Obsidian Security
Staff DevOps Security Engineer (Office of the CISO)
Obsidian Security, Newport Coast, California, United States, 92657
Staff DevSecOps Security Engineer
Founded in 2017, Obsidian Security was created to close a critical gap: securing the SaaS applications where modern business happensplatforms like Microsoft 365, Salesforce, and hundreds more. Backed by top investors including Greylock, Norwest Venture Partners, and IVP, we've built a complete SaaS security platform to reduce risk, detect and respond to threats, and prevent breaches at the source. Our team includes leaders who helped define the categories of endpoint and identity security at CrowdStrike, Okta, Cylance, and Carbon Black. Now, we're transforming how SaaS is securedin the era of agentic AI. Today, Obsidian is trusted by global enterprises like Snowflake, T-Mobile, and Pure Storage. We protect more than 200 organizations across North America, Europe, the Middle East, Southeast Asia, Australia, and New Zealandincluding many of the world's largest Fortune 1000 and Global 2000 companies. With strong global momentum, a growing partner ecosystem including SentinelOne, Databricks, and Google Cloud, and a major fundraise on the horizon, we're scaling quickly toward long-term growth and IPO readiness. Join us as we define the future of SaaS security! We're looking for a Senior Staff DevSecOps Engineer to join our team and help drive our product and corporate security to the next level. The ideal candidate for the role will be a highly technical, passionate, team-oriented, professional who can evolve our security infrastructure, embedding secure practices into every layer of our Software Development Lifecycle and operations. In this strategic and hands-on role, you will architect, implement, and scale robust security automation, policy enforcement, and threat detection systems across our CI/CD pipelines, corporate, and cloud environments. You'll be instrumental in shaping how security is integrated into software development and operations, driving visibility, reliability, and trust at scale. This person must be mission and values-driven, must have an ownership mentality, and must put the well-being of our customers, our teammates, and our organization at the forefront of how they operate. This person must be able to operate and thrive in a dynamic, high-growth startup environment within an established Cybersecurity, GRC, and IT team and programs. This is a critical, high-impact role that will serve as a catalyst for growth for any seasoned cybersecurity professional. The Staff DevSecOps Engineer reports to the Director of Cybersecurity and will be responsible for developing, implementing, optimizing, scaling, automating, and operating effective security controls and capabilities within the organization and product suite. The Staff DevSecOps Engineer works closely with IT, DevOps, and Engineering teams to support the company's security needs, provide support, and facilitate secure technology operations. Candidates applying for this sensitive and high-impact role should be highly technical team players with software engineering, automation, and application and infrastructure security experience, capable of implementing protection, detection, and response capabilities and industry best practices across an organization with a cybersecurity mission and modern tech stack. This is a multi-faceted role within a fast-moving startup and will require the successful candidate to possess an ownership mentality, sound judgment, personal responsibility, and initiative. In this role, you will support the company's overall security mission and help drive alignment, maturity, capacity, and optimization where needed. Your Responsibilities Will Include Security Architecture and Technical Leadership Design and evangelize a holistic DevSecOps strategy aligned with business risk posture and compliance requirements. Collaborate with IT, GRC, Privacy, and Engineering teams to build secure and privacy-by-default platforms. Define and implement secure patterns for cloud-native architectures (e.g., containers, serverless, IaC). Create automation workflows for security incident detection and response across environments. Establish continuous compliance pipelines for standards like SOC 2, ISO 27001, FedRAMP, or HIPAA. Lead security architecture reviews, threat modeling sessions, and secure coding workshops. Mentor more junior security engineers and influence cross-functional teams through technical thought leadership. Ensuring the Obsidian product is built and deployed to a high-security standard Ensure that application code, images, and infrastructure are scanned for vulnerabilities and that vulnerabilities are remediated in a risk-informed and timely manner. Embed security controls into build and deployment pipelines (GitLab CI). Mature vulnerability scanning (SAST, DAST, SCA) and integrate results into feedback loops for engineering teams. Develop and enforce guardrails and policy-as-code (OPA, Sentinel, Rego) to prevent misconfigurations and policy drift. Ensure that CI/CD infrastructure and other critical infrastructures and systems are hardened according to security best practices and standards, and monitored for security threats. Harden Kubernetes clusters, container runtimes, and cloud environments (AWS/GCP) using security standards and best practices. Lead implementation of infrastructure as code (Terraform), security validation, and drift detection. Drive