Obsidian Security
Principal Product Security Engineer – Office of the CISO
Obsidian Security, Palo Alto, California, United States, 94306
Overview
Founded in 2017, Obsidian Security was created to close a critical gap: securing the SaaS applications where modern business happens—platforms like Microsoft 365, Salesforce, and hundreds more. We’ve built a complete SaaS security platform to reduce risk, detect and respond to threats, and prevent breaches at the source. Our team includes leaders who helped define the categories of endpoint and identity security at CrowdStrike, Okta, Cylance, and Carbon Black. We’re transforming how SaaS is secured—in the era of agentic AI. Today, Obsidian is trusted by global enterprises and protects organizations across North America, Europe, the Middle East, Southeast Asia, Australia, and New Zealand. We are scaling quickly toward long-term growth and IPO readiness. Join us as we define the future of SaaS security.
Position Overview:
We’re looking for a Principal Product Security Engineer to join our team and lead our product security to the next level and beyond. The ideal candidate is a senior, highly technical, passionate, team-oriented professional with a proven track record of excellence in technical product security engineering, leadership, and execution. This role will be instrumental in shaping how security is integrated throughout the Obsidian SaaS product, hosting environments, and related services.
The ideal candidate must be mission and values-driven, have an ownership mentality, and place the well-being of customers, teammates, and the organization at the forefront. This role thrives in a dynamic, high-growth startup environment within an established Cybersecurity, GRC, and IT team and programs. This is a critical, high-impact role that will serve as a catalyst for growth for an experienced cybersecurity professional.
The Principal Product Security Engineer reports to the Chief Information Security Officer and will be responsible for developing, implementing, optimizing, scaling, automating, and operating the Obsidian product security program. The role works closely with Engineering, Product, DevOps, GRC, and IT to support the company’s product security needs. Candidates should be highly technical team leaders with exceptional secure software engineering, automation, and application and infrastructure security experience, capable of implementing and operating application security, infrastructure protection, threat detection, and incident response capabilities in a modern tech stack. This is a multi-faceted role in a fast-moving startup and requires ownership mentality, sound judgment, personal responsibility, and initiative.
Your Responsibilities Will Include
Security Architecture and Technical Leadership
— Provide technical leadership and guidance for the Security Team, mentor junior security engineers.
Mentor engineers on secure design and coding practices, and influence cross-functional teams through technical thought leadership.
Ensure that the Product Security Program is defined and documented to include technical runbooks, standards, procedures, and continuity documentation.
Lead and drive scalable security design reviews for existing and new features and services.
Define and maintain secure and private-by-design development patterns, architectural and operational best practices.
Lead security architecture reviews, threat modeling sessions, and secure coding workshops.
Help scale security knowledge across the organization through training and documentation.
Support escalations in customer and prospect security reviews and due diligence.
Secure SDLC & Code Review and Testing
— Mature and integrate scalable security into the SDLC.
Provide deep technical reviews for high-risk areas in backend and frontend codebases and services.
Ensure security testing is properly configured and deployed in code projects and CI/CD pipelines.
Ensure that testing and review outputs are properly documented, prioritized, and completed.
Automate fuzzing, SAST/DAST, SBOM generation, and third-party dependency scanning.
Facilitate and evolve scalable threat modeling processes across SDLC.
Anticipate and address new attack surfaces as the product evolves.
Cloud Security & Infrastructure Hardening
— Partner with DevSecOps, DevOps, SRE, and Platform Engineering to improve the security of cloud environments, Kubernetes, data pipelines, CI/CD pipelines, and related resources.
Drive zero-trust principles in service-to-service communication and access controls.
Drive security maturity in critical Obsidian product resources such as secrets management systems, databases, and data pipelines.
Mature Infrastructure as Code (IaC) and related security tooling and practices.
Ensure that security tooling is properly configured and implemented to the maximum potential.
Monitor security tooling for security events.
Ensure that the most important security metrics are collected and properly made visible via dashboards and reporting.
Incident Response & Threat and Vulnerability Management
— Act as a key technical lead in security incident response and after-action reviews. Prioritize, assess, and drive remediation of product and infrastructure vulnerabilities.
Create automation workflows for security incident detection and response across environments.
Support product penetration testing and corporate red teaming exercises.
What We’re Looking For
A person who is excited about working at an industry-leading cybersecurity startup company with enterprise security needs.
At least 10 years of Product Security experience in a cloud-native environment, with a preference towards experience in the cybersecurity industry.
Proficient in software engineering with emphasis on Python.
Proficient in Terraform Infrastructure-as-Code.
