Security Engineer

CaptivateIQ  is the leading Sales Performance Management solution, recognized by Forrester and G2, and trusted by customers including Affirm, Gong, and Figma. With solutions for Sales Planning and Incentives, we help revenue teams automate processes, hit revenue targets, and adapt with business change, ultimately driving efficient growth. It's time to rethink ROI - your return on incentives - with CaptivateIQ.
With backing from Sequoia, Accel, ICONIQ, Sapphire Ventures, and other leading investors, CaptivateIQ is on a mission to enable every company to improve their return on incentives and sales planning.
Come and see why Glassdoor and Comparably have recognized CaptivateIQ as a best place to work!
About the role:Join our Cybersecurity Team and play a pivotal role in strengthening the security of our infrastructure, applications, and services. As a Security Engineer, you will apply your technical expertise across engineering, application security, and incident response to help scale and mature our security posture. This is a hands-on role that requires a collaborative mindset, strong problem-solving skills, and the ability to identify and respond to security challenges across attack surfaces. 
You’ll work closely with Engineering, Product, and IT teams to embed security across the product lifecycle, triage and mitigate vulnerabilities, and proactively respond to security threats. If you're passionate about building secure systems, working cross-functionally, and making meaningful impact in a fast-moving, product-led environment—this role is for you.

Responsibilities:

• Design and implement scalable security controls across cloud infrastructure, applications, and enterprise systems.
• Partner with engineering teams to design secure architectures and assist in system and product development from requirements gathering through deployment.
• Collaborate with developers to identify, triage, and remediate application and cloud security vulnerabilities (e.g., XSS, SSRF, CSRF, CORS, SQL Injection, broken authentication/authorization, encryption flaws).
• Provide expert guidance on secure coding practices, common vulnerability classes (e.g., OWASP Top 10), and threat modeling for modern web applications.
• Conduct security reviews of design and architecture documents; lead threat modeling exercises using frameworks such as STRIDE, PASTA, MITRE ATT&CK, and DREAD.
• Build and refine detection and response capabilities using logs, alerts, and behavioral signals.
• Lead or support incident response activities, including log analysis, querying, forensic investigation, threat mitigation, and root cause analysis.
• Conduct internal security reviews, network scans, and targeted penetration tests of applications and infrastructure using common security tooling (e.g., Burp Suite, ZAP, Amass, Nmap).
• Assess and mitigate static (SAST) and dynamic (DAST) vulnerabilities across services and components.
• Evaluate, implement, and maintain security tooling to support vulnerability management, secure development, and event detection workflows.
• Define and track metrics related to application security, vulnerability remediation, detection coverage, and incident response effectiveness.
• Support compliance initiatives (e.g., SOC 2), contribute to control implementation, and assist with security documentation.
• Contribute to internal security education and awareness by developing training materials and coaching engineers.

Requirements:

• Bachelor’s degree in Computer Science, Cybersecurity, or equivalent practical experience.
• 6+ years of hands-on experience in cybersecurity, with demonstrated expertise in security engineering, application security, secure development, or security operations.
• Deep understanding of web architectures and modern frameworks (e.g., Django, Node.js, React).
• Expert-level scripting and automation skills (e.g., Python, Bash, PowerShell) for workflow automation, tooling, and log analysis.
• Proficient in log analysis, SIEM usage/configuration, threat hunting, and querying tools to support detection and response.
• Familiarity with static and dynamic analysis techniques and vulnerability mitigation.
• Strong understanding of modern cloud platforms—especially AWS—and cloud-native security practices.
• Experience conducting penetration tests, vulnerability assessments, and network scans.
• Excellent communication and collaboration skills; able to guide developers, write clear documentation, and engage stakeholders.

Nice to have:

• Certifications such as OSCP, GCIH, GWAPT, or CISSP.
• Familiarity with security frameworks such as NIST CSF, MITRE ATT&CK, OWASP ASVS, or ISO 27001.
• Experience with commercial security tools such as EDR, SIEM, CSPM, CNAPP, vulnerability scanners, bug bounty platforms, WAFs, or compliance automation platforms.
• Prior experience driving security engineering for a SaaS-based company.
• Experience leveraging automation or AI/ML tools to improve secure development, detection, incident response, or code analysis workflows.

Benefits:

• (US-ONLY) 100% of medical, dental, and vision covered including 75% for dependents
• Flexible vacation days and quarterly mental health days so you can recharge
• Enjoy a one-time expense on your 1-year work anniversary (to use for travel, home furnishings, fancy meal)
• One time work from home stipend & annual stipends for professional development and caretaking 
• Virtual team lunches to keep you connected
• (US-ONLY) 401k plan to participate in and save towards the future
• Newest Apple products to help you do your best work
• Employee Resource Groups (ERGs) to support and celebrate the shared identities and life experiences of communities within CaptivateIQ. ERGs directly support our company-wide DEI goals as a space for developing and retaining diverse talent

Notice to Prospective Candidates:

• Only emails from @captivateiq.com should be trusted.
• We are aware of active recruitment scams using the CaptivateIQ name, in which individuals pose as our recruiters and post fake remote job openings and make fake job offers on the Internet. Please note, we will never do the following:
• Attempt to correspond with a candidate using a free web-based account, such as an email address that ends in @gmail.com, @yahoo.com, @hotmail.com, etc. 
• Make an offer of employment without conducting multiple rounds of interviews face-to-face using secure video-conferencing technology.
• Ask candidates to cash checks to buy equipment on behalf of CaptivateIQ.
• Ask candidates to make a payment in order to be considered for a position.
• Make early requests for candidates' personal information such as date of birth, passport details, credit card numbers, bank details and social security number, etc.
• Please note that we’ll only ask for more sensitive personal information in connection with background checks after an offer is made.

CaptivateIQ participates in E-Verify, web-based system that allows enrolled employers to confirm the eligibility of their employees to work in the United States