Staff Software Engineer, Security

Xoxo Ai, San Francisco, California

$250,000 - $500,000 / year

Overview

Schedule: Full-time
Career level: Senior-level
Remote: On-site
Compensation: $250,000-$500,000/year
Benefits: Health Insurance, Dental Insurance, Vision Insurance

Job Description

About Us

XOXO is a research lab building the interface of intelligence for everyday life. We're a stealth team of hardcore engineers, designers, and researchers discovering solutions to novel problems impacting life outside work.

With a recent breakthrough across infrastructure, architecture, and the model layer, we’re hiring serious builders to develop the interface and application layer that will bring our vision to life.

About the Role

We’re hiring an experienced Security Engineer to protect our systems and maintain user trust. You’ll harden our cloud foundations, tighten access boundaries, and build the tooling and response loops that keep us safe as we scale. You’ll partner with the founders and engineering team to define security as a core principle in how we build.

What You’ll Do

  • Partner with engineering, product, and research to embed security into the development lifecycle (threat modeling, design reviews, secure defaults).

  • Harden cloud infrastructure and enforce network topology standards (subnets, firewalls, routing) and org security policies.

  • Implement isolation and segmentation strategies that limit blast radius and prevent lateral movement.

  • Build and maintain security tooling and automation for engineers (CI/CD checks, scanning, guardrails) and drive findings to remediation.

  • Improve observability, detection, and incident response for security-relevant events (intrusions, abuse patterns, DDoS, and bots) including rapid containment.

  • Design and manage identity and access management (humans + services) and third-party integration controls, prioritizing private connectivity and least privilege.

Skills & Qualifications

Minimum qualifications:

  • Shipped security or infrastructure systems from design to production with measurable improvements in risk, reliability, or incident outcomes.

  • Expert knowledge of cloud hardening, including configuration baselines, network topology (subnets/firewalls), and policy enforcement.

  • Strong generalist software engineering background and ability to review production code for security risks.

  • Hands-on experience securing web apps and APIs, especially auth flows, access control, secrets management, input validation, and data protection.

  • Built segmentation/isolation strategies that reduce blast radius and prevent lateral movement.

  • Deep experience with monitoring, threat detection, and intrusion mitigation/response protocols in production environments.

  • Hands-on experience deploying and operating static + dynamic scanning, plus driving remediation through engineering teams.

  • Strong experience designing and operating IAM for internal systems and external-facing surfaces.

  • Able to ship pragmatic guardrails that increase security without slowing teams down.

Preferred qualifications — we encourage you to apply if you meet some but not all of these:

  • Production experience with DDoS defense and automated abuse/bot detection and mitigation.

  • Strong patterns for third-party security (private connectivity, controlled egress, vendor access controls).

  • Experience implementing sensitive data protection (encryption/key management, access controls, auditability) and compliance-aligned controls.

  • Strong opinions on incident response, security architecture, and pragmatic guardrails for early-stage systems.

  • Experience thinking through AI/LLM product risks (abuse, data leakage, prompt injection) and building mitigations.

A link to relevant code, technical writing, incident writeups, or project work is strongly encouraged.

Logistics

  • Location: San Francisco, CA (on-site)

  • Compensation: $250k-$500k expected salary with 1% to 5% equity depending on background.

  • Benefits: Top tier health, dental, vision benefits, and many other perks.

FAQs About Staff Software Engineer, Security Jobs at Xoxo Ai

What is the work location for this position at Xoxo Ai?
This job at Xoxo Ai is located in San Francisco, California, according to the details provided by the employer. Some roles may also include multiple work locations depending on the requirement.
What pay range can candidates expect for this role at Xoxo Ai?
Candidates can expect a pay range of $250,000 to $500,000 per year.
What employment type applies to this position at Xoxo Ai?
Xoxo Ai lists this role as a Full-time position.
What experience level is required for this role at Xoxo Ai?
Xoxo Ai is looking for a candidate with "Senior-level" experience.
What benefits are offered by Xoxo Ai for this role?
Xoxo Ai offers the following benefits for this position: Health Insurance, Dental Insurance, Vision Insurance, and Health & Wellness Programs. Actual benefits may vary depending on the employer's policies and employment terms.
What is the process to apply for this position at Xoxo Ai?
You can apply for this role at Xoxo Ai either through Sonara's automated application system, which helps you submit applications 10X faster with minimal effort, or by applying manually using the direct link on the job page.