STORD

Staff Site Reliability Engineer, Security

$130K – $160K *
Remote in United States (US-Anywhere)
Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • 5-7 years of experience in Site Reliability Engineering, with a focus on security
  • Deep knowledge of GCP and GKE security practices
  • Hands-on experience with Dependabot configuration and secret scanning
  • Proficiency in CI/CD supply chain security and applicable models
  • Strong background in Infrastructure-as-Code (Terraform) and automation development
  • Experience with systems-level technical troubleshooting
  • Proven track record in creating operable tools and workflows

Responsibilities

  • Write and maintain security tooling and automation for the SRE team
  • Design and implement Cloud Security Posture Management processes
  • Establish workflows for vulnerability and dependency remediation
  • Integrate security tools into CI/CD pipelines to enhance supply chain integrity
  • Create Terraform modules and other resources for team use
  • Document security practices and create self-service tools
  • Collaborate with cross-functional teams on security initiatives

Benefits

  • Opportunity to define and build a comprehensive security program
  • Ability to implement security practices and see immediate impacts
  • Collaboration with a lean and driven SRE team
  • Focus on innovative and timely security challenges
  • A chance to make measurable contributions early in your tenure
Full Job Description
We are seeking a scrappy, high-ownership Staff Site Reliability Engineer (SRE) to join our lean, fast-moving SRE team. This is a security-focused engineering role rather than a policy or audit one. You'll write code, build automation, integrate scanners into CI/CD, ship Terraform modules the rest of the team can adopt, and drive Dependabot triage with engineering teams. Together, you'll define what "secure by default" actually looks like in our GCP environment and GitHub organization, then make it operational.

**Why This Role**

  • **A clear charter with a foundation to build on.** Cloud security posture, vulnerability/dependency management, and security solution engineering are yours. The pieces exist (scanners, IAM controls, edge protections, GitHub baselines), but no one has stitched them into a coherent program. You will.
  • **Build the program, then scale it through the team.** You're shipping security tooling, automation, and IaC modules the rest of SRE can run. The work scales through the team rather than centralizing on one person.
  • **Real platform surface area.** You're working across GKE workloads, Istio mesh, Cloud Armor, Cloudflare edge, GitHub Actions supply chain, and GCP IAM. The kind of stack with enough surface area that you can make a measurable impact in your first quarter.
  • **High-signal moment in the industry.** Post-Shai-Hulud, post-XZ, post-everything: CI/CD supply chain hardening, secret management, and short-lived credentials are no longer aspirational. You'll be implementing security best practices, not just documenting them.

**What You'll Build**

**Cloud Security Posture Management**

  • Assess and harden Stord's GCP footprint (GKE, IAM, Cloud Armor), and codify the baseline in Terraform and policy-as-code where it makes sense.
  • Build continuous posture monitoring against that baseline, with a published gap list and remediation schedule.
  • Drive the evaluation, integration, and rollout of new security tooling as the program matures. You'll lead the conversations and recommendations on what we adopt, what we build in-house, and what we sunset.

**Vulnerability and Dependency Management**

  • Establish and automate the vulnerability and dependency remediation workflow across engineering teams: triage cadence, ownership model, severity-based SLAs, and the tracking infrastructure that drives closure.
  • Own Dependabot configuration and triage workflows across our GitHub organization, plus secret scanning, push protection, and response workflows for any secrets that surface.
  • Build supply-chain controls into CI/CD: provenance, dependency review, lockfile policies, build attestation where it pays off.
  • Wire container image scanning and DAST/network scanning programs into the same workflow so vulnerabilities don't slip through the cracks between layers.

**Security Solutions Engineering**

  • Build security capabilities that the broader SRE team can run as part of their normal operating model: Terraform modules, Cloud Armor rules, Istio authorization policies, Cloudflare configuration, scanner pipelines, and custom automation that fills gaps in off-the-shelf tooling.
  • Ship documentation, runbooks, and self-service tooling that make your designs portable to the rest of the team, so the program continues to function smoothly through handoffs and rotations.
  • Set the engineering bar for security work inside SRE: code review standards, IaC patterns, "secure by default" templates for new services.
  • Partner cross-functionally with engineering teams on app security questions, IT on identity and endpoint boundaries, and IT/compliance on occasional SOC 2 evidence pulls, without owning those domains.

**What We're Looking For**

**Required**

  • **Deep GCP and GKE security experience.** You've hardened production Kubernetes on GCP: workload identity, RBAC, network policies, Pod Security Standards, image provenance. You know where the sharp edges are and which knobs actually matter.
  • **Dependabot and secret scanning at scale.** Hands-on with Dependabot configuration, triage workflows, and remediation tracking. Comfortable rolling out GitHub secret scanning organization-wide, including push protection and response workflows for found secrets.
  • **CI/CD supply chain hardening.** You've designed or operated controls against the threat model that produced Shai-Hulud, XZ, and SolarWinds. Familiar with SLSA, provenance, Sigstore, and the trade-offs between rigor and developer friction.
  • **Cloud security posture management in practice.** You've stood up CSPM (built-in, commercial, or open source), defined a baseline, and driven remediation, with an eye for separating real signal from dashboard noise.
  • **Infrastructure-as-code and automation fluency.** Comfortable with Terraform for cloud resources and writing code (Python, Go, shell, or similar) to automate security workflows, integrate tools, and build in-house capabilities when off-the-shelf options fall short.
  • **Systems-level technical fluency.** You can reason about how the platform pieces fit together (GKE workloads, networking, edge, CI/CD) and debug security-relevant infrastructure problems alongside the broader SRE team.
  • **Track record of designing for operability.** You've shipped tools and workflows that other engineers actually adopt and rely on day-to-day.

**Required Soft Skills**

  • **Ownership & Accountability.** You own features end-to-end and take pride in what you ship. You follow through from design to production and don't drop things.
  • **Strong Communication.** You can explain technical decisions and trade-offs to engineers, PMs, and stakeholders. You ask good questions and listen well.
  • **Collaborative Approach.** You work well with others, give constructive code review feedback, and actively seek input from teammates.
  • **Production Mindset.** You prioritize reliability and user impact. You think about failure modes, monitoring, and operational concerns as part of your design process.
  • **Learning Agility.** You're comfortable with rapidly evolving AI/ML technologies and tools. You stay current without chasing hype.
  • **Directed AI-Assisted Development.** You know how to use AI coding tools as a productivity multiplier while maintaining quality and your own technical judgment.

**Strongly Preferred**

  • **Container and image scanning.** Production experience integrating image scanners into CI/CD and registry workflows, with thoughtful handling of vulnerability data freshness and triage.
  • **DAST and network scanning programs.** OWASP ZAP, nmap, or commercial equivalents, built into a repeatable internal audit cadence rather than one-off exercises.
  • **Cloudflare edge security.** WAF rules, rate limiting, bot management, and how that fits with origin-side Cloud Armor.
  • **Detection engineering on GCP.** Logs Explorer, BigQuery-backed security analytics, and alert tuning that keeps the on-call experience humane.

**Nice to Have**

  • Prior experience standing up a security program inside an SRE or platform team, taking partial foundations and making them coherent.
  • Familiarity with the current supply-chain threat landscape and recent CISA guidance (post-Shai-Hulud token guidance, M-22-18 / SSDF, etc.).
  • Contributions to open-source security tooling or published security research.

**What Success Looks Like**

  • **30 days:** You've ramped on Stord's GCP footprint, GitHub configuration, and existing security tooling. You've identified the top three posture gaps and the top three CI/CD supply chain risks, and you've socialized them with SRE leadership.
  • **90 days:** The vulnerability and dependency remediation workflow is live with at least one engineering team as a pilot, including triage cadence, ownership model, and remediation tracking against documented SLAs.
  • **6-12 months:** The remediation workflow is rolled out across engineering. A documented cloud security posture baseline exists, with a prioritized gap list under active remediation on a published schedule. The broader SRE team is operating security tooling you designed without you being in the loop on every alert.

About STORD

STORD is a cloud-based warehousing and distribution network that provides modern logistics infrastructure for businesses of all sizes. The company's platform connects a network of warehouses across the United States and provides businesses with real-time visibility, control, and optimization of their inventory and supply chain operations. STORD's mission is to empower businesses with the technology and infrastructure they need to compete in today's fast-paced, global economy.
Size
100 employees