Staff Security Engineer

Bloomreach is building the world’s premier agentic platform for personalization .We’re revolutionizing how businesses connect with their customers, building and deploying AI agents to personalize the entire customer journey. We're taking autonomous search mainstream, making product discovery more intuitive and conversational for customers, and more profitable for businesses. We’re making conversational shopping a reality, connecting every shopper with tailored guidance and product expertise — available on demand, at every touchpoint in their journey. We're designing the future of autonomous marketing , taking the work out of workflows, and reclaiming the creative, strategic, and customer-first work marketers were always meant to do. And we're building all of that on the intelligence of a single AI engine — Loomi AI — so that personalization isn't only autonomous…it's also consistent.From retail to financial services, hospitality to gaming, businesses use Bloomreach to drive higher growth and lasting loyalty. We power personalization for more than 1,400 global brands, including American Eagle, Sonepar, and Pandora. The Staff Security Engineer owns current and target-state data architectures and reporting while also designing, implementing, and monitoring cloud (AWS/GCP) infrastructure security controls; deploying, securing, configuring, and operating SIEM and other security resources; identifying, triaging, and remediating infrastructure and web vulnerabilities; leading incident triage and external-researcher engagement; and mentoring junior staff. Your salary starts from €4000 gross per month with restricted stock units and other benefits included. You can work in one of our Central Europe offices (Bratislava, Brno, Prague) or from home in Central and Eastern Europe on a full-time basis. Role summary and core responsibilities 6+ years of relevant experience; candidates must demonstrate proficiency in cloud security, network security, URL filtering, common security frameworks, and CVE lifecycle management; practical IaC and scripting for automation; strong cross-functional and external communication; and experience mentoring junior staff. Technical Skills: Hands-on cloud security for AWS and GCP : design secure architectures, perform threat modeling, apply platform-native controls, and build/validate secure IaC. SIEM ownership and detection engineering : deploy, configure, tune, and maintain SIEM; author and test detection rules and playbooks; integrate data sources; and operate with SLA-driven alerting and incident workflows. Vulnerability and incident lifecycle ownership : identify, triage, and remediate infrastructure and web vulnerabilities Drive CVE lifecycle management and patching : perform root cause analysis and measure MTTR and remediation rates. Network, web, and endpoint protections : design and manage firewalls, WAFs, cloud network controls, URL/web filtering, with demonstrable operational experience. Secure automation and tooling : author automation for detection, alert enrichment, and remediation; build or extend security tooling using scripting or languages such as Python, Go, or Bash. Infrastructure as code and secure CI pipelines : implement guardrails and policy-as-code in CI/CD pipelines, perform static IaC scanning, and enforce security baselines before deployment. Detection, telemetry, and observability : define logging and telemetry requirements, ensure coverage for critical assets, and validate detection efficacy and alert fidelity. Security standards, playbooks, and enforcement : develop, document, and operationalize organization-wide security standards, runbooks, and playbooks; partner with engineering pillars to ensure adoption. Threat-informed defensive engineering : apply threat modeling and adversary-focused testing to guide controls, detection, and resilient designs. Cross-functional and external communication : communicate clearly with engineering teams, leaders ... (truncated, view full listing at source)