Deep-level Kubernetes hardening and runtime security experience.

Promise is an equal opportunity employer and does not discriminate against any applicant or employee because of race, color, religion, sex, sexual orientation, gender identity, national origin, disability, genetic information, age, or military or veteran status. Additionally, the Company complies with applicable state and local laws governing non-discrimination in employment in every jurisdiction in which it operates. Promise is committed to promoting diversity and inclusion in the workplace. We also provide reasonable accommodations to qualified individuals with disabilities, pregnant individuals, and those with sincerely held religious beliefs, in accordance with applicable laws.
Promise engages in US government contracts and restricts hiring to US persons, which includes US citizens and permanent residents (e.g., Green Card holders). Additionally, candidates must reside in the US.