Senior / Staff DevSecOps Engineer

About the Company America is under sustained cyber attack. Our adversaries infiltrate our networks, steal our IP, and degrade the digital infrastructure that modern life runs on. They’ve learned—correctly—that those attacks rarely produce consequences. Twenty was founded to change that, by making our adversaries think twice before they attack us. Our vision is American and allied primacy in cyberspace—a future where they cannot contest us, deterrence is assured, and the free world remains secure. Founded in 2024, Twenty Technologies ( www.twenty.io ) industrializes offensive cyber operations for the U.S. and its allies. Headquartered in Arlington, Virginia, Twenty has raised $38M from Caffeinated Capital, General Catalyst, and In-Q-Tel. Role Summary You'll build and own the security infrastructure that keeps Twenty's engineering systems safe without slowing engineers down. This role spans runtime security, access control, secrets management, compliance, and CI/CD hardening — but it's equally about making security the path of least resistance. You'll embed with our engineering teams, design secure-by-default foundations, and build the tooling and automation that lets developers move fast without cutting corners. You'll report directly to the VP of Engineering and operate as a shared function across our product teams. Who You Are You believe security should be a force multiplier for engineering, not a gatekeeper. You take ownership end-to-end: from identifying a risk to designing the control to shipping the fix. You bring high judgment to tradeoffs — you know when to enforce hard controls and when friction kills adoption. You communicate clearly with both engineers and non-technical stakeholders, and you translate risk into plain language. You prefer automation over policy: if an engineer has to do something manually to stay secure, you see that as a bug. You hold a high bar for reliability and auditability in the systems you build. You're self-directed and thrive in an environment where the function is new and you're defining it. What You'll Do Own runtime security and vulnerability management across cloud and container environments, including triage, prioritization, and remediation tracking. Design and enforce identity and access management (IAM) across AWS and internal systems — least-privilege by default. Own secrets and credentials management: policies, tooling, rotation, and developer workflows that make doing the right thing easy. Lead security incident response: detection, containment, root cause analysis, and durable remediation. Manage AWS Organization structure, account boundaries, SCPs, and guardrails. Harden and maintain CI/CD pipelines, embedding security scanning and policy enforcement into the software delivery lifecycle. Drive compliance efforts — own the evidence, controls, and remediation work to meet and maintain relevant frameworks. Build and maintain secure-by-default templates for repos, pipelines, and infrastructure modules. Reduce friction through automation: certificate issuance, secrets access, policy-as-code, and developer-facing tooling. Produce lightweight, practical security guidance that engineers actually use. Shape the direction of the DSO function as it scales, and contribute to hiring and team-building as we grow. Must Have 8+ years in DevSecOps, platform security, or a closely related security engineering role. Deep hands-on experience with AWS — IAM, SCPs, Organizations, security services (GuardDuty, Security Hub, CloudTrail, etc.). Strong IaC experience with Terraform; you've used it to enforce security controls, not just provision infrastructure — and you've layered in policy-as-code tooling (e.g., OPA, Checkov, tfsec) or continuous compliance checks (e.g., AWS Config Rules) to catch drift and misconfigurations. Experience owning secrets management end-to-end in a production engineering environment. Proven track record designing and hardening CI/CD pipelines (we use GitHub Actions). Hands-on experience with container security, including image scanning and runtime controls. Experience leading or meaningfully contributing to a compliance program; CMMC Level 2 (or NIST SP 800-171) experience strongly preferred. You've run incident response — you've been on call, you've led the post-mortem, and you've shipped the fix. Strong communication skills and the ability to drive security adoption through enablement, not mandates. Nice To Have Experience growing a DSO or security engineering function — expanding scope, tooling, and team. Familiarity with observability tooling and using it for security signal (we use the LGTM stack). Background in configuration management tooling (Ansible or similar). Experience with developer-facing security platforms or internal tooling that improved engineering workflows. Interest in growing into a lead or manager role as the team scales. Tech Environment (You Might Work With) Cloud: AWS (primary), Terraform for IaC, Ansible for configuration management Containers: Docker, Docker Compose CI/CD: GitHub Actions Vulnerability scanning: Trivy Observability: Grafana, Loki, Tempo, Mimir (LGTM stack) Alerting / on-call: PagerDuty Languages in use across engineering: Go, TypeScript/Node, React, Python Security / Work Environment This role requires eligibility to obtain and maintain a U.S. Government security clearance. This role may involve work in a controlled environment. Benefits What's on the table: Health. Medical, dental, and vision plan options. Life / AD&D, disability coverage options. Family. Paid parental leave for eligible full-time employees. 12 weeks for birthing parents, 4 for non-birthing parents, 6 weeks for adoptive, foster, or intended parents through surrogacy. Vacation. Paid holidays and flexible PTO. Take what you need. Retirement. 401(k) with pre-tax and Roth options. HSA/FSA options, dependent care FSA. At the office. Commuter benefits. On-site garage parking. Bike storage. Building fitness center. Desk setup stipend. Benefits vary by location, role, and eligibility. Full plan details provided during the interview and offer process. If this role sounds like you, apply and share with us your interest. Some positions may require eligibility to obtain a U.S. Government security clearance. Any clearance requirement will be listed in the role description. Twenty is an equal opportunity employer. We consider all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, veteran status, disability, or any other protected status. If you need a reasonable accommodation during the hiring process, let us know and we will work with you.

{
  "content_hash": "f4a0d0de149d006943c102449a0f7d00af7b6fa7f3bfbba63de38f02142a44bc",
  "source_hash": "510bd71e25a35438f73e45876a3b595ac9f225692581b5663946d9e3468a45c2",
  "last_changed_at": "2026-05-29T07:13:43.978Z",
  "active_status": "active"
}

{
  "language": "en",
  "location": {
    "raw": "Arlington, VA",
    "city": "Arlington",
    "region": "VA",
    "country": "United States",
    "is_remote": false,
    "confidence": 0.9
  },
  "salary_max": null,
  "salary_min": null,
  "inferred_at": "2026-06-06T09:39:52.324Z",
  "launch_scope": {
    "reason": "english_us_canada",
    "included": true,
    "language": "en",
    "location": {
      "raw": "Arlington, VA",
      "city": "Arlington",
      "region": "VA",
      "country": "United States",
      "is_remote": false,
      "confidence": 0.9
    },
    "countries": [
      "United States"
    ]
  },
  "remote_policy": null,
  "salary_period": null,
  "workplace_type": "on_site",
  "salary_currency": null
}

{}

{
  "id": "cb920b5d-20a2-40c6-82e2-c7e9333f9210",
  "team": "Engineering, SWE",
  "title": "Senior / Staff DevSecOps Engineer",
  "jobUrl": "https://jobs.ashbyhq.com/twenty/cb920b5d-20a2-40c6-82e2-c7e9333f9210",
  "address": null,
  "applyUrl": "https://jobs.ashbyhq.com/twenty/cb920b5d-20a2-40c6-82e2-c7e9333f9210/application",
  "isListed": true,
  "isRemote": false,
  "location": "Arlington, VA",
  "updatedAt": null,
  "apiVersion": "ashby-non-user-graphql-v1",
  "department": "Engineering",
  "publishedAt": null,
  "workplaceType": "OnSite",
  "employmentType": "FullTime",
  "secondaryLocations": []
}