Jobs · Engineering · Massachusetts

Staff Security Engineer, PEG Security Engineering (Information Security, Architecture and Engineering)

Tech Economy · Boston, MA · 4 days ago
Engineering$141k–$169k/yrFull-time

About the role

We are proud to be consistently recognized as one of the world’s best places to work. You’ll join our Technology Solutions Group, where you’ll consider the full spectrum of people, tech, and process to help others at Bain achieve their goals. You’ll work across teams as a specialist and trusted partner, embedding security into the development lifecycle.

Responsibilities

  • Own and operate the platform’s security posture end-to-end across core controls: HashiCorp Vault and/or Azure Key Vault, Istio mTLS, Cilium network policy, Pod Security Standards, and OPA/Gatekeeper policies.
  • Design and implement zero-trust security architecture across the estate: defense in depth, least privilege, and explicit security boundary design.
  • Conduct lightweight threat modelling (STRIDE) for new services and major features before implementation; document risks, mitigations, and residual risk decisions.
  • Manage supply chain security controls: container image scanning, image signing, SBOM generation, and dependency vulnerability management.
  • Define and enforce identity and access controls: SAML/OIDC integration patterns, JWT/OAuth concepts, and practical enterprise IdP integration guidance (Okta/Entra).
  • Define and maintain data classification controls and enforce them at the platform layer (governed access patterns, masking/tokenization, and API-layer enforcement).
  • Own runtime detection controls: operate Falco rules and escalation pathways; integrate relevant signals with the central SIEM and reduce alert noise to maintain usable signal.
  • Lead security incident response for the platform; drive containment, remediation, and post-incident security reviews with clear follow-up actions.
  • Run regular security reviews of the AI layer: Agent Gateway egress controls, prompt injection risks, PII handling, and data exfiltration controls for model interactions.
  • Maintain security runbooks and execute quarterly internal security reviews across teams; ensure controls are tested, auditable, and actively maintained.
  • Embed in select PE squad ceremonies (refinement, planning, design reviews) to catch security concerns early and raise testability/operability requirements for security controls.
  • Partner with Platform Engineering on secure-by-default templates and guardrails (policy-as-code libraries, reusable CI checks, pre-commit hooks) to reduce repeated effort across squads.
  • Collaborate with the Data Governance Lead on PII classification, tokenization policy, and regulatory/compliance requirements (SOC 2 Type II, ISO 27001, GDPR).
  • Embed in centralized Application security team to promote secure AI tooling to accelerate threat modelling, security policy drafting, and CVE triage; validate outputs with expert judgement before adoption.
  • Communicate security risks in business-impact terms and prioritize controls that materially reduce risk.

Requirements

  • Bachelor’s degree in Computer Science, Engineering, Information Systems, Cybersecurity, or a related field (or equivalent practical experience).
  • 6+ years of experience in security engineering, infrastructure security, SRE/DevOps with a security focus, or platform engineering roles with hands-on security ownership.
  • Demonstrated experience implementing and operating security controls in Kubernetes-based production environments (policy enforcement, workload isolation, network controls, and runtime detection).
  • Experience designing and operating secrets management and identity/access controls (HashiCorp Vault and/or Azure Key Vault, PKI, OIDC/SAML patterns, enterprise IdP integration).
  • Experience implementing supply chain security practices (scanning, signing, SBOMs, dependency management) and integrating controls into CI/CD pipelines.
  • Experience leading or materially contributing to security incident response, including post-incident review and follow-up remediation planning.
  • Demonstrated ability to work cross-functionally as an enabling partner, raising security standards without blocking delivery unnecessarily.

