Principal Offensive Security Engineer

Senior · Remote · Full-time


About the Role

We are working with a fast-growing startup at the intersection of SaaS, eCommerce, and health tech — building secure health data platforms and AI-powered tools. Our client is looking for a Principal-level Offensive Security Lead to serve as the primary security domain owner for their complex, hybrid-cloud environment.

This is not an auditing or GRC role. This is a high-autonomy, high-impact position for a technical expert who can personally breach a web application or API and then architect the long-term defense to prevent it.

You will bridge the gap between "breaking" and "building" — leading hands-on penetration testing while simultaneously driving the technical implementation required for SOC 2 and HIPAA compliance. If you are comfortable operating as a solo security lead within a high-growth engineering organization, this is your role.

Level: Senior/Principal IC (Individual Contributor) | Focus: Cloud (AWS/OCI), API Pentesting, & Security Architecture

What You'll Do

  • Offensive Ownership: Personally plan and execute end-to-end penetration tests across web applications, APIs, and hybrid-cloud infrastructure (AWS & OCI).
  • Security Architecture: Act as a strategic partner to Engineering and DevOps to embed security into CI/CD pipelines, container orchestration, and secrets management.
  • Compliance Engineering: Own the technical roadmap and implementation of the security controls required to achieve and maintain SOC 2 and HIPAA certifications — not just check boxes.
  • Vulnerability Remediation: Move beyond identifying risks — work directly in the code and infrastructure to guide teams through complex remediation.
  • Threat Modeling: Lead deep-dive threat modeling sessions for new products and custom-built health-data systems.
  • Domain Leadership: Operate with total independence as the go-to expert for security, managing third-party vendors when necessary but maintaining internal technical mastery.

What We're Looking For

  • 8+ years of in-the-trenches experience in Security Engineering or DevSecOps — we are looking for Principal-level independence, not a mid-level analyst.
  • Offensive Expertise: Hands-on mastery of manual pentesting and vulnerability discovery across web applications, APIs, cloud infrastructure, and network layers.
  • Multi-Cloud Mastery: Deep technical knowledge of AWS and strong preference for OCI (Oracle Cloud); experience hardening hybrid cloud and on-prem footprints.
  • Compliance Lead Experience: Personally owned the technical implementation for SOC 2, HIPAA, or ISO 27001 from start to finish.
  • Infrastructure Hardening: Proven experience with CI/CD security, Kubernetes/container security, and secrets management.
  • Offensive Tooling: Intimately familiar with tools like Burp Suite, Metasploit, or custom scripting for exploitation.
  • The Solo Mindset: Ability to define your own roadmap and operate as a technical leader without a pre-defined playbook.
  • Strong understanding of Linux, networking, authentication, and automated threat detection.
  • Preferred certifications: OSCP, OSCE, or AWS Certified Security – Specialty (hands-on certs valued over theoretical ones).
  • Bonus: experience securing eCommerce platforms or health data systems (HIPAA, 21 CFR Part 11).

What We Offer

  • A competitive salary and benefits.
  • Work from home or anywhere you want (remote position).
  • Flexible working hours.
  • Opportunity to shape security posture from the ground up at a scaling healthtech company.

Ready to Apply?

Send us your application and let's talk about how you can make an impact.
