Role Overview:
You'll be the technical voice of product security across Aalyria, reporting to the Director of Security & IT. You'll own application security, CI/CD and supply-chain security, our Kubernetes-based product infrastructure, product-side authentication and PKI, and you'll partner closely with hardware engineering on Tightbeam.
This is a senior to staff level individual contributor role with room to grow into management as the function scales. We need someone who's genuinely happy in a terminal and equally comfortable leading an architecture review.
Key Responsibilities:
- Application & software security. SAST/DAST/SCA, secure SDLC, threat modeling, and software vulnerability management across our codebase.
- CI/CD and supply-chain security. Hardening our GitLab pipelines, build provenance, dependency integrity, signing, and SLSA-aligned controls.
- Product infrastructure security. GKE and Kubernetes hardening, container security, workload identity, network policy, and runtime protection.
- Product PKI. Certificate lifecycle, issuance, rotation, and mTLS architecture across distributed services and remote assets.
- Vulnerability management. Triage, prioritization, remediation tracking, and exception handling for both disclosed upstream issues and internal findings.
- Product incident response. Leading triage and response for product-side security incidents, coordinating with corporate IR, and driving post-mortems to action.
- Product infra hardening. Baseline configurations, secure defaults, and compensating controls across product environments.
- Hardware security partnership. Working with the Tightbeam team on firmware security, secure boot, key storage, and hardware supply-chain integrity.
Required Qualifications:
- Senior- or staff-level hands-on experience in product security or security engineering, with significant depth in software/AppSec.
- Production experience securing cloud environments, with depth in controls such as IAM, org policy, VPC Service Controls, KMS, and Kubernetes.
- Strong cryptographic foundations, PKI architecture, key management, signing, mTLS, and secrets handling at scale.
- Hands-on coding ability in Python, Bash, and Go: you can write tooling, automate controls, and ship Terraform and scripts when the situation calls for it. Comfort reviewing code is a plus.
- A track record of building security programs, not just operating tools someone else stood up.
- Experience leading product incident response end to end: triage, response, coordination with engineering teams, customer communications, and post-mortem ownership.
- A pattern of mentoring engineers and raising the security bar of teams around you, even without direct reports.
- Experience interfacing with hardware/firmware teams, even if hardware isn't your primary domain.
- Strong written communication: you'll write threat models, design docs, and program updates that go to executives, customers, and assessors.
- Working knowledge of the compliance frameworks that govern our environment, such as CMMC, FedRAMP, and DFARS, along with the ability to translate controls into engineering work.
Preferred Qualifications:
- Hands-on experience with NIST 800-53, NIST 800-171, or DoD SRG environments.
- Experience with government-cloud platforms.
- Hardware security depth: HSMs, TPMs, secure elements, and supply-chain attestation.
- Embedded/firmware security background: secure boot, root of trust (RoT), OTA update integrity, and hands-on firmware review.
- Experience standing up or running a vulnerability disclosure program or bug bounty, including triage, researcher communications, and CVE coordination.
What We Offer:
- Innovative Environment: Work at a cutting-edge company shaping the future of aerospace communications.
- Impactful Work: