Staff Security Engineer

About Buildkite At Buildkite, our mission is to unblock every developer on the planet. We’ve rethought how software delivery should work and have built a platform that is fast, reliable, secure, and able to scale to the needs of the most demanding high-growth tech companies globally including Airbnb, Canva, Shopify, PagerDuty, and Lyft. Job Overview This is a new position on a small, high-trust Security team, created to expand our capabilities in two specific areas: Application Security and Adversarial Testing. If you're someone who wants to build these functions rather than inherit them, and get your hands into a technically complex environment from day one, this is the opportunity. The scope for adversarial testing is the entire Buildkite environment — no guardrails on what you're allowed to probe, and plenty of interesting surface area to work with. Buildkite is also investing heavily in AI, which creates an immediate opportunity to build and test AI-powered security systems from the ground up. It's an active area with real work to do, and you'd be shaping how Buildkite approaches it. You'll report to the Head/Principal Security Engineer and work closely with the CTO, the Platform team, the Pipelines team, and the Office of CTO Principals. Security here operates as an enabling and educational function — not the team that says no. The expectation is that you'll collaborate across engineering, investigate under rocks, and help the rest of the company understand and improve its security posture rather than just gate it. 🚀 What You’ll Do Lead Application Security testing projects — most likely AI-assisted — and drive remediation of identified vulnerabilities Design and run adversarial testing campaigns across the full Buildkite environment Build automation for both AppSec and adversarial testing workflows Contribute to AI security: implementing security controls on existing AI systems and evaluating AI-based security tooling Work across teams to embed security thinking into engineering, not bolt it on afterward Help shape Buildkite's security posture as the team grows and the roadmap matures What Success Looks Like 6 Months Meaningful adversarial attacks run against Buildkite, with documented results AppSec vulnerabilities identified and remediated Automation built for both functions — not just processes documented 1 Year AI-driven real-time application vulnerability management in place Real-time adversarial testing, powered by AI, running continuously Security function is materially stronger than when you joined 🎨 What You Bring 5–7 years in security roles with a genuine offensive or AppSec focus Industry-relevant certifications (OSCP or equivalent) — or equivalent demonstrated capability Experience securing AWS and cloud-native environments SaaS application security experience Ruby or Go (you don't need to be a senior engineer, but you need to be able to read, write, and reason about code) Kubernetes and containers experience Nice to have Involvement in the hacking community — conferences, CTFs, published research, and responsible disclosure history Experience building security tooling from scratch rather than just operating existing stacks Hands-on work with AI systems from a security perspective Background at SaaS companies, all-remote companies, or engineering-focused organisations ✨ Why Join Buildkite At Buildkite, we value kindness, autonomy, and collaboration. You'll be joining a remote-first company where your work directly helps some of the world's best engineering teams build and ship software faster and more safely. Competitive compensation and benefits package Flexible, remote-first culture Meaningful technical challenges at scale Opportunities for professional growth, technical leadership, and cross-team influence A collaborative, inclusive, and innovative culture where your ideas make a real impact 🌈 Equal Opportunity Employer At Buildkite, we value diversity and cel ... (truncated, view full listing at source)