zero-trust principles in service-to-service communication and access control. Ensuring Obsidian assets are managed to a high-security standard Implement security tooling, automation, and orchestration as needed for detection, response, reporting, and vulnerability management capabilities. Ensure that security tooling is maintained, optimized, and consistently deployed across the Obsidian install base. Develop security threat detection rules and analytics within Obsidian security tooling systems and drive posture security maturity. Supporting internal Corporate Information Security needs on an ongoing basis Perform security assessments of core corporate services and endpoints Monitor security tooling and investigate security threats Conduct threat research and develop intelligence to inform security functions Work with multiple stakeholders to investigate and remediate security incidents Enhance the security posture of corporate infrastructure and tools Occasionally work with IT to support secure technology deployments, company operations, and employee performance. What We're Looking For A person who is excited about working at a cybersecurity startup company with enterprise security needs At least 8 years of DevSecOps experience Proficient in software engineering with emphasis on the Python programming language at a minimum Proficient in Terraform Infrastructure-as-Code Proficient in securing Kubernetes Proficient in securing AWS and GCP environments Proficient in securing the GitLab platform Proficient in security automation Excellent understanding of multiple security domains such as protection, detection, response, application security, vulnerability management, or threat intelligence Be obsessive about security while doing everything possible to support the overall mission. Experience with modern IT systems such as Google Workspace, Microsoft 365, Slack, Notion, Jira Experience working with multiple internal and external stakeholders during incident lifecycles Experience communicating across a company to encourage and educate on best practices, standards, and policies What We Can Do For You Be part of a team-first, low-ego, mission-focused culture. Provide opportunities for professional development. Provide opportunities to make high-impact contributions to security. Influence the Obsidian product development. Annual conference attendance budget Competitive salary, equity, and health benefits Opportunity to publish research, share non-proprietary code, and present at conferences Reserve your seat on our rocket ship! We are funded by Greylock Partners, Google Ventures, WingVC, Norwest Venture Partners, and are growing fast. This role is a game changer and is about securing our company and product as we provide cutting-edge capabilities to help organizations increase their security.
Founded in 2017, Obsidian Security was created to close a critical gap: securing the SaaS applications where modern business happensplatforms like Microsoft 365, Salesforce, and hundreds more. Backed by top investors including Greylock, Norwest Venture Partners, and IVP, we've built a complete SaaS security platform to reduce risk, detect and respond to threats, and prevent breaches at the source. Our team includes leaders who helped define the categories of endpoint and identity security at CrowdStrike, Okta, Cylance, and Carbon Black. Now, we're transforming how SaaS is securedin the era of agentic AI. Today, Obsidian is trusted by global enterprises like Snowflake, T-Mobile, and Pure Storage. We protect more than 200 organizations across North America, Europe, the Middle East, Southeast Asia, Australia, and New Zealandincluding many of the world's largest Fortune 1000 and Global 2000 companies. With strong global momentum, a growing partner ecosystem including SentinelOne, Databricks, and Google Cloud, and a major fundraise on the horizon, we're scaling quickly toward long-term growth and IPO readiness. Join us as we define the future of SaaS security! We're looking for a Senior Staff DevSecOps Engineer to join our team and help drive our product and corporate security to the next level. The ideal candidate for the role will be a highly technical, passionate, team-oriented, professional who can evolve our security infrastructure, embedding secure practices into every layer of our Software Development Lifecycle and operations. In this strategic and hands-on role, you will architect, implement, and scale robust security automation, policy enforcement, and threat detection systems across our CI/CD pipelines, corporate, and cloud environments. You'll be instrumental in shaping how security is integrated into software development and operations, driving visibility, reliability, and trust at scale. This person must be mission and values-driven, must have an ownership mentality, and must put the well-being of our customers, our teammates, and our organization at the forefront of how they operate. This person must be able to operate and thrive in a dynamic, high-growth startup environment within an established Cybersecurity, GRC, and IT team and programs. This is a critical, high-impact role that will serve as a catalyst for growth for any seasoned cybersecurity professional. The Staff DevSecOps Engineer reports to the Director of Cybersecurity and will be responsible for developing, implementing, optimizing, scaling, automating, and operating effective security controls and capabilities within the organization and product