Back to Job Board

Security Engineer

Remote, USA
Posted Jun 14, 2026
Full-time

THE ROLE
This is Flox’s first dedicated security hire. You’ll work directly with engineering leadership to stand up security practices that are pragmatic, developer-friendly, and right-sized for a company at our stage. The role is heavily weighted toward doing—you’ll be the one deploying tools, configuring controls, hardening infrastructure, and closing gaps, not just advising others to do so.

That said, you’ll have real input into how we think about controls, priorities, and our security roadmap as we grow. And because our product sits at the heart of the software supply chain—managing dependencies, environments, and build artifacts for some of the world’s largest engineering teams—security isn’t peripheral here. It’s core to the value we deliver.

If you want to build something from scratch, own it end-to-end, and have your work matter immediately, this is that job. If you want a large team, an existing program to slot into, or mostly governance work, it probably isn’t.

WHAT YOU’LL DO
Detection, Monitoring & Response
Help evaluate whether to stand up an internal SIEM or work with an outsourced SOC provider—then implement whichever path makes sense for where we are as a company. If building internally: deploy and configure the SIEM, write and tune detection rules, and own the alerting stack. If outsourcing: manage the SOC relationship, define what gets escalated and how, and ensure we’re getting signal not just noise

Build incident response runbooks and triage workflows—then actually test them (e.g. test backups in case needed for ransomware recovery)

Be the person who sees something and does something about it

Cloud & Infrastructure Security (AWS + Cloudflare)
Scan and harden our AWS posture hands-on: IAM policies, SCPs, security group hygiene, GuardDuty, Security Hub, and automated compliance guardrails need to be evaluated and maintained

Own Cloudflare configuration across WAF rules, DDoS protection, bot management, Zero Trust access, and DLP policies—keeping rules current and tuned as the product evolves

Implement IaC security scanning (Checkov, tfsec, or similar) directly into CI/CD pipelines

Own CSPM tooling—configure it, triage it, fix things, don’t just generate reports

Endpoint Protection
Deploy and manage endpoint protection across developer systems and production endpoints—covering EDR, device posture, behavior monitoring (including dynamic scans), DLP, and threat detection

Ensure developer machines (Mac-heavy environment typical of engineering teams) meet baseline security standards while minimizing friction that slows people down. Understand when and where detective controls suffice vs preventative controls based on thoughtful risk management and defense in depth

Define and enforce endpoint compliance policies, including disk encryption, patch posture, and application controls

Work with engineering to extend endpoint visibility into production infrastructure where applicable

Software Supply Chain
Secure our build and release pipelines

Consider SLSA framework adoption and supply chain integrity attestations for our catalog and environments

Stand up dependency vulnerability scanning and own the remediation workflow end-to-end for third-party services, libraries, middleware, operating systems, and SaaS

Application Security
Integrate SAST and SCA tooling (Semgrep, Snyk, GitHub Advanced Security) into developer workflows

Participate in security design reviews and threat modeling for new features

Work shoulder-to-shoulder with developers to find and fix vulnerabilities using a risk-based model instead of just vulnerability aging reports

Identity, Access & Entitlements
This is a priority area—but implemented right for a company at our size, not over-engineered for a company ten times larger.
Audit and rationalize IAM across AWS, Cloudflare, SaaS applications, and internal tooling; implement the fixes, not just the findings

Drive SSO consolidation, enforce MFA universally, and implement least-privilege access in practice, not just policy

Build a lightweight, repeatable access review process—something that actually runs on a cadence and produces real decisions

Own joiner/mover/leaver processes so that entitlements stay clean as the team grows

Evaluate and implement an appropriate identity governance solution for our stage—not an enterprise IGA platform, but something that gives us control and auditability

WHAT WE’RE LOOKING FOR
3–5 years of hands-on security engineering experience, ideally at a software company or cloud-native environment

A demonstrable track record of implementing security tools and controls, not just scoping or recommending them

Solid working knowledge of AWS security services: IAM, SCPs, GuardDuty, Security Hub, CloudTrail, and related tooling

Hands-on experience with Cloudflare—WAF rule management, Zero Trust, DLP, or similar; comfort learning what you haven’t used yet

Experience deploying and managing endpoint protection (EDR/MDM) across a mixed developer and production environment

Familiarity with software supply chain concepts: SBOMs, dependency management, artifact signing, SLSA

Experience integrating SAST, SCA, or DAST tools into CI/CD pipelines

Comfort with scripting or light automation (Python, Bash, or similar) to build repeatable processes

Ability to work independently, ruthlessly prioritize, and operate without a playbook

The kind of person who is bothered when something is insecure and doesn’t wait for someone else to fix it

NICE TO HAVE
Familiarity with Nix, package management, or reproducible build systems

Experience evaluating or managing an outsourced SOC relationship

Prior SIEM deployment or detection engineering experience

Experience supporting a SOC 2 or ISO 27001 audit

Security certifications (CISSP, OSCP, AWS Security Specialty, etc.)

WHY FLOX
First dedicated security hire—you’ll build the program, not inherit someone else’s backlog

A product developers genuinely love, which makes working with the engineering team easier

Small team, short feedback loops, real ownership—your work will be visible immediately

Competitive salary, meaningful equity in a well-funded company, and a flexible hybrid environment

Apply Now

More Remote Jobs

AI Engineer
Remote, USA
Full-time
New Grad — Customer Success and Onboarding Manager
Remote, USA
Full-time
Inbound Account Executive
Remote, USA
Full-time
Japanese-speaking community manager
Remote, USA
Full-time
Payroll Associate | Luxembourg
Remote, USA
Full-time
Senior Operations Associate - Machine Learning
Remote, USA
Full-time
Lifecycle Marketing Manager
Remote, USA
Full-time
Marketing Automations Engineer
Remote, USA
Full-time
Account Executive (CA)
Remote, USA
Full-time
English Composition Instructor
Remote, USA
Full-time
Hiring Now: Technical Consultant, APAC
Remote, USA
Full-time
(Entry Level / No Experience) Remote Delta Airlines Careers From Home
Remote, USA
Full-time
Transaction Coordinator (Specific to Wisconsin)
Remote, USA
Full-time
Collections Representative (PST)
Remote, USA
Full-time
**Experienced Customer Success Manager – Delivering Exceptional Service Excellence for Strategic Customers at blithequark**
Remote, USA
Full-time
Indirect Tax Accountant job at Ingersoll Rand in Davidson, NC
Remote, USA
Full-time
Rental Sales Agent
Remote, USA
Full-time
Field Engineer/Technical Sales - Operations & Maintenance (Oil &Gas)
Remote, USA
Full-time
Production Supervisor
Remote, USA
Full-time
Principal Scientist, Process Chemistry
Remote, USA
Full-time