Product Security Engineer

Compensation:
$133,000-$172,000/year depending on years of experience

Role Overview:

As a Product Security Engineer, you will own product security across all Cutsforth offerings, including cloud software, on-prem deployments, embedded systems, and IoT hardware. This role is responsible for defining, implementing, and governing product security controls throughout the full product lifecycle; from device manufacturing and firmware through cloud services, APIs, and customer-facing applications.

Product & Platform Scope:
This role is responsible for product security across:

• Foresight (cloud-hosted, multi-tenant analytics platform)
• Cortex (internal R&D and ML experimentation environment)
• InsightCM (on-prem and hybrid industrial monitoring systems)
• Embedded and low-cost hardware devices, including firmware, device identity, encryption, and secure communications

Key Responsibilities:

• Embed security best practices, such as encryption and authentication, directly into new products as part of the architecture and design process.
• Identify vulnerabilities and security gaps during the design phase to present exploitation.
• Define and enforce secure device architecture, including secure boot, hardware root of trust, device identity, and certificate-based authentication
• Own firmware security, including signing, update mechanisms, rollback protection, and vulnerability remediation
• Design and govern end-to-end encryption strategies spanning device, edge, and cloud
• Establish security requirements for low-cost hardware, balancing risk, cost, and operational constraints
• Conduct threat modeling for embedded systems, IoT protocols, and physical attack surfaces
• Partner with hardware, firmware, and manufacturing vendors to ensure supply-chain security controls
• Own product security incident response, including vulnerability triage, remediation coordination, customer communication, and post-incident reviews
• Manage coordinated vulnerability disclosure and CVE processes where applicable
• Lead Product Lifecycle Management security initiatives from concept throughout development, release and maintenance.
• Conduct product security testing and oversee penetration testing, vulnerability scans and code reviews.
• Define the product security strategic roadmap, goals, priorities, features and align product security with business objectives.

Required Qualifications:

• Successfully pass background check for cybersecurity site access.
• 7-15 years of hands-on cyber security experience within the software development lifecycle, including implementation of security controls, vulnerability management, or cloud security
• Hands on experience with programming languages like Python, Java, C++, or Go.
• Mastery of security tools like Burp Suite, Checkmarx, or SonarQube.
• Security Frameworks – solid understanding of OWASP Top 10, NIST and SOC2 compliance
• Specific familiarity with the NIST SSDF (SP 800-218) standard and experience developing products to meet requirements in this standard
• Experience with Azure
• 7+ years of experience with scripting automation for security tasks using Python
• Practical experience with at least one major SIEM – Splunk
• Strong analytical and problem-solving skills
• Ability to clearly communicate technical risks and recommendations to both technical and non-technical stakeholders.
• Detail orientated with good documentation habits.
• Bachelor’s degree in computer science or cyber security or related field

Preferred Qualifications:

• CompTIASecurity+, CompTIA CYSA+, CompTIA PenTest+ or CEH preferred
• CISSP
• OSCP
• Experience securing embedded systems, IoT devices, or industrial control systems
• Familiarity with device authentication, PKI, and certificate lifecycle management
• Understanding of common IoT protocols (MQTT, HTTPS, AMQP, or similar)

Other Qualifications:

• Successfully pass background check for cybersecurity access requirements.

Cybersecurity Role Expectations:

• Candidate will be responsible for reviewing policies and procedures related to cybersecurity and those relevant to the functions of their role.
• Candidate is expected to maintain a cybersecure work environment.

Physical Requirements:

• Must be able to sit and stand for extended periods of time.
• Must be able to use hands to type, handle products, tools and navigate a computer keyboard.
• Must be able to view computer screen for extended periods of time.
• Specific vision abilities required by this job include close vision and distance vision.