Information Security Engineer

Workstream is a mission-driven company building the all-in-one HR, payroll, and hiring platform for managing the hourly workforce. There are 2.7 billion hourly workers, making up 80% of the global workforce, but this market has been heavily underserved by technology and deserves better. Workstream has been purpose-built for the hourly workforce from day one so that these businesses and their employees can thrive.

Our customers include leading brands from multiple sectors, including Burger King, Carl's Jr./Hardee's, IHOP, KFC, and Culvers. We are a high growth series B company and quickly expanding our product portfolio to deliver on our vision. We are backed by legendary VCs and industry experts like Founders Fund, BOND, and Coatue.

Grow With Us

We are seeking a Security Engineer who is, at heart, a builder. In this role, you won't just be running scans or writing policies; you will be writing code, fixing vulnerabilities, and architecting secure infrastructure alongside our engineering teams.

You will act as the primary "Blue Team" lead, defending Workstream against threats while collaborating with external Red Team communities to stay sharp. Your scope is holistic: you will cover Application Security, Infrastructure Security, and Corporate Security, ensuring that security is baked into our DNA, not bolted on at the end.

This is a full-time, office-based role requiring presence 5 days a week to foster close collaboration with cross-functional teams — Monday, Tuesday, and Friday at the Menlo office, and Wednesday and Thursday at the San Francisco office.

Day in the Life

Application Security (AppSec)

• Embed yourself in the software development lifecycle (SDLC). Perform code reviews and architectural analysis for new features in Node.js and Ruby on Rails.

• Work side-by-side with software engineers to locate, triage, and fix security vulnerabilities (e.g., XSS, SQLi, IDOR) directly in the codebase.

• Build and maintain automated security tooling (SAST/DAST) in our CI/CD pipelines.

• Secure AI/ML integrations and APIs, including protection against prompt injection, model poisoning, and data exfiltration through AI interfaces

• Review and secure implementations of large language models (LLMs) and other AI services used in the platform

Infrastructure & Cloud Security

• Harden our cloud infrastructure (AWS/GCP/Azure) using Infrastructure-as-Code (Terraform/CloudFormation).

• Design and implement secure networking, IAM policies, and container security (Kubernetes/Docker).

• Monitor system logs and alerts to detect and respond to anomalies in real-time.

Blue Teaming & Incident Response

• Act as the internal Blue Team lead. Collaborate with external Red Teams and bug bounty researchers to understand the latest attack vectors.

• Translate Red Team findings into concrete engineering tasks and defensive measures.

• Lead incident response simulations (Tabletops) and actual response efforts during security events.

Corporate Security

• Oversee internal company security posture, including endpoint protection, identity management (Okta/SSO), and zero-trust networking access.

• Conduct security training for employees to foster a culture of security awareness.

• Design security architecture supporting multi-state and multi-jurisdiction data residency requirements

• Collaborate with legal and other teams on data breach notification procedures and requirements across multiple jurisdictions

• Maintain security documentation for SOC 2 Type II audits and other compliance frameworks

Who You Are

Technical Qualifications

• Engineering Background: You have a strong background in software engineering. You are comfortable reading and writing production-level code, specifically in Node.js and Ruby on Rails.

• Holistic Security Experience: 3+ years of experience covering the "Security Trinity": Software Security, Infrastructure Security, and Corporate/IT Security. Experience in SaaS, fintech, or HR technology environments strongly preferred.

• Vulnerability Remediation: Proven track record of not just finding bugs, but working with engineers to solve them. You understand how to implement fixes without breaking functionality.

• Cloud Native: Deep experience securing modern cloud environments (AWS preferred) and containerized applications.

• HR/Payroll Security Understanding: Familiarity with security challenges specific to HR and payroll systems, including protection of sensitive employee data (PII, SSN, wage information), multi-tenant architecture security, and regulatory compliance requirements for employment data.

• AI/ML Security: Understanding of AI security principles including model security, training data protection, prompt injection vulnerabilities, AI-powered threat detection, and emerging AI-specific attack vectors. Familiarity with AI governance frameworks and responsible AI practices.

Collaborative & Mindset

• Red Team Aware, Blue Team Focused: You actively follow Red Team communities (CTFs, DefCon, Bug Bounties) to understand the attacker mindset, but your passion lies in building the defense (Blue Team) to stop them.

• Empathy for Engineers: You understand that "perfect security" shouldn't destroy developer velocity. You focus on guardrails, not gates.

• Communication: Ability to explain complex security risks to non-technical stakeholders and provide clear technical guidance to developers.

Bonus Points

• Active participation in Bug Bounty programs or CTF competitions.

• Experience with compliance frameworks (SOC 2, ISO 27001, HIPAA).

• Certifications such as OSCP (Offensive Security Certified Professional) or CISSP.

• Experience securing Open APIs.

• Experience with multi-tenant SaaS security architecture

• Background in fintech, HR technology, or payroll systems security

• Familiarity with state-specific data residency and privacy requirements

• Knowledge of AI security frameworks

• Understanding of AI bias, fairness, and discrimination issues in employment contexts

What We Offer

• A mission-driven and value-based company dedicated to empower deskless workers and local businesses

• An early employee opportunity at a Series B hyper-growth startup; work with the founding team and industry veterans to accelerate your career

• Competitive salary and equity

• Comprehensive health coverage: medical, dental, and vision. We pay 95% of your premiums for our employees and 85% for dependents

• In office amenities and stocked kitchen

• 401K Plan

• Pre-tax commuter benefits

• Learning/development stipend

• Flexible PTO

Salary Range

In compliance with the California Pay Transparency Law, the base salary range for this role is between $150,000 - $180,000 in San Francisco. This range is not inclusive of our discretionary bonus or equity package. When determining a candidate’s compensation, we consider a number of factors including skillset, experience, job scope, and current market data.

Know More About Workstream

• https://www.workstream.us/blog/funding-series-b

• https://techcrunch.com/2021/08/26/workstreams-text-based-recruitment-tool-gets-a-48m-bet-from-bond-and-beyond/

• https://techbuzz.news/buzzworthy-august-27-2021/

Additional Information

Workstream provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.

We are committed to the full inclusion of all qualified individuals.