Staff Security Engineer

About Collective: Collective is on a mission to redefine the way businesses-of-one work. Our technology and team of trusted advisors help members achieve financial independence by taking care of everything from business incorporation to accounting, bookkeeping, tax services, and access to a thriving community, all in one integrated platform. We believe in empowering self-employed people to enjoy the same tax savings that big companies get, so they can focus on their passion, not paperwork. Featured in Forbes, Business Insider, Yahoo, Bloomberg, Financial Times, TechCrunch, and more. We are backed by General Catalyst, Sound Ventures (Ashton Kutcher and Guy Oseary), QED Investors, Google’s Gradient Ventures, Expa, and other investors who have financed iconic companies like YouTube, Substack, Twitch, Box, Hims, Instacart, and Lyft. About the role: We're hiring a Staff Security Engineer to own the security of Collective's member platform end to end — from how code is written and tested to how data is protected and how our systems authenticate. This is a senior individual contributor role with broad product-security scope: you'll embed security into the development lifecycle, lead threat modeling and security reviews across the platform, and own the authentication, authorization, and compliance systems that keep our members' financial and tax data trustworthy. As Collective expands its use of AI and agent-based workflows, you'll shape how those systems authenticate and operate securely. You'll work closely with Engineering, Product, and Legal to make security a first-class property of everything we ship — without slowing the team down. What you'll do: Own the end-to-end authentication and authorization architecture across Collective's member platform, including session management, role-based access control, and the emerging patterns needed to secure agent-based workflows and service-to-service communication. Drive CCPA compliance across the platform, partnering with Legal and Engineering to map data flows, implement required access and deletion controls, and establish ongoing audit and reporting mechanisms. Design and maintain Collective's static and dynamic application security testing (SAST/DAST) frameworks, integrating them into CI/CD pipelines so security feedback is fast, automated, and actionable for product teams. Lead threat modeling for new features and platform changes, collaborating with product engineers early in the design process to identify and address risk before it reaches production. Define and maintain security standards, policies, and runbooks that give engineering teams clear guardrails without slowing down delivery. Respond to and lead post-incident security reviews, driving root-cause analysis and translating findings into durable platform improvements. Evaluate and integrate third-party security tooling, staying current on the threat landscape relevant to fintech platforms handling sensitive financial and tax data. What you'll bring: 8+ years of security engineering experience, with depth in application security and a track record of improving security posture on production platforms at scale. Strong expertise in authentication and authorization systems (OAuth 2.0, OIDC, SAML, JWT) and the nuances of securing both user-facing sessions and machine-to-machine flows, including AI agent authentication patterns. Hands‑on experience building or owning SAST/DAST programs and embedding security testing into