Qualifications

  • Security engineering/Platform security
  • Zero-trust security architecture: defense in depth, least privilege, and explicit boundary design across services, networks, and data layers.
  • HashiCorp Vault: secret engine configuration, PKI management, dynamic credential generation, audit log analysis, and policy authoring (HCL); familiarity with Azure Key Vault a plus.
  • Kubernetes security: Pod Security Standards, admission controller design, OPA/Gatekeeper policy authoring (Rego), Kyverno policies, and Cilium network policy concepts.
  • Istio security: mTLS in STRICT mode, PeerAuthentication, AuthorizationPolicy, and JWT validation at the mesh layer.
  • Supply chain security: image scanning (Trivy), signing (Cosign/Sigstore), SBOM generation (Syft), and dependency vulnerability management (Dependabot/Renovate).
  • Identity and access: SAML 2.0, OIDC, JWT, OAuth 2.0, and enterprise IdP integration patterns (Okta/Azure AD).
  • Data security: column-level masking, row-level security, PII tokenization/de-identification, classification frameworks, and DLP tooling familiarity (e.g., AWS Macie).
  • Runtime security: Falco rule authoring, syscall-level anomaly detection concepts, and SIEM integration.
  • Scripting/automation: Python and Bash for security tooling, policy-as-code, and automated remediation.
  • Compliance awareness: familiarity with SOC 2 Type II, ISO 27001, and GDPR requirements relevant to PE environments.
  • Generative AI and agentic systems
  • Designs and enforces security controls specific to AI workloads: LLM egress policy, prompt injection mitigation, PII scrubbing before external model calls, and Agent Gateway threat modelling.
  • Uses AI tooling to accelerate threat modelling (STRIDE analysis generation), security policy drafting, and CVE triage; validates outputs before adoption.
  • Integrates AI-assisted security scanning into CI/CD pipelines: automated secret detection, dependency risk scoring, and LLM-assisted static analysis review.
  • Understands the security risks of agentic systems: prompt injection, tool misuse, data exfiltration via LLM output, and hallucination in security-sensitive contexts.
  • Reviews AI-generated infrastructure and policy code for security correctness before it enters the estate.

Skills

  • Generative AI and agentic systems
  • Security engineering/Platform security
  • Zero-trust security architecture: defense in depth, least privilege, and explicit boundary design across services, networks, and data layers.
  • HashiCorp Vault: secret engine configuration, PKI management, dynamic credential generation, audit log analysis, and policy authoring (HCL); familiarity with Azure Key Vault a plus.
  • Kubernetes security: Pod Security Standards, admission controller design, OPA/Gatekeeper policy authoring (Rego), Kyverno policies, and Cilium network policy concepts.
  • Istio security: mTLS in STRICT mode, PeerAuthentication, AuthorizationPolicy, and JWT validation at the mesh layer.
  • Supply chain security: image scanning (Trivy), signing (Cosign/Sigstore), SBOM generation (Syft), and dependency vulnerability management (Dependabot/Renovate).
  • Identity and access: SAML 2.0, OIDC, JWT, OAuth 2.0, and enterprise IdP integration patterns (Okta/Azure AD).
  • Data security: column-level masking, row-level security, PII tokenization/de-identification, classification frameworks, and DLP tooling familiarity (e.g., AWS Macie).
  • Runtime security: Falco rule authoring, syscall-level anomaly detection concepts, and SIEM integration.
  • Scripting/automation: Python and Bash for security tooling, policy-as-code, and automated remediation.
  • Compliance awareness: familiarity with SOC 2 Type II, ISO 27001, and GDPR requirements relevant to PE environments.

Benefits

Bain & Company offers a comprehensive benefits and wellness program designed to help employees achieve personal independence, protection, and stability in the areas most important to them and their families. Employees receive full premium coverage for medical, dental, and vision programs, generous paid time off, and more. The role also includes an annual discretionary performance bonus, 401(k) plan with employer contribution, and a best-in-class benefits package.

Pay

The estimated annualized compensation for this role varies based on location and factors such as experience, education, training, and skill level. In Chicago, IL, the good-faith, reasonable annualized full-time salary range for this role is between $141,000 - $169,250; in Boston, MA, it is between $147,250 - $176,750.

Schedule

This role follows a hybrid model, requiring in-office presence at least 1 day per week.

Similar jobs