Staff Product Security Engineer

The role in a nutshell:

You are a deeply technical engineer who gets restless when pipelines aren't locked down. You care about shipping secure software! At Chainguard, you won't be a gate at the end of the process; you'll be embedded in it.

This is an individual-contributor Staff role. That means technical leadership, cross-team influence, and owning hard problems.

What you'll do:

Build & Harden Secure Pipelines

• Design, build, and maintain secure CI/CD pipelines with security gates that catch issues before they reach production.
• Systematically, consistently and automatically capture the risk exposure of Chainguards products.
• Implement and enforce software supply chain security controls: signed artifacts, SBOMs, provenance attestation (SLSA, Sigstore / Cosign).
• Proactively identify emerging customer security needs, and build solutions to meet these.

Cloud-Native Product Hardening

• Lead security architecture reviews and threat models for Kubernetes-based workloads running on GCP and AWS.
• Harden container images, Kubernetes cluster configurations, and cloud IAM postures — minimising attack surface across our product stack.
• Define and drive adoption of baseline security standards: pod security standards, network policies, workload identity, secrets management.
• Evaluate and operationalise CNAPP / CSPM tooling to maintain continuous visibility into cloud-native risk.

What we're looking for:

Required

• 7+ years in software engineering, security engineering, or a combined role with meaningful hands-on security responsibility throughout.
• Strong proficiency in Go or Python, with the ability to write, review, and debug production-quality code.
• Deep, hands-on experience with Kubernetes in production (cluster hardening, RBAC, network policies, admission controllers).
• Practical expertise with GCP and/or AWS: IAM, workload identity, secrets management, security services (e.g., GCP Security Command Center, AWS Security Hub).
• Proven track record designing and securing CI/CD pipelines (GitHub Actions, Cloud Build, Tekton, or similar).
• Fluency with container security: image scanning, distroless/minimal base images, runtime security.
• Experience with software supply chain security tooling and frameworks (Sigstore, SLSA, SBOM generation).
• Solid understanding of OWASP, NIST, and cloud security frameworks and how to apply them pragmatically.

Nice to Have

• Familiarity with Chainguard Images or other minimal/hardened container base image ecosystems.
• Experience with policy-as-code tools (OPA, Kyverno, Conftest).
• Contributions to open source security projects.