ExpanseFT is a payment-processing company with a cloud-native platform and responsibilities under the Payment Card Industry Data Security Standard (PCI DSS). We run a hybrid environment spanning multiple cloud providers and an on-premises data center, and we operate a mature security program with an active incident-response capability, formal change control, and annual third-party assessment.
We're a small, senior, engineering-first team — you'll have significant scope and ownership from day one.
We're hiring our first dedicated Security Engineer. You'll report to the EVP, Platform & Technology (who currently covers this function) and you'll become the primary operator of our day-to-day security program.
Translation: this is a hands-on, queue-owning role, not a policy-writing or architecture-only role. You'll investigate alerts, tune detections, run vulnerability cycles, coordinate audits, execute access reviews, and own the evidence trail that keeps our compliance program defensible.
-
Own the daily security operations queue — triage and investigate alerts and findings across our cloud SIEM, XDR, EDR, and cloud-security-posture tooling. Drive each to closure with documented evidence.
-
Operate the vulnerability management lifecycle — quarterly external scans (ASV), internal authenticated scans, container and Lambda scanning, dependency alerts, and penetration-test follow-through. Track remediation against SLA.
-
Administer endpoint protection across our endpoint fleet — agent deployment, policy tuning, detection quality, and threat response.
-
Run the access-review program — periodic user, privileged, service-account, and third-party access reviews across our identity providers; terminated-user revocation verification; provisioning and deprovisioning execution.
-
Lead incident response as the primary responder for security events — containment, forensics, communications, and post-incident review — with executive escalation where warranted.
-
Own the PCI DSS evidence program — collect, label, and retain audit evidence for our annual QSA assessment. Be the QSA's primary operational point-of-contact during fieldwork.
-
Contribute to detection engineering — write and tune SIEM analytics rules, improve signal-to-noise on high-volume detections, and propose automation improvements.
-
Participate in on-call rotation for security alerts, including out-of-hours escalation.
-
Deliver annual security-awareness training and support the quarterly personnel review process.
-
Support physical security at our data center facility (visitor logs, device inspections, media destruction, rogue-wireless detection) on a periodic on-site basis.
You will operate a full, modern hybrid security stack. Without naming specific vendor SKUs in this post:
- Two major cloud platforms (AWS and Azure), multi-account and multi-subscription, with central logging and security-services aggregation
-
Cloud SIEM and XDR, with a large analytics-rule catalog and KQL as the primary query language
-
Endpoint Detection & Response (EDR) across the fleet; integration with the SIEM
-
Cloud-native security services for threat detection, vulnerability management, and compliance posture
-
Automated patch-management across Windows servers, cloud workloads, and container images
-
An enterprise identity stack with conditional access, governance access reviews, and PIM
-
Ticketing and evidence workflow built on Jira Cloud, with custom automation for recurring compliance tasks and bidirectional integrations with the security stack
-
On-prem perimeter and segmentation with a next-gen firewall and segmented VLANs
You don't need hands-on experience with every single product — you do need to have operated a comparable stack at a comparable scale in a regulated environment.
-
4+ years in Security Operations (L2/L3), Security Engineering, or a closely related role, in a regulated environment (payments, finance, healthcare, or equivalent)
-
Hands-on experience operating AWS security services (e.g., Security Hub, GuardDuty, Inspector, IAM) in a multi-account setup
-
Hands-on experience with a cloud SIEM, including KQL (Kusto Query Language) or equivalent query fluency; comfortable writing and tuning analytics rules, not just consuming them
-
Experience administering an EDR platform (SentinelOne, Defender for Endpoint, CrowdStrike, or equivalent)
-
Demonstrable experience running a vulnerability management lifecycle under SLA — scan, triage, evidence, remediation tracking
-
Working knowledge of PCI DSS v4.0 (requirements 5, 7, 8, 9, 10, 11, and 12 in particular), or substantively equivalent experience with SOC 2, ISO 27001, HITRUST, or NIST CSF
-
Proficient in at least one scripting language for operations automation — Python, Bash, or PowerShell — plus comfort with jq, AWS CLI, and az CLI
-
Strong written communication — you will be the voice of security in tickets, runbooks, and audit evidence a QSA reads a year later
-
Able to work the queue independently, prioritize under SLA pressure, and escalate proactively
-
One or more: CISSP, GIAC (GCIH, GCED, GMON, GCDA, GSEC), AWS Security Specialty, Azure Security Engineer Associate (AZ-500), CompTIA CySA+
-
Prior role as the evidence point-of-contact on a PCI DSS QSA engagement
-
Experience with open-source cloud security assessment tooling (e.g., Prowler, Steampipe, CloudQuery, cfn-nag, checkov, tfsec, trivy)
-
Experience reading or contributing to AWS CDK (TypeScript) or Terraform
-
Experience with a next-gen firewall platform (Cisco FTD/FMC, Palo Alto, Fortinet, or equivalent)
-
Experience on a formal on-call rotation (PagerDuty, Opsgenie, or equivalent)
-
First 90 days: You own the daily and weekly security-operations queue independently, with evidence attached to every closed ticket. You've shadowed a full monthly cycle and proposed at least one improvement.
-
First 6 months: You've executed a full quarterly cycle, led at least one incident-response tabletop, and become the primary operational voice of security in our engineering org.
-
First year: You've run a complete annual cycle (external pentest coordination, policy review, risk assessment, training refresh) and been a named evidence owner in our annual external audit.
-
On-call: Participation in the security on-call rotation (differential TBD)
-
Training and certification budget — annual allocation for at least one major security certification plus a security conference each year
-
Location and schedule — Remote but NY based. As-needed on-site visits to our data center on Long Island— either for scheduled physical-security duties (device inspections, visitor-log audits, media destruction oversight) or to respond to a security incident. These visits are event-driven, not a weekly or monthly commute.