
Staff Security Engineer

Jessup, PA · Seattle, WA · Remote | Full-Time

Own security at Riivet end to end: product, infrastructure, data, and compliance. First dedicated security hire reporting to the founder.

About the role

Riivet handles sensitive insurance claim data for restoration contractors, and our customers will increasingly ask us hard security questions. As the first dedicated security hire, you will set the strategy and ship the work yourself — product hardening, data protection, pentest coordination, vulnerability management, and the controls that get us a clean SOC 2 Type II report. You will partner closely with engineering, run our relationship with external auditors and pentesters, and own the answer when a prospect's security team sends a 300-question questionnaire.

What you'll do

  • Own application and product security across the Next.js web app, Cloudflare Worker, and mobile clients
  • Harden our Supabase and Postgres layer — RLS policy review, tenant isolation testing, secrets hygiene
  • Run and respond to penetration tests, bug bounties, and vulnerability scans; drive remediation to close
  • Own SOC 2 Type II readiness: controls, evidence collection, policy upkeep, auditor coordination
  • Lead threat modeling on new features and build security into our development lifecycle
  • Own incident response: on-call rotation, playbooks, post-mortems, and customer communication
  • Handle inbound security questionnaires and procurement reviews with enterprise prospects
  • Set and enforce our secrets rotation, access control, and vendor security review cadence

What we're looking for

  • 7+ years in security engineering, with real depth in application and cloud security
  • Strong hands-on coding ability — you can read a TypeScript codebase and send a pull request, not just file a ticket
  • Experience taking a SaaS product through SOC 2 Type II (or ISO 27001) as a practitioner, not a consultant
  • Working knowledge of Postgres RLS, JWT-based auth, and common SaaS multi-tenant pitfalls
  • Track record of running a pentest program and resolving findings end to end
  • Clear written communication — you can explain a threat model to an engineer and a risk to a buyer

Nice to have

  • Direct experience with Supabase, Cloudflare Workers, or edge runtimes
  • Background in handling regulated data (insurance, healthcare, finance)
  • OSCP, CISSP, or equivalent certifications
  • Experience building out an internal security program from zero
  • Comfortable presenting to prospect CISOs and security teams on sales calls

What we offer

  • Meaningful equity
  • Competitive senior-engineer salary
  • Health, dental, and vision coverage
  • Budget for certifications, training, and tooling of your choice
  • Remote work with team weeks in Jessup, PA and Seattle, WA
  • Full ownership of a function that will define whether we win enterprise deals

Apply for this role

Your application goes directly to the founder.
