
Staff Security Engineer - Product Security

Job

Zipline

Remote

$252,500 Salary, Full-Time

Posted 7 weeks ago (Updated 4 weeks ago) • Actively hiring

Expires 5/27/2026


Job Description

Staff Security Engineer - Product Security
South San Francisco, California, USA

About You and The Role

Zipline builds and operates fleets of delivery drones to get medicine to those who need it, fast, regardless of where they live. To power this, the software team is building out the long-term, scalable solutions needed to expand rapidly while empowering our world-class distribution centers to serve their customers as fast as possible.

Zipline's security problems aren't "website got pwned" problems (though those exist too). They're "real-world autonomy + robotics + global operations + cloud software + regulated/health-adjacent workflows" problems. You'll partner deeply with software, infrastructure, and (where relevant) embedded/autonomy teams to reduce real risk in real systems. We have a large attack surface.

Our ideal candidate works well in startup environments, wears many hats, and collaborates across engineering disciplines. You'll join a small, high-ownership security team with significant influence over how we scale.

A note on our modern reality and agentic tooling: Engineering teams are increasingly adopting LLM copilots and agentic tools to move faster. That's useful, until an "assistant" becomes an unmonitored automation path to secrets, sensitive data, or privileged actions. (Think: "obedient intern with production credentials.") Industry guidance is converging on practical frameworks like the NIST AI Risk Management Framework (including a profile for generative AI) and the OWASP Top 10 for LLM Applications, which explicitly calls out risks like prompt injection, insecure plugin design, and excessive agency. In this role, you'll help Zipline safely leverage these tools while containing them so they don't quietly "rewrite the threat model".

This is a hybrid onsite role - you will frequently have conversations in person at our HQ in South San Francisco.

What You'll Do

- Own security outcomes for critical parts of Zipline's application and cloud ecosystem (not by writing policy docs that no one reads, but by shipping controls and enabling teams).
- Partner with engineering teams on secure architecture, threat modeling, and design reviews for services that must be correct, reliable, and defensible under real-world operational pressure.
- Help us build and scale a pragmatic secure SDLC - CI/CD hardening, dependency/supply-chain controls, secrets management, and code review patterns that don't slow teams down.
- Improve cloud security posture end-to-end: IAM and least privilege, network/service-to-service trust, key management, logging/telemetry, runtime detection, and incident-ready auditability.
- Drive vulnerability management that actually closes risk: triage, exploitability analysis, remediation partnerships, and verification.
- Help build and exercise incident response: playbooks, tabletop exercises, logging requirements, and "know it happened / know what changed" operational discipline.
- Support data classification and access control models aligned to how Zipline operates (including partner/customer interfaces and global operations).
- Support external penetration tests and turn results into durable improvements, not whack-a-mole patches.
- Contribute to security compliance efforts (e.g., SOC 2 / ISO 27001) in a way that strengthens engineering.
- Secure AI-assisted and agentic engineering workflows (this is explicitly part of the job):
  - define safe patterns for copilots/LLM tools used in development and ops
  - implement guardrails for sensitive data exposure and output handling
  - prevent "agentic overreach" (over-privileged tools, unsafe tool-calling, silent action-taking)
  - build monitoring/auditing around AI tool use where it matters

What You'll Bring

- 8+ years of experience designing, building, and operating security controls for large-scale production systems (application, cloud, and infrastructure security).
- Strong security engineering chops with evidence you can reduce risk in production systems (not just talk about it).
- Hands-on ability to write and ship code/tools in Python, Go, or similar (you're expected to build, not just review).
- Practical experience securing microservice architectures and modern cloud stacks (containers/Kubernetes, IAM, CI/CD, secrets, logging).
- Comfort operating as a technical leader without authority: you can persuade, teach, and unblock - not police.
- A skeptical mindset: you naturally ask "what's the failure mode?" and "how will this be abused?" before shipping changes.
- Familiarity with the security failure modes of LLM-enabled systems (or the willingness to learn fast), including risks called out by OWASP such as prompt injection, insecure output handling, insecure plugin design, and excessive agency.

Nice To Haves

- Experience spanning multiple engineering domains (web app + cloud infra + embedded/robotics/autonomy).
- Experience building developer-friendly security platforms (internal libraries, paved roads, CI integrations, Public Key Infrastructure).
- Track record of being an effective security "evangelist" (i.e., enabling good behavior with good tools and defaults, not fear).
- Experience designing guardrails for internal AI/agent usage (policy + technical controls + auditing), especially in environments where safety and reliability are non-negotiable.
- Deep understanding of distributed systems and how failures actually happen (partial outages, weird retries, cascading dependencies, misconfigurations, permissions drift).

What Else to Know

This will be an in-office or hybrid role based out of our South San Francisco HQ. The starting cash range for this role is $230,000 - $275,000; please note that this is a target, starting cash range for a candidate who meets the minimum qualifications for this role. We are always open to negotiation. The final cash pay for this role will depend on a variety of factors, including a specific candidate's experience, qualifications, skills, working location, and projected impact. The total compensation package for this role may also include: equity compensation; overtime pay; discretionary annual or performance bonuses; sales incentives; benefits such as medical, dental and vision insurance; paid time off; and more.

Zipline is an equal opportunity employer and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws or our own sensibilities. We value diversity at Zipline and welcome applications from those who are traditionally underrepresented in tech. If you like the sound of this position but are not sure if you are the perfect fit, please apply.