Role SummaryYou'll build and own the security infrastructure that keeps Twenty's engineering systems safe without slowing engineers down. This role spans runtime security, access control, secrets management, compliance, and CI/CD hardening - but it's equally about making security the path of least resistance. You'll embed with our engineering teams, design secure-by-default foundations, and build the tooling and automation that lets developers move fast without cutting corners. You'll report directly to the VP of Engineering and operate as a shared function across our product teams.
Who You Are- You believe security should be a force multiplier for engineering, not a gatekeeper.
- You take ownership end-to-end: from identifying a risk to designing the control to shipping the fix.
- You bring high judgment to tradeoffs - you know when to enforce hard controls and when friction kills adoption.
- You communicate clearly with both engineers and non-technical stakeholders, and you translate risk into plain language.
- You prefer automation over policy: if an engineer has to do something manually to stay secure, you see that as a bug.
- You hold a high bar for reliability and auditability in the systems you build.
- You're self-directed and thrive in an environment where the function is new and you're defining it.
What You'll Do- Own runtime security and vulnerability management across cloud and container environments, including triage, prioritization, and remediation tracking.
- Design and enforce identity and access management (IAM) across AWS and internal systems - least-privilege by default.
- Own secrets and credentials management: policies, tooling, rotation, and developer workflows that make doing the right thing easy.
- Lead security incident response: detection, containment, root cause analysis, and durable remediation.
- Manage AWS Organization structure, account boundaries, SCPs, and guardrails.
- Harden and maintain CI/CD pipelines, embedding security scanning and policy enforcement into the software delivery lifecycle.
- Drive compliance efforts - own the evidence, controls, and remediation work to meet and maintain relevant frameworks.
- Build and maintain secure-by-default templates for repos, pipelines, and infrastructure modules.
- Reduce friction through automation: certificate issuance, secrets access, policy-as-code, and developer-facing tooling.
- Produce lightweight, practical security guidance that engineers actually use.
- Shape the direction of the DSO function as it scales, and contribute to hiring and team-building as we grow.
Must Have- 8+ years in DevSecOps, platform security, or a closely related security engineering role.
- Deep hands-on experience with AWS - IAM, SCPs, Organizations, security services (GuardDuty, Security Hub, CloudTrail, etc.).
- Strong IaC experience with Terraform; you've used it to enforce security controls, not just provision infrastructure - and you've layered in policy-as-code tooling (e.g., OPA, Checkov, tfsec) or continuous compliance checks (e.g., AWS Config Rules) to catch drift and misconfigurations.
- Experience owning secrets management end-to-end in a production engineering environment.
- Proven track record designing and hardening CI/CD pipelines (we use GitHub Actions).
- Hands-on experience with container security, including image scanning and runtime controls.
- Experience leading or meaningfully contributing to a compliance program; CMMC Level 2 (or NIST SP 800-171) experience strongly preferred.
- You've run incident response - you've been on call, you've led the post-mortem, and you've shipped the fix.
- Strong communication skills and the ability to drive security adoption through enablement, not mandates.
Nice To Have- Experience growing a DSO or security engineering function - expanding scope, tooling, and team.
- Familiarity with observability tooling and using it for security signal (we use the LGTM stack).
- Background in configuration management tooling (Ansible or similar).
- Experience with developer-facing security platforms or internal tooling that improved engineering workflows.
- Interest in growing into a lead or manager role as the team scales.
Tech Environment (You Might Work With)- Cloud: AWS (primary), Terraform for IaC, Ansible for configuration management
- Containers: Docker, Docker Compose
- CI/CD: GitHub Actions
- Vulnerability scanning: Trivy
- Observability: Grafana, Loki, Tempo, Mimir (LGTM stack)
- Alerting / on-call: PagerDuty
- Languages in use across engineering: Go, TypeScript/Node, React, Python
Security / Work EnvironmentThis role requires eligibility to obtain and maintain a U.S. Government security clearance. This role may involve work in a controlled environment.
Benefits What's on the table:
- Health. Medical, dental, and vision plan options. Life / AD&D, disability coverage options.
- Family. Paid parental leave for eligible full-time employees. 12 weeks for birthing parents, 4 for non-birthing parents, 6 weeks for adoptive, foster, or intended parents through surrogacy.
- Vacation. Paid holidays and flexible PTO. Take what you need.
- Retirement. 401(k) with pre-tax and Roth options. HSA/FSA options, dependent care FSA.
- At the office. Commuter benefits. On-site garage parking. Bike storage. Building fitness center. Desk setup stipend.
Benefits vary by location, role, and eligibility. Full plan details provided during the interview and offer process.
If this role sounds like you, apply and share with us your interest. 
