Staff Product Security Engineer

Onwards Together!

Illumio is the leader in ransomware and breach containment, redefining how organizations contain cyberattacks and enable operational resilience. Powered by the Illumio AI Security Graph, our breach containment platform identifies and contains threats across hybrid multi-cloud environments – stopping the spread of attacks before they become disasters.Recognized as a Leader in the Forrester Wave™ for Microsegmentation, Illumio enables Zero Trust, strengthening cyber resilience for the infrastructure, systems, and organizations that keep the world running.

Location: 4 on-site days a week in Sunnyvale, CA Headquarters.

Our Team's Vision:

Our Engineering team is shaping the future of cybersecurity. We thrive on visionary leadership, autonomy, and ownership, fostering a culture of innovation that propels us forward in the ever-evolving cybersecurity landscape.

As a Staff Product Security Engineer, you will play a critical role in strengthening the security posture of our products across their entire lifecycle. You will partner closely with Engineering, Product Management, and cross‑functional stakeholders to design secure architectures, evaluate complex systems, perform hands-on security testing, and build automation that scales security across the organization.

This role requires a strong technical foundation, excellent written and verbal communication skills, and the ability to influence engineering teams to adopt secure-by-design principles. You will work independently with minimal oversight, exercising sound judgment to solve problems of diverse scope. You will also drive long-term security maturity by leading multi-year security initiatives that measurably improve our security posture.

Your Impact:

Security Architecture & Design

• Own and lead end-to-end security architecture and design reviews for prototypes, components, and new product features in distributed cloud environments.

• Develop and maintain threat models to proactively identify threats, misuses, and residual risks.

• Provide security consulting for emerging technologies, such as AI/ML, PQC, defining security requirements and design guardrails.

• Author and maintain product security policies, standards, and architectural guidance.

Security Program Leadership

• Lead multi-year product security programs, driving roadmap planning, execution, cross-functional alignment, and measurable security improvements.

• Develop scalable security strategies that align with engineering velocity, product roadmaps, and business priorities.

• Influence teams across organizations to adopt secure design and secure development practices.

Hands-On Security Testing

• Perform manual and automated security testing to validate real-world exploitability of vulnerabilities.

• Conduct manual secure code reviews with a focus on security and privacy risks.

• Execute DAST, API security testing, and container security scanning.

• Validate reported vulnerabilities and support customer security responses.

Vulnerability Management

• Drive end-to-end vulnerability management, from identification to remediation across code, containers, infrastructure, and cloud.

• Utilize full-stack scanning tools (SAST, SCA, secrets scanning, container scanning) to uncover vulnerabilities early.

• Partner with engineering teams to prioritize and remediate vulnerabilities based on risk and product impact.

• Support product security incident responses, including triage, root-cause analysis, and remediation guidance.

• Enable Trust office to create and share customer vulnerability responses.

Security Automation & Tooling

• Build, enhance, and maintain security automation for scalable vulnerability detection, triage, and reporting.

• Promote the adoption of golden secure images, secure-by-default tooling, and supply chain security improvements.

• Improve open-source resiliency through integrity checks, dependency monitoring, and automated safeguards.

• Enable developer self-service through internal security tooling and guidance frameworks.

Security Enablement & Knowledge Development

• Deliver technical security training for engineering teams, including secure coding, secure design, and modern threat awareness.

• Build and maintain a comprehensive security knowledge base, including best practices, threat models, secure design patterns, and remediation guides.

• Produce security evidence and documentation to support compliance, audits, certifications, and customer requirements.

• Prepare and present product security metrics to leadership and key stakeholders.

Your Toolkit:

• 10–12 years of product security or application security experience required.

• 2-3 years of software development experience preferred.

• Bachelor's degree in computer science or related field; or Master’s degree in Cybersecurity.

• Relevant coursework in secure coding, application security, network security, security architecture or threat modeling.

• Proficiency in programming languages such as Python, Java, Go, or C++.

• Hands-on experience with SAST, DAST, SCA, container security, and cloud-native security tools.

• Familiarity with security automation, CI/CD pipelines, and script-based tooling.

• Strong understanding of full-stack vulnerabilities, MITRE attack framework, OWASP Top 10 for existing and emerging technologies, secure coding, and microservice architectures.

• Experience with supply chain security and open-source dependency management is a plus.

• Strong analytical and problem-solving capabilities.

• Excellent written and verbal communication skills.

• Ability to work independently in a fast-paced, engineering-driven environment.

• Empathy for developers and the ability to build practical guardrails.

• Able to lead multi-year security programs, collaborate cross-functionally, and present initiatives to leadership.

This position involves access to software/technology that is subject to U.S. export controls. Any job offer made will be contingent upon the applicant’s capacity to serve in compliance with U.S. export controls.

#LI-TD1 #LI-ONSITE

Our Commitment

Illumio believes that an environment of unique backgrounds, experiences, viewpoints, and individual contributions creates a culture of belonging, drives our future, and makes us stronger together in support of our customers and their success.

All official job offers from our company are extended directly by our recruitment team and will be sent through an official E-Signature document for your review and signature. Please be aware that we do not ask for any personal information in the process of extending offers of employment, such as financial details or social security numbers. Upon acceptance of any offer, we will request such information as part of the onboarding process prior to or on your first day of employment, and only after completing a background check through an authorized third-party vendor. If you receive any communication asking for personal details outside of these processes, please contact us immediately to verify the authenticity of the request. Your security is important to us, and we are committed to a safe and transparent hiring experience.

For roles in San Francisco and Los Angeles: Pursuant to the San Francisco Fair Chance Ordinance and the Los Angeles Fair Chance Initiative for Hiring, Illumio will consider for employment qualified applicants with arrest and conviction records.