Product Security Engineer

Mirrorweb · Manchester, Greater Manchester, M3 3BZ, United Kingdom · Active · BambooHR

Job facts

Company: Mirrorweb
Title: Product Security Engineer
Normalized title: -
Department / team: Software Engineering
Location: Manchester, Greater Manchester
Work model: -
Employment type: Full Time
Salary: -
Status: active
ATS provider: BambooHR
Posted / first seen: 2026-06-01 / 2026-06-02
Changed / last seen: 2026-06-02 / 2026-06-06

Linked records

Company: Mirrorweb
Source: e28f6901-6fcb-4461-9c0d-4b21f65dbaa7
ATS provider: BambooHR

Description

What is a Product Security Engineer?

The hardest security problems we face aren't policy problems. They're engineering problems. Supply-chain operators. Prompt-injection campaigns. Financially-motivated attackers who turn a compromised dependency into production access. A well-organised control library doesn't move the needle there. Engineering does.

A Product Security Engineer is a software engineer whose specialism is making those attack paths hard, expensive, or impossible. They write production code. They build detections that catch real attacks. They harden the systems other engineers depend on. They reason about specific adversaries with specific failure modes, not abstract categories.

We're hiring someone to defend the regulated communications record of thousands of financial firms. The data is a real target. The work is engineering work.

What you'll do

MirrorWeb is a communications compliance supervision platform. We process hundreds of millions of events a month for thousands of financial-services firms worldwide. Customers trust us with their regulated record, which is a high-value target by any threat model. You'll work across the platform: web capture, large-scale data pipelines, archiving, the customer-facing product, and the developer infrastructure all of it ships on.

Engineer defence into the product

Multi-tenant isolation that holds up to a determined insider. Encryption and key management you'd trust on your own data. IAM modelled as code, reviewed like code, with privilege-escalation paths analysed before they ship. Application-layer hardening on the surfaces customers actually use. Security as a property of how the product is built, not a layer on top.

Defend the supply chain

The path of least resistance into modern SaaS runs through dependencies, build pipelines, and CI providers. You'll engineer the systems that make our supply chain defensible: provenance and integrity for what we build (SLSA, sigstore patterns, signed artifacts), dependency trust as a real control rather than a manifest scan, build-pipeline isolation, third-party risk as runtime telemetry. When the next big supply-chain incident lands, we should know within hours whether it touches us.

Detect, respond, contain

Runtime detection that catches what actually happens, not what a vendor template guesses might. Incident response codified as automation: containment, rotation, isolation, evidence capture. Forensics tooling that works on our stack. Adversary emulation against our real attack surface. The metric is mean-time-to-contain, not control coverage.

Secure the agentic development surface

Our engineers ship with AI agents in the loop on every change. That's leverage, and it's a new attack surface: prompt injection against agent harnesses, untrusted MCP server outputs, IAM scope creep on agent-driven tooling, model and prompt supply chain. You'll own the security layer of our agent platform: sandbox boundaries, scoped credentials, provenance trails on agent-shipped changes, secure-by-default code-generation patterns.

Lead the security craft inside engineering

You embed inside the engineering team, not next to it. You pair with platform and product engineers on the work where threat models matter. You raise the bar through the tooling and patterns you ship, not through review gates. Compliance (SOC 2 today, more as we scale) falls out as evidence of real security work, not as a separate workstream.

What we're looking for

Essential

- Several years writing production software on AWS
- Security as your specialism, with a track record of defence systems you've shipped: detections that fired on real attacks, supply-chain or build-pipeline hardening, hardened product surfaces, IR automation that contained an incident. Be ready to talk about one in depth.
- Adversarial instincts. You follow supply-chain incidents, read post-mortems, and reason about real threat actors rather than abstract categories.
- Hands-on experience using AI coding agents (Claude Code, Cursor, Codex, or similar) in production development workflows
- A clear model for how agent harnesses work (context, tool selection, trust boundaries), and where they break
- Threat-modelling fluency. You can walk a system design and come out with what's worth defending and what isn't.
- An open communicator who raises concerns early and contributes in group discussions
- A high bar for resilient systems, in yourself and the people around you

Desirable

- Detection engineering at production scale: runtime detection, anomaly detection, alert tuning (Sigma, OSQuery, Falco, or equivalent)
- Supply-chain security: SLSA, sigstore / cosign, in-toto, SBOM tooling used as a real control
- Cloud-native attack patterns on AWS: IAM privilege analysis, IMDS exploitation, cross-account paths, KMS misuse, and the defences for each
- Incident response leadership end-to-end on a real incident (containment, eradication, forensics, write-up)
- Authoring MCP servers or custom agent tools with a security lens
- Familiarity with AGENTS.md / CLAUDE.md patterns and skill authoring
- Cryptography in practice: key management, KMS / HSM, encryption-in-use, sensible TLS
- Large-scale data-intensive systems: PostgreSQL, ClickHouse, Turbopuffer
- Observability tooling: Grafana, exception alerting, OpenTracing, Langfuse
- Regtech, fintech, or regulated-record experience
- Scoping red-team and pentest engagements (you commission and consume offensive testing, you don't run it day-to-day)

What you won't find here

A GRC role with an engineering title. A queue of CVE tickets to triage. A SOC analyst rota. A compliance-automation role rebadged as security engineering. This role exists to defend our product against real adversaries, not to manage a control library.