Proficient in securing Kubernetes.
Proficient in securing AWS and GCP environments.
Proficient in securing the GitLab platform.
Proficient in security automation.
Proficient in security metrics collection and reporting.
Strong understanding of multiple security domains such as application security, protection, detection, response, vulnerability management, or threat intelligence.
Be obsessive about security while supporting the overall mission.
Experience with modern IT systems such as Google Workspace, Microsoft 365, Slack, Notion, Jira, GitLab.
Experience working with multiple internal and external stakeholders during incident lifecycles.
Experience communicating across a company to educate on best practices, standards, and policies.
What We Can Do For You
Be part of a team-first, low-ego, mission-focused culture.
Provide opportunities for professional development.
Provide opportunities to make high-impact contributions to security.
Influence the Obsidian product development.
Annual conference attendance budget.
Competitive salary, equity, and health benefits.
Opportunity to publish research, share non-proprietary code, and present at conferences.
Reserve your seat on our rocket ship! We are funded by Greylock Partners, Google Ventures, Menlo Ventures, WingVC, Norwest Venture Partners, and are growing fast.
This role is a game-changer and is about securing our company and product as we provide cutting-edge capabilities to help organizations increase their security.
Employee Benefits
Our competitive benefits packages are designed to support our employees’ well-being, both at work and at home. Our US based employees enjoy:
Competitive compensation with equity and 401k
Comprehensive healthcare with dental and vision coverage
Flexible paid time off and paid holiday time off
12 weeks of new parent or family leave
Personal and professional development resources
For more details on our US benefits, or for information on our international benefits, please see here.
Pay Transparency
Please note that the base pay range is a guideline and for candidates who receive an offer, the base pay will vary based on factors such as work location, as well as the knowledge, skills and experience of the candidate. In addition to a competitive base salary, this position is eligible for equity awards and may be eligible for sales commission or incentive compensation based on the role or function within the company.
At Obsidian, we are proud to be an equal-opportunity employer. We value diversity and hire for talent, passion, and compassion. In compliance with federal law, all persons hired will be required to submit satisfactory proof of identity and legal authorization. If you have a need that requires accommodation, please contact accommodations@obsidiansecurity.com
Information collected and processed as part of any job applications you choose to submit is subject to Obsidian’s Applicant Privacy Policy. Base Salary Range $219,000—$280,000 USD
#J-18808-Ljbffr
Founded in 2017, Obsidian Security was created to close a critical gap: securing the SaaS applications where modern business happens—platforms like Microsoft 365, Salesforce, and hundreds more. We’ve built a complete SaaS security platform to reduce risk, detect and respond to threats, and prevent breaches at the source. Our team includes leaders who helped define the categories of endpoint and identity security at CrowdStrike, Okta, Cylance, and Carbon Black. We’re transforming how SaaS is secured—in the era of agentic AI. Today, Obsidian is trusted by global enterprises and protects organizations across North America, Europe, the Middle East, Southeast Asia, Australia, and New Zealand. We are scaling quickly toward long-term growth and IPO readiness. Join us as we define the future of SaaS security.
Position Overview:
We’re looking for a Principal Product Security Engineer to join our team and lead our product security to the next level and beyond. The ideal candidate is a senior, highly technical, passionate, team-oriented professional with a proven track record of excellence in technical product security engineering, leadership, and execution. This role will be instrumental in shaping how security is integrated throughout the Obsidian SaaS product, hosting environments, and related services.
The ideal candidate must be mission and values-driven, have an ownership mentality, and place the well-being of customers, teammates, and the organization at the forefront. This role thrives in a dynamic, high-growth startup environment within an established Cybersecurity, GRC, and IT team and programs. This is a critical, high-impact role that will serve as a catalyst for growth for an experienced cybersecurity professional.
The Principal Product Security Engineer reports to the Chief Information Security Officer and will be responsible for developing, implementing, optimizing, scaling, automating, and operating the Obsidian product security program. The role works closely with Engineering, Product, DevOps, GRC, and IT to support the company’s product security needs. Candidates should be highly technical team leaders with exceptional secure software engineering, automation, and application and infrastructure security experience, capable of implementing and operating application security, infrastructure protection, threat detection, and incident response capabilities in a modern tech stack. This is a multi-faceted role in a fast-moving startup and requires ownership mentality, sound judgment, personal responsibility, and initiative.
Your Responsibilities Will Include
Security Architecture and Technical Leadership
— Provide technical leadership and guidance for the Security Team, mentor junior security engineers.
Mentor engineers on secure design and coding practices, and influence cross-functional teams through technical thought leadership.
