Job Family:
Cyber Engineering (CYS)
Travel Required:
Up to 10%
Clearance Required:
None
What You Will Do:
We are hiring a senior engineer to maintain and extend a large full-stack Governance, Risk, and Compliance platform. The product is not a simple scanner wrapper. The current codebase includes a substantial FastAPI backend, a React/TypeScript frontend, a PostgreSQL data model, an async worker system, scanner integrations, an AI provider abstraction, a compliance framework catalog, audit/reporting workflows, and local/cloud deployment infrastructure.
The ideal candidate can work confidently across backend services, frontend workflows, database migrations, security controls, AI-assisted analysis, scanner ingestion, and production operations.
- Maintain and extend a FastAPI backend with hundreds of registered API routes.
- Build and refine React/TypeScript product workflows across a large frontend surface.
- Design and maintain SQLAlchemy models, Alembic migrations, PostgreSQL queries, and data integrity rules.
- Support scanner integrations, finding normalization, deduplication, evidence workflows, and compliance mapping.
- Maintain AI-assisted features through a centralized provider abstraction rather than direct calls to providers.
- Work across GRC workflows including findings, evidence, SSPs, POA&Ms, RMF, FedRAMP/FISMA, SCRM, ZTA, ISCM, risk acceptance, and reporting.
- Keep local development and test environments healthy using Docker Compose, Redis, PostgreSQL, worker queues, Ollama, observability services, and frontend tooling.
- Maintain quality gates including linting, type checking, OpenAPI drift checks, migration safety, SDK drift, architecture boundaries, and test suites.
- Debug issues across frontend state, API contracts, database state, workers, scanner output, generated SDKs, and deployment configuration.
- Treat documentation as helpful but secondary to the codebase; validate assumptions against source, tests, migrations, and running behavior.
What You Will Need:
- Minimum of SIX (6) years' experience with Python backend development.
- Strong FastAPI, Pydantic, SQLAlchemy, Alembic, async Python, and pytest experience.
- Strong React, TypeScript, Vite, React Router, React Query, and component architecture experience.
- PostgreSQL experience, including schema design, migrations, indexes, JSON/JSONB, and relational integrity.
- Experience maintaining large API surfaces and generated frontend API clients.
- Experience with background jobs or async workers using Redis-backed queues.
- Strong security engineering fundamentals: authentication, authorization, RBAC, audit logs, secret handling, dependency risk, and input validation.
- Ability to diagnose source-of-truth issues when documentation, generated code, database schema, and runtime behavior disagree.
Security/GRC Domain Skills To Include
- Vulnerability findings and remediation workflows.
- Evidence collection and evidence sufficiency.
- SSPs, POA&Ms, control mappings, audit packages, and risk acceptance.
- NIST 800-53, RMF, FedRAMP/FISMA, CMMC, SCRM, ZTA, ISCM, and related compliance concepts.
- Scanner output from tools such as cloud security scanners, vulnerability scanners, SAST/IaC tools, secret scanners, identity/M365 scanners, and web security scanners.
- Provenance, auditability, and defensibility requirements for regulated workflows.
AI/LLM Product Skills To Include
- Experience building AI-assisted product features, preferably in security, compliance, document review, or workflow automation.
- Understanding of RAG, embeddings, document extraction, prompt/context design, and evidence citation.
- Ability to enforce scoped context, provenance, guardrails, and human-review boundaries.
- Comfort maintaining provider abstractions across local and cloud AI providers.
Infrastructure And Operations Skills To Include
- Docker Compose for local development.
- AWS-style production operations: containers, managed databases, caches, object storage, CDN, IAM, logs, and deployment pipelines.
- Terraform or similar infrastructure-as-code experience.
- CI/CD debugging and release discipline.
- Observability, logs, health checks, and operational runbooks.
What Would Be Nice To Have:
- Prior experience with GRC, audit automation, security consulting tools, vulnerability management, FedRAMP/FISMA, or SSP/POA&M workflows.
- Experience with generated OpenAPI SDKs.
- Experience producing PDF, Excel, DOCX, PowerPoint, or audit package exports.
- Experience with immutable audit logs, provenance chains, multi-tenant permissions, or evidence workflows.
The annual salary range for this position is $86,500.00-$129,900.00. Compensation decisions depend on a wide range of factors, including but not limited to skill sets, experience and training, security clearances, licensure and certifications, and other business and organizational needs.
What We Offer:
Guidehouse offers a comprehensive, total rewards package that includes competitive compensation and a flexible benefits package that reflects our commitment to creating a diverse and supportive workplace.
Benefits include:
Medical, Rx, Dental & Vision Insurance
Personal and Family Sick Time & Company Paid Holidays
Parental Leave
401(k) Retirement Plan
Group Term Life and Travel Assistance
Voluntary Life and AD&D Insurance
Health Savings Account, Health Care & Dependent Care Flexible Spending Accounts
Transit and Parking Commuter Benefits
Short-Term & Long-Term Disability
Tuition Reimbursement, Personal Development, Certifications & Learning Opportunities
Employee Referral Program
Corporate Sponsored Events & Community Outreach
Care.com annual membership
Employee Assistance Program
Supplemental Benefits via Corestream (Critical Care, Hospital Indemnity, Accident Insurance, Legal Assistance and ID theft protection, etc.)
Position may be eligible for a discretionary variable incentive bonus