[Remote] Senior Security Engineer
Note: The job is a remote job and is open to candidates in USA. Included Health is a new kind of healthcare company, delivering integrated virtual care and navigation. They are seeking a Senior Security Engineer who will be responsible for designing, implementing, and automating security controls across their application stack and cloud environments, while also proactively identifying vulnerabilities and developing security solutions.ResponsibilitiesDesign, build, and implement Just-in-Time (JIT) access controls and Privileged Access Management (PAM) workflows to eliminate standing privileged accounts in productionConduct platform permission reviews and implement a least-privilege access model for cloud and application rolesEnsure 100% of production access requests and approvals are captured in audit logsLead the implementation, tuning, and operation of security tools in the CI/CD pipeline, including SAST, DAST, SCA, and secrets scanningDevelop custom SAST rules to detect specific, high-risk flaw patterns, such as authorization bypasses or insecure PII/PHI handlingPartner with engineering to deploy IDE plugins and automated PR checks that block sensitive data exposure before deploymentConduct manual security code reviews for high-risk features and cryptographic implementationsDesign, build, and maintain automation for the end-to-end vulnerability management lifecycleEngineer automated workflows to triage, validate, and assign new vulnerabilitiesDevelop and maintain security automation scripts, tools, and services in Python or Go to streamline security operations and compliance checksPartner with SecOps to build high-fidelity SIEM correlation rules and automated response playbooksDesign, implement, and maintain encryption strategies for data at rest and in transit, ensuring PHI is protected in compliance with HIPAAManage the cryptographic key lifecycle and administer key management systemsDesign and implement secure cloud network architectures (VPCs, subnets, security groups, NACLs) and network segmentation strategiesLead the remediation of cloud security findingsImplement and manage a centralized security control planeDesign and implement Data Loss Prevention (DLP) policies for endpoints and cloud services to protect against sensitive data exfiltrationDesign and enforce security configurations and hardening standards for diverse operating systems (macOS, Windows, Linux) via MDM/UEM platformsManage and tune endpoint security solutions, including EDR/XDR (e.g., CrowdStrike)Lead threat modeling sessions for new features and conduct secure design reviews of system architectures, applications, and APIsAct as an embedded security partner and subject matter expert for product and platform teams, providing technical guidance and mentorshipDevelop and manage security programs for emerging risks, including SaaS security and AI securitySkills6+ years of experience in security engineering, with hands-on expertise in both application security and cloud security (AWS strongly preferred)Strong proficiency in at least one scripting or programming language (Python or Go preferred) for security automationDemonstrable experience in two or more of the following core areas: 1) Application & SDLC Security, specifically with SAST, DAST, and SCA tools (e.g., Semgrep, Snyk, Burp Suite) and CI/CD automation; 2) Security Automation & Engineering using SOAR platforms (e.g., Tines) and Terraform; 3) Cloud Security (AWS/GCP) with a focus on designing secure cloud-native services (VPCs, IAM, WAF, CSPM); 4) Identity & Encryption, including JIT access controls, PAM, and cryptographic key lifecycles; or 5) Endpoint & Data Security utilizing EDR/XDR, DLP, and MDM solutionsExperience securing containerized environments (Docker, Kubernetes)Previous experience in healthcare, fintech, or other highly regulated industriesExcellent communication skills, with the ability to explain complex security risks to both technical and non-technical stakeholdersExperience with mobile application security (iOS/Android)Familiarity with AI security principles and governing LLM usageExperience building or managing a SaaS security (SSPM) programBackground in software development, DevOps, or Site Reliability EngineeringExperience with incident response, threat hunting, and forensicsRelevant security certifications such as: CISSP, GIAC certifications (GWAPT, GPEN, GCIH), AWS Certified Security - Specialty or GCP Professional Cloud Security Engineer, OSCP, CEH, or other offensive security certificationsContributions to open-source security projects or active participation in the security communityBenefitsRemote-first culture401(k) savings plan through FidelityComprehensive medical, vision, and dental coverage through multiple medical plan options (including disability insurance)Paid Time Off ("PTO") and Discretionary Time Off ("DTO")12 weeks of 100% Paid Parental leaveFamily Building & Compassionate Leave: Fertility coverage, $25,000 for surrogacy/adoption, and paid leave for failed treatments, adoption or pregnancies.Work-From-Home reimbursement to support team collaboration home office workCompany OverviewIncluded Health provides a combination of virtual care, navigation, and communities-based healthcare services. It was founded in 2011, and is headquartered in San Francisco, California, USA, with a workforce of 1001-5000 employees. Its website is http://www.includedhealth.com.Company H1B SponsorshipIncluded Health has a track record of offering H1B sponsorships, with 2 in 2026, 12 in 2025, 9 in 2024, 8 in 2023, 6 in 2022. Please note that this does not guarantee sponsorship for this specific role.