Proofpoint

Principal Engineer - Risk Management & Threat Modeling

Proofpoint | $200K - $293K * | Information Technology | 10+ years of experience
Full Job Description
Location: Sunnyvale, CA
Department: Information Security
Reports To: Chief Information Security Officer (CISO)

Role Overview

Proofpoint is seeking a Principal Engineer - Risk Management & Threat Modeling to serve as one of the company's most senior technical leaders for cybersecurity risk and security architecture analysis. This role combines deep technical expertise, strategic business influence, and cross-functional leadership to shape and mature Proofpoint's enterprise cyber risk posture across corporate systems, cloud infrastructure, SaaS products, and AI-powered services.

As a Principal Engineer, you will establish technical direction for cyber risk assessment, threat modeling, and AI risk management capabilities. You will partner closely with Product Security, Engineering, Enterprise Architecture, and executive leadership to identify emerging threats, quantify business risk, and drive secure-by-design outcomes at scale.

This role is highly visible across the organization and requires the ability to translate complex technical and architectural risks into actionable guidance for executives, engineering teams, customers, and board stakeholders. A key focus area will be advancing Proofpoint's security posture for AI-enabled products, agentic systems, and large language model (LLM) integrations while enabling innovation and business growth.

Key Responsibilities

Enterprise Cyber Risk Leadership
  • Provide technical leadership for enterprise cyber risk management across corporate, cloud, and product environments.
  • Define and evolve data-driven risk assessment methodologies using FAIR, NIST, and ISO frameworks.
  • Establish measurable risk metrics, KRIs, and reporting that support executive decision-making.
  • Partner with engineering, product, and business stakeholders to drive risk treatment and remediation.
  • Serve as a senior technical authority for risk analysis and risk acceptance decisions.

Threat Modeling & Security Architecture
  • Lead threat modeling for enterprise platforms, cloud-native architectures, SaaS applications, and customer-facing services.
  • Define and scale threat modeling practices using STRIDE, PASTA, MITRE ATT&CK, and related methodologies.
  • Identify attack surfaces, trust boundaries, and architectural weaknesses through analysis of distributed systems.
  • Partner with Product Security and Engineering to integrate threat modeling into architecture reviews and the SDLC.
  • Develop reusable threat models, reference architectures, and security design guidance.

AI & Agentic Security Risk
  • Lead security assessments and threat modeling for AI-enabled products, LLM integrations, and agentic workflows.
  • Identify attack surfaces, trust boundaries, and threats involving prompt injection, excessive agency, model compromise, training data poisoning, and data exposure.
  • Partner with Product Security, Engineering, and Architecture to embed security throughout the AI development lifecycle.
  • Evaluate risks associated with AI models, tool integrations, retrieval systems, and agent communications.
  • Define measurable security requirements aligned with NIST AI RMF, ISO 42001, OWASP LLM Top 10, and MITRE ATLAS.
  • Develop reusable AI security patterns and assessment methodologies that enable secure AI adoption.

Executive & Board-Level Risk Communication
  • Develop data-driven, executive-ready risk narratives that clearly communicate technical risk in business terms.
  • Support preparation of cyber risk briefings for the CISO, executive leadership team, Board of Directors, and Audit Committee.
  • Present threat modeling findings, emerging risks, AI security concerns, and architectural risk trends to senior stakeholders.
  • Provide strategic guidance regarding evolving threat landscapes and their potential business impact.

Technical Leadership & Influence
  • Drive cybersecurity strategy and technical direction through influence rather than organizational authority.
  • Mentor security architects, engineers, and technical leaders across the organization.
  • Build scalable programs, frameworks, and repeatable processes that improve measurable security maturity.
  • Foster a culture of secure-by-design engineering and data-driven, risk-informed decision making.


Qualifications

Required Qualifications
  • Bachelor's degree in Computer Science, Information Security, Engineering, or related field.
  • 10+ years of cybersecurity experience in risk management, security architecture, product security, or cloud security.
  • Expertise with NIST, FAIR, ISO, and quantitative risk assessment methodologies.
  • Experience conducting threat modeling, risk analysis, and security assessments in enterprise and cloud environments.
  • Strong understanding of AWS, Azure, GCP, and associated security risks.
  • Experience securing AI/ML systems, LLM integrations, or agentic architectures.
  • Strong analytical skills with the ability to derive actionable risk insights from technical data.
  • Knowledge of MITRE ATT&CK and threat-informed defense methodologies.
  • Excellent communication and influence skills across executive and technical audiences.

Preferred Qualifications
  • Experience supporting FedRAMP authorization efforts and government compliance programs.
  • Experience with AI governance programs and emerging AI security standards.
  • Background in product security, application security, or secure software development.
  • Experience supporting M&A cybersecurity due diligence and integration activities.
  • Experience developing quantitative cyber risk programs using FAIR or similar methodologies.
  • Relevant certifications such as CISSP, CRISC, CISM, CCSP, CGEIT, SABSA, or AI-focused security certifications.


Key Success Attributes
  • Recognized technical authority in cyber risk management, threat modeling, and risk analytics.
  • Strategic thinker who translates technical risk into measurable business impact.
  • Strong executive presence with the ability to influence leaders across the organization.
  • Data-driven and analytical, using evidence to prioritize risk and drive outcomes.
  • Pragmatic and risk-focused, balancing security, innovation, and business agility.
  • Effective collaborator who builds alignment through clear communication and partnership.
  • Passion for solving complex security challenges in cloud, SaaS, AI, and agentic environments.

Why Proofpoint?

At Proofpoint, we believe that an exceptional career experience includes a comprehensive compensation and benefits package. Here are just a few reasons you'll love working with us:

  • Competitive compensation
  • Comprehensive benefits
  • Career success on your terms
  • Flexible work environment
  • Annual wellness and community outreach days
  • Always-on recognition for your contributions
  • Global collaboration and networking opportunities


Base Pay Ranges:

SF Bay Area, New York City Metro Area:
Base Pay Range: 200,300.00 - 293,810.00 USD

California (excludes SF Bay Area), Colorado, Connecticut, Illinois, Washington DC Metro, Maryland, Massachusetts, New Jersey, Texas, Washington, Virginia, and Alaska:
Base Pay Range: 167,300.00 - 245,355.00 USD

All other cities and states excluding those listed above:
Base Pay Range: 152,900.00 - 224,235.00 USD

About Proofpoint

Proofpoint is a cybersecurity company that provides cloud-based solutions for threat protection, compliance, governance, and secure communication. The company's products include email security, advanced threat protection, information protection, digital risk protection, and compliance and archiving. Proofpoint serves customers in various industries, including healthcare, financial services, government, and education. The company was founded in 2002 and is headquartered in Campbell, California.
Size: 3,658 employees
Market Cap: $10 billion
Net Income: -$163.8 million
Founded: 2002
5 Year Trend: +31.7%
Revenue: $1 billion
Exchange: NASDAQ
