Principal Security Engineer - Vulnerability Management

About Stitch Fix, Inc.

Stitch Fix (NASDAQ: SFIX) is the leading online personal styling service that helps people discover the styles they will love that fit perfectly so they always look - and feel - their best. Few things are more personal than getting dressed, but finding clothing that fits and looks great can be a challenge. Stitch Fix solves that problem. By pairing expert stylists with best-in-class AI and recommendation algorithms, the company leverages its assortment of exclusive and national brands to meet each client's individual tastes and needs, making it convenient for clients to express their personal style without having to spend hours in stores or sifting through endless choices online. Stitch Fix, which was founded in 2011, is headquartered in San Francisco.

About the Team

We are a team of collaborative, empathetic, and passionate security practitioners with diverse backgrounds and expertise spanning Vulnerability Management, Incident Response, Security Operations, and DevSecOps. Our mission is to prioritize security in everything we do while enabling the business and fostering seamless collaboration with our partners—reducing friction, not creating it.

Our team members have a high degree of autonomy in ensuring Stitch Fix remains secure. The ideal candidate will have strong communication skills and thrive both independently and as part of a highly distributed engineering team.

We’re seeking individuals who prioritize usable security and are passionate about security and automation. As Stitch Fix continues to grow rapidly, our security program must scale alongside it—balancing robust protection with the flexibility to support innovation.

About the Role

At Stitch Fix, we operate in a cloud-first environment and are seeking an Vulnerability Management Engineer to lead security initiatives and own the VM program. This role will focus on Vulnerability management, implementing best practices across infrastructure, network security, and cloud environments, as well as ensuring compliance and policy adherence. This role is part of the Security Team and collaborates closely with Platform and Development teams. The ideal candidate should have extensive experience in Vulnerability Management, container technologies, and deployment and integration patterns within a production AWS environment.

You're excited about this opportunity because you will…

• Collaborate to develop innovative security solutions, leveraging the right tools while contributing to design and architecture across multiple systems. You're eager to expand your expertise and help us integrate new technologies. This is a team where learning is mutual—you’ll learn from us, and we’ll learn from you. Most importantly, you are deeply committed to protecting our clients and employees from threats.

• Work closely with the team to develop effective solutions, leveraging the right tools while contributing to design and architecture across multiple systems. You're eager to expand your expertise and help us integrate new technologies. This is a team where learning is mutual—you’ll learn from us, and we’ll learn from you. Most importantly, you are committed to delivering a seamless and impactful experience.

• Be the first to step in, tackle challenges head-on, and do what it takes to protect and secure our organization.

• Ensure that technology solutions address real business challenges. Your insights are valued by both team members and business partners, who look to you for guidance on how our security initiatives should function. You're not afraid to ask tough questions, challenge assumptions, and engage with customers, stakeholders, and executives to drive meaningful outcomes.

We’re excited about you because…

You have broad skills building, deploying, and maintaining security services in an organization, and serving as the Subject Matter Expert for Vulnerability Management and cloud security. Additionally you have the following experience:

• 6+ years of experience in Security, preferably in an Vulnerability Management or similar role (Code defects, dependencies, containers, risk of exposure and exploitability).

• Experience leading and assisting with Vulnerability remediation, documentation, and leading remediation efforts in close collaboration with the org.

• Proficient with the vulnerability management lifecycle and hands on involvement in orchestrating automated solutions.

• Understanding of common risk, attack techniques, and exploitability such as supply chain attacks.

• Intermediate to advanced knowledge of APT groups, TTPs (Tactics, Techniques, and Procedures).

Cloud & Infrastructure Security:

• AWS experience is required; familiarity and high degree of proficiency with AWS services (e.g., Route53, IAM, Security Groups, SNS, S3, Lambas, CloudWatch, Cloud Trail)

• Hands-on experience with AWS environments, particularly in a security context; familiarity with AWS security services (e.g., Security Hub, GuardDuty, Macie).

• Hands on working knowledge of Infrastructure as Code (IaC) concepts and tools such as Terraform and Docker.

• Understand the use of CI/CD pipelines and their role in a security context.

Security Tools & Logging:

• Experience optimizing and integrating solutions (e.g., Jira, JupiterOne, PaloAlto Prisma).

• Ability to interpret findings based on CVSS and proprietary scoring, and escalate potential security threats and findings to various stakeholders.

Programming & Automation:

• Proficient with scripting languages such as Python, developing automation and security workflows.

• Proficient with infrastructure as code in Terraform, or Pulumi, or Cloud Formation.

Soft Skills & Collaboration:

• Ability to follow established security procedures and lead remediation efforts.

• Strong written communication skills for security documentation and reporting.

• Ability to collaborate with cross-functional teams and assist in security investigations.

Development & Continuous Learning:

• Knowledge of common development practices, tools and how it applies in a security context.

• Eager and willing to learn and develop new skills in security automation and cloud security.

• Have the ability and experience to mentor and develop junior team members, fostering growth within the team.

ABOUT THE TECHNOLOGY

Technologies we rely on to pursue solutions to business problems include:

• CircleCI

• Docker

• Palo Alto Prisma, Cortex

• JupiterOne

• AWS

• Linux/Mac

• ZScaler

• HashiCorp Terraform

• Python

• Github

• Atlassian Tools

• DataDog

• CrowdStrike

Even if you already have experience with these tools, you'll have the chance to get even better with them. And if you don't already use at least a few of these tools, we will help you learn and become effective with them.

Why you'll love working at Stitch Fix...

• We are a group of bright, kind people who are motivated by challenge. We value integrity, innovation and trust. You’ll bring these characteristics to life in everything you do at Stitch Fix.

• We cultivate a community of diverse perspectives— all voices are heard and valued.

• We are an innovative company and leverage our strengths in fashion and tech to disrupt the future of retail.

• We win as a team, commit to our work, and celebrate grit together because we value strong relationships.

• We boldly create the future while keeping equity and sustainability at the center of all that we do.

• We are the owners of our work and are energized by solving problems through a growth mindset lens. We think broadly and creatively through every situation to create meaningful impact.

• We offer comprehensive compensation packages and inclusive health and wellness benefits.

Compensation and Benefits

This role will receive a competitive salary, benefits, and equity. The salary for US-based employees hired into this role will be aligned with the range below, which includes our three geographic areas. A variety of factors are considered when determining someone’s compensation–including a candidate’s professional background, experience, location, and performance. This position is eligible for an annual bonus, and new hire and ongoing grants of restricted stock units, depending on employee and company performance. In addition, the position is eligible for medical, dental, vision, and other benefits. Applicants should apply via our internal or external careers site.

Salary Range
$120,000—$200,000 USD

This link leads to the machine readable files that are made available in response to the federal Transparency in Coverage Rule and includes negotiated service rates and out-of-network allowed amounts between health plans and healthcare providers. The machine-readable files are formatted to allow researchers, regulators, and application developers to more easily access and analyze data.

Please review Stitch Fix's US Applicant Privacy Policy and Notice at Collection here: https://stitchfix.com/careers/workforce-applicant-privacy-policy

Recruiting Fraud Alert:

To all candidates: your personal information and online safety are top of mind for us. At Stitch Fix, recruiters only direct candidates to apply through our official career pages at https://www.stitchfix.com/careers/jobs or https://web.fountain.com/c/stitch-fix.

Recruiters will never request payments, ask for financial account information or sensitive information like social security numbers. If you are unsure if a message is from Stitch Fix, please email [email protected].

You can read more about Recruiting Scam Awareness on our FAQ page here: https://support.stitchfix.com/hc/en-us/articles/1500007169402-Recruiting-Scam-Awareness