Staff Security Engineer
Collective · San Francisco, CA · 2 wk ago
HybridInformation TechnologyFull-time
About the role
We're hiring a Staff Security Engineer to own the security of Collective's member platform end to end. This is a senior individual contributor role with broad product-security scope.
What You'll Do
- Own the end-to-end authentication and authorization architecture across Collective's member platform, including session management, role-based access control, and the emerging patterns needed to secure agent-based workflows and service-to-service communication.
- Drive CCPA compliance across the platform, partnering with Legal and Engineering to map data flows, implement required access and deletion controls, and establish ongoing audit and reporting mechanisms.
- Lead threat modeling for new features and platform changes, collaborating with product engineers early in the design process to identify and address risk before it reaches production.
- Define and maintain security standards, policies, and runbooks that give engineering teams clear guardrails without slowing down delivery.
- Respond to and lead post-incident security reviews, driving root-cause analysis and translating findings into durable platform improvements.
- Evaluate and integrate third-party security tooling, staying current on the threat landscape relevant to fintech platforms handling sensitive financial and tax data.
What You'll Bring
- 8+ years of security engineering experience, with depth in application security and a track record of improving security posture on production platforms at scale.
- Strong expertise in authentication and authorization systems (OAuth 2.0, OIDC, SAML, JWT) and the nuances of securing both user-facing sessions and machine-to-machine flows, including AI agent authentication patterns.
- Hands-on experience building or owning SAST/DAST programs and embedding security testing into CI/CD pipelines; familiarity with tools like Semgrep, Snyk, Burp Suite, or equivalent.
- Working knowledge of CCPA (and ideally GDPR) compliance requirements as they apply to a SaaS platform handling personal financial data, including data mapping, subject rights workflows, and audit trails.
- Experience collaborating with Legal and Privacy teams to translate regulatory requirements into concrete engineering controls, not just documentation.
- Product empathy: the ability to hold security rigor and member experience in the same frame, and to make the right tradeoffs with both in mind.
- Familiarity with AI-assisted development workflows and an interest in the security implications of agent-based systems is a strong plus.
What We Offer
- A hybrid work model: based in San Francisco with a balance of in-office and remote flexibility.
- Fresh lunch: provided on in-office days.
- Commuter support: $150 monthly reimbursement for transit expenses.
- Health & wellness: $200 quarterly reimbursement to support your well-being.
- Flexible PTO plus 14 company holidays.
- Comprehensive coverage: 100% medical, dental, and vision for employees; 75% coverage for dependents.
- Parental leave: 16 weeks fully paid.
- Retirement & ownership: 401k plan plus an equity package.
- Team connection: quarterly virtual events and an annual in-person summit.