Avertra's mission is to Simplify Life — automating complex decision-making for customer-centric industries including Utilities, Financial Services, Logistics, and Commerce, while directly improving the employee and customer experience.
What We Promise You:
- A global family building a sustainable, scalable ecosystem guided by logic and empathy.
- A clearly-scoped, high-impact mandate, ship real controls, not just reports.
- Genuine investment in your growth and mastery of your domain.
The Security Engineer is responsible for building the runtime, detection, and application-security layers that carry Avertra into SOC 2 and PCI DSS 4.0 compliance, partnering with the in-house DevOps team on Avertra’s Azure / AKS platform (TypeScript / React / Node application landscape, including billing and guest-payment flows in PCI scope).
The role owns security design, detections and rules, application-security testing, the vulnerability management program, vendor remediation, and control evidence. DevOps owns the CI/CD pipeline, AKS, and infrastructure execution; a fractional vCISO and GRC platform own the audit itself, this role supplies and maintains the evidence for the controls it builds.
Main Job Responsibilities
- Application Security Testing
- Introduces and tunes DAST against running applications; triages findings and drives fixes.
- Deploys and owns a semantic SAST engine tuned for TypeScript / React / Node; owns the rules, triage, and merge-block policy.
- Detection Engineering & Response
- Builds the detection layer on the SIEM: correlation rules, alerts, and incident playbooks.
- Defines and tunes runtime workload detection in AKS and file-integrity monitoring.
- Owns what is detected and how the organization responds, while DevOps stands up SIEM infrastructure, log shipping, and agent deployment.
- Edge & Network Controls
- Owns the WAF ruleset: tunes the OWASP ruleset, defines exceptions, and confirms Prevention mode and that logs reach the SIEM.
- Vulnerability Management as a Program
- Stands up a vulnerability aggregator: dedups across scanners, assigns owner and risk-based SLA per finding, drives ticketing, and surfaces SLA breaches on a dashboard.
- Defines secret-scanning policy (pre-commit and history sweep) and unifies the release gate across all scanners.
- Assurance & Evidence
- Manages the ASV scan and annual penetration-test vendors; triages results and drives remediation.
- Produces and maintains evidence for owned controls, alongside the vCISO and GRC platform, to support SOC 2 Type II and PCI DSS 4.0 assessments (supports, but does not run, the audit).
Requirements
Needed Competencies
- Technical expertise integrating and tuning security scanners in CI/CD pipelines (Azure DevOps ideal): SAST, DAST, SCA, secrets, IaC.
- Technical expertise in DAST (OWASP ZAP or equivalent) and semantic SAST engines (Semgrep / CodeQL) on TypeScript / React / Node codebases.
- Technical expertise in SIEM detection engineering (Microsoft Sentinel and/or Wazuh / Elastic): writing detections, correlation, alert tuning, and playbooks.
- Technical expertise in Kubernetes / AKS security and runtime detection (Falco / Defender for Containers), network policies, and Pod Security Standards.
- Technical expertise in vulnerability management: aggregation / dedup, risk-based SLAs, and triage (DefectDojo or equivalent).
- Technical expertise in Azure security fundamentals: Defender for Cloud, Entra ID / RBAC, Key Vault, and edge WAF (OWASP ruleset).
- Solid grounding in OWASP Top 10, TLS / PKI, authentication protocols, and API security.
- Strong decision-making capabilities to weigh the relative costs and benefits of controls and prioritize risk-based remediation.
- Ability to produce clean, audit-ready evidence for SOC 2 and/or PCI DSS control requirements (supporting, not running, the audit).
- Builder’s mindset: OSS-first, iterating toward managed services.
- Clear communicator: able to translate risk for engineers and executives, with strong written English and documentation.
- Collaborative: drives secure-by-default practices through the DevOps and engineering teams rather than owning infrastructure directly.
Education
- Bachelor’s on Computer Science, Information Technology, or a related field is recommended as a reasonable default, to be confirmed.
Experience
- 4–7 years in security engineering, DevSecOps, or application security, with hands-on experience building and tuning security controls. Comfortable partnering with DevOps / platform teams rather than owning infrastructure directly.
Knowledge, Skills and Abilities
- Excellent written and spoken English; able to translate risk clearly for both engineers and executives.
- Experience preparing an organization for a first SOC 2 Type II or PCI DSS assessment (nice-to-have).
- Familiarity with GRC / continuous-compliance platforms (Vanta, Drata); policy-as-code (OPA / Conftest); threat modeling (nice-to-have).
- Preference for OSS-first security tooling with a managed Azure-native upgrade path.
- Effective listening and multi-tasking capabilities across concurrent security workstreams.
Preferences
- Certified Kubernetes Security Specialist (CKS)
- Microsoft SC-200
- Microsoft AZ-500
- OSCP
- CEH
- PCI ISA / PCIP
- CISSP / CISM
Travel
Work Schedule
- Monday–Friday, 10:00 AM – 7:00 PM (or as agreed). Hybrid work model, demand-based.