Staff Security Engineer

📋 Description

• • Own the end-to-end design, deployment, and lifecycle of AWS Network Firewall policies that shield TopstepTrader’s production, staging, and corporate environments from external threats and lateral movement. You will author least-privilege rules, tune threat-intel feeds, and automate policy rollbacks to achieve sub-minute response times.
• • Architect and continuously refine identity-centric access controls across AWS IAM, security groups, NACLs, and third-party identity providers (Okta, Azure AD). You’ll map every human and service identity to a risk-based role, enforce MFA and conditional access, and eliminate long-lived credentials through short-lived STS tokens and IAM Roles Anywhere.
• • Serve as the primary escalation point for security incidents detected by our Datadog and ELK-based SIEM. You’ll triage alerts, lead cross-functional war-room calls, and build repeatable playbooks that cut mean-time-to-respond (MTTR) by 50%. Post-incident, you’ll run blameless retros and feed lessons learned back into detection logic and preventive controls.
• • Drive quarterly firewall-rule and IAM-policy hygiene reviews that balance business agility with compliance mandates (SOC 2, PCI-DSS, ISO 27001, GDPR, CCPA, FSA). You will produce evidence packs for auditors, remediate drift, and present risk dashboards to senior leadership.
• • Automate security operations using Infrastructure-as-Code (Terraform, CloudFormation) and scripting languages (Python, Go). You’ll build self-service guardrails that let engineers deploy securely without ticket queues, and you’ll instrument every change with unit tests and CI gates.
• • Partner with engineering squads during architecture and design reviews to inject security requirements early—threat modeling data flows, selecting encryption standards, and defining secure-by-default patterns for containerized microservices and event-driven workloads.
• • Participate in a 24×7 on-call rotation (one week in four) as the security subject-matter expert. You’ll join a follow-the-sun team across US and EMEA time zones, armed with runbooks, paging policies, and executive escalation paths.
• • Mentor junior engineers and champion a culture of security ownership across the organization through lunch-and-learns, internal wikis, and capture-the-flag exercises. You’ll measure success by reduced alert noise, faster incident resolution, and peer NPS scores.
• • Continuously scan the horizon for emerging threats and cloud-native security services (AWS GuardDuty, Network Firewall Suricata rules, IAM Identity Center). You’ll pilot new tooling in sandbox accounts, quantify ROI, and socialize adoption roadmaps.
• • Translate complex technical findings into concise risk narratives for non-technical stakeholders, ensuring that security investments are prioritized alongside product features and revenue initiatives.