suite. The Staff DevSecOps Engineer works closely with IT, DevOps, and Engineering teams to support the company's security needs, provide support, and facilitate secure technology operations. Candidates applying for this sensitive and high-impact role should be highly technical team players with software engineering, automation, and application and infrastructure security experience, capable of implementing protection, detection, and response capabilities and industry best practices across an organization with a cybersecurity mission and modern tech stack. This is a multi-faceted role within a fast-moving startup and will require the successful candidate to possess an ownership mentality, sound judgment, personal responsibility, and initiative. In this role, you will support the company's overall security mission and help drive alignment, maturity, capacity, and optimization where needed. Your Responsibilities Will Include Security Architecture and Technical Leadership Design and evangelize a holistic DevSecOps strategy aligned with business risk posture and compliance requirements. Collaborate with IT, GRC, Privacy, and Engineering teams to build secure and privacy-by-default platforms. Define and implement secure patterns for cloud-native architectures (e.g., containers, serverless, IaC). Create automation workflows for security incident detection and response across environments. Establish continuous compliance pipelines for standards like SOC 2, ISO 27001, FedRAMP, or HIPAA. Lead security architecture reviews, threat modeling sessions, and secure coding workshops. Mentor more junior security engineers and influence cross-functional teams through technical thought leadership. Ensuring the Obsidian product is built and deployed to a high-security standard Ensure that application code, images, and infrastructure are scanned for vulnerabilities and that vulnerabilities are remediated in a risk-informed and timely manner. Embed security controls into build and deployment pipelines (GitLab CI). Mature vulnerability scanning (SAST, DAST, SCA) and integrate results into feedback loops for engineering teams. Develop and enforce guardrails and policy-as-code (OPA, Sentinel, Rego) to prevent misconfigurations and policy drift. Ensure that CI/CD infrastructure and other critical infrastructures and systems are hardened according to security best practices and standards, and monitored for security threats. Harden Kubernetes clusters, container runtimes, and cloud environments (AWS/GCP) using security standards and best practices. Lead implementation of infrastructure as code (Terraform), security validation, and drift detection. Drive zero-trust principles in service-to-service communication and access control. Ensuring Obsidian assets are managed to a high-security standard Implement security tooling, automation, and orchestration as needed for detection, response, reporting, and vulnerability management capabilities. Ensure that security tooling is maintained, optimized, and consistently deployed across the Obsidian install base. Develop security threat detection rules and analytics within Obsidian security tooling systems and drive posture security maturity. Supporting internal Corporate Information Security needs on an ongoing basis Perform security assessments of core corporate services and endpoints Monitor security tooling and investigate security threats Conduct threat research and develop intelligence to inform security functions Work with multiple stakeholders to investigate and remediate security incidents Enhance the security posture of corporate infrastructure and tools Occasionally work with IT to support secure technology deployments, company operations, and employee performance. What We're Looking For A person who is excited about working at a cybersecurity startup company with enterprise security needs At least 8 years of DevSecOps experience Proficient in software engineering with emphasis on the Python programming language at a minimum Proficient in Terraform Infrastructure-as-Code Proficient in securing Kubernetes Proficient in securing AWS and GCP environments Proficient in securing the GitLab platform Proficient in security automation Excellent understanding of multiple security domains such as protection, detection, response, application security, vulnerability management, or threat intelligence Be obsessive about security while doing everything possible to support the overall mission. Experience with modern IT systems such as Google Workspace, Microsoft 365, Slack, Notion, Jira Experience working with multiple internal and external stakeholders during incident lifecycles Experience communicating across a company to encourage and educate on best practices, standards, and policies What We Can Do For You Be part of a team-first, low-ego, mission-focused culture. Provide opportunities for professional development. Provide opportunities to make high-impact contributions to security. Influence the Obsidian product development. Annual conference attendance budget Competitive salary, equity, and health benefits Opportunity to publish research, share non-proprietary code, and present at conferences Reserve your seat on our rocket ship! We are funded by Greylock Partners, Google Ventures, WingVC, Norwest Venture Partners, and are growing fast. This role is a game changer and is about securing our company and product as we provide cutting-edge capabilities to help organizations increase their security.