Ensure that the Product Security Program is defined and documented to include technical runbooks, standards, procedures, and continuity documentation.
Lead and drive scalable security design reviews for existing and new features and services.
Define and maintain secure and private-by-design development patterns, architectural and operational best practices.
Lead security architecture reviews, threat modeling sessions, and secure coding workshops.
Help scale security knowledge across the organization through training and documentation.
Support escalations in customer and prospect security reviews and due diligence.
Secure SDLC & Code Review and Testing
— Mature and integrate scalable security into the SDLC.
Provide deep technical reviews for high-risk areas in backend and frontend codebases and services.
Ensure security testing is properly configured and deployed in code projects and CI/CD pipelines.
Ensure that testing and review outputs are properly documented, prioritized, and completed.
Automate fuzzing, SAST/DAST, SBOM generation, and third-party dependency scanning.
Facilitate and evolve scalable threat modeling processes across SDLC.
Anticipate and address new attack surfaces as the product evolves.
Cloud Security & Infrastructure Hardening
— Partner with DevSecOps, DevOps, SRE, and Platform Engineering to improve the security of cloud environments, Kubernetes, data pipelines, CI/CD pipelines, and related resources.
Drive zero-trust principles in service-to-service communication and access controls.
Drive security maturity in critical Obsidian product resources such as secrets management systems, databases, and data pipelines.
Mature Infrastructure as Code (IaC) and related security tooling and practices.
Ensure that security tooling is properly configured and implemented to the maximum potential.
Monitor security tooling for security events.
Ensure that the most important security metrics are collected and properly made visible via dashboards and reporting.
Incident Response & Threat and Vulnerability Management
— Act as a key technical lead in security incident response and after-action reviews. Prioritize, assess, and drive remediation of product and infrastructure vulnerabilities.
Create automation workflows for security incident detection and response across environments.
Support product penetration testing and corporate red teaming exercises.
What We’re Looking For
A person who is excited about working at an industry-leading cybersecurity startup company with enterprise security needs.
At least 10 years of Product Security experience in a cloud-native environment, with a preference towards experience in the cybersecurity industry.
Proficient in software engineering with emphasis on Python.
Proficient in Terraform Infrastructure-as-Code.
Proficient in securing Kubernetes.
Proficient in securing AWS and GCP environments.
Proficient in securing the GitLab platform.
Proficient in security automation.
Proficient in security metrics collection and reporting.
Strong understanding of multiple security domains such as application security, protection, detection, response, vulnerability management, or threat intelligence.
Be obsessive about security while supporting the overall mission.
Experience with modern IT systems such as Google Workspace, Microsoft 365, Slack, Notion, Jira, GitLab.
Experience working with multiple internal and external stakeholders during incident lifecycles.
Experience communicating across a company to educate on best practices, standards, and policies.
What We Can Do For You
Be part of a team-first, low-ego, mission-focused culture.
Provide opportunities for professional development.
Provide opportunities to make high-impact contributions to security.
Influence the Obsidian product development.
Annual conference attendance budget.
Competitive salary, equity, and health benefits.
Opportunity to publish research, share non-proprietary code, and present at conferences.
Reserve your seat on our rocket ship! We are funded by Greylock Partners, Google Ventures, Menlo Ventures, WingVC, Norwest Venture Partners, and are growing fast.
This role is a game-changer and is about securing our company and product as we provide cutting-edge capabilities to help organizations increase their security.
Employee Benefits
Our competitive benefits packages are designed to support our employees’ well-being, both at work and at home. Our US based employees enjoy:
Competitive compensation with equity and 401k
Comprehensive healthcare with dental and vision coverage
Flexible paid time off and paid holiday time off
12 weeks of new parent or family leave
Personal and professional development resources
For more details on our US benefits, or for information on our international benefits, please see here.
Pay Transparency
Please note that the base pay range is a guideline and for candidates who receive an offer, the base pay will vary based on factors such as work location, as well as the knowledge, skills and experience of the candidate. In addition to a competitive base salary, this position is eligible for equity awards and may be eligible for sales commission or incentive compensation based on the role or function within the company.
At Obsidian, we are proud to be an equal-opportunity employer. We value diversity and hire for talent, passion, and compassion. In compliance with federal law, all persons hired will be required to submit satisfactory proof of identity and legal authorization. If you have a need that requires accommodation, please contact accommodations@obsidiansecurity.com
Information collected and processed as part of any job applications you choose to submit is subject to Obsidian’s Applicant Privacy Policy. Base Salary Range $219,000—$280,000 USD
#J-18808-Ljbffr