Why MirrorWeb?

We're a communications compliance surveillance and supervision platform. We process hundreds of millions of events a month for firms worldwide, and we're scaling fast. Past the scrappy startup stage, still small enough that the work you do this week is in production next. Security Engineering, like Product Engineering, is a first-class software-engineering discipline here. Not an audit function bolted onto one. We protect the regulated record for thousands of financial firms. The threat is real, and the surface is interesting.

Our Tech Stack

- Backend: Go, TypeScript, Python
- Frontend: React, TypeScript
- Cloud: AWS (Lambda, EC2, ECS Fargate, Aurora PostgreSQL/MySQL, S3, SQS/SNS), Vercel
- AI Infrastructure: AWS Bedrock, Langfuse, Vercel AI Gateway
- Infrastructure: Terraform, GitHub Actions
- Data: Large-scale PostgreSQL, ClickHouse, Turbopuffer
- Agent tooling: Claude Code, Cursor, Linear, Codex, Sentry, Grafana Cloud, CodeRabbit, Incident.io

Full job record

Job ID: c28ddcb54c57777dcf014ba55619a1015e5d5611
Org ID: 595a0457-0c9a-441f-8989-db8df89943f8
Source ID: e28f6901-6fcb-4461-9c0d-4b21f65dbaa7
Board ID: e28f6901-6fcb-4461-9c0d-4b21f65dbaa7
Provider: bamboohr
Provider Job Key: 79
Title: Product Security Engineer
Normalized Title:
Status: active
Active: yes
Location Text: Manchester, Greater Manchester, M3 3BZ, United Kingdom
Department: Software Engineering
Team:
Employment Type: full_time
Workplace Type:
Remote Policy:
Country:
Region: Greater Manchester
City: Manchester
Salary Raw:
Salary Min:
Salary Max:
Salary Currency:
Salary Period:
Source URL: https://mirrorweb.bamboohr.com/careers/79
Apply URL: https://mirrorweb.bamboohr.com/careers/79
First Seen At: 2026-06-02 10:51:39Z
Last Seen At: 2026-06-06 10:22:58Z
Last Checked At: 2026-06-06 10:22:58Z
Last Changed At: 2026-06-02 10:51:39Z
Inactive At:
Source Posted At: 2026-06-01 00:00:00Z
Source Updated At:
Raw Payload Uri: s3://job-postings-prod-raw-590183727216/raw/provider=bamboohr/board=mirrorweb/date=2026-06-06/2026-06-06T10-22-56-555Z-d4570e8be84a624cacf78d0bd6b4ff3c64f27b9aa66c08493f9b1e70a1891a08.json
Event Fields
{
  "content_hash": "9a71104ca22312adb574f8676657675861602c1138ac3869e2cc362f339ab9a1",
  "source_hash": "be81f52b2d83feb31464c73b7bea37aa3243651d43589d41bc9cae1ab050e62a",
  "last_changed_at": "2026-06-02T10:51:39.192Z",
  "active_status": "active"
}
Parsed Structured
{
  "language": "en",
  "location": {
    "raw": "Manchester, Greater Manchester, M3 3BZ, United Kingdom",
    "city": "Manchester",
    "region": "Greater Manchester",
    "country": null,
    "is_remote": false,
    "confidence": 0.8
  },
  "salary_max": null,
  "salary_min": null,
  "inferred_at": "2026-06-06T10:22:58.341Z",
  "launch_scope": {
    "reason": "bamboohr_production_catalog",
    "included": true,
    "location": {
      "raw": "Manchester, Greater Manchester, M3 3BZ, United Kingdom",
      "city": "Manchester",
      "region": "Greater Manchester",
      "country": null,
      "is_remote": false,
      "confidence": 0.8
    },
    "countries": []
  },
  "remote_policy": null,
  "salary_period": null,
  "workplace_type": null,
  "salary_currency": null
}
Extensions
{}
Get this page with API

Rendered from the bluedoor Job Postings API. Reproduce it:

GET https://api.bluedoor.sh/job-postings/v1/jobs/c28ddcb54c57777dcf014ba55619a1015e5d5611?include=description
GET https://api.bluedoor.sh/job-postings/v1/orgs/595a0457-0c9a-441f-8989-db8df89943f8
GET https://api.bluedoor.sh/job-postings/v1/sources/e28f6901-6fcb-4461-9c0d-4b21f65dbaa7
GET https://api.bluedoor.sh/job-postings/v1/jobs/c28ddcb54c57777dcf014ba55619a1015e5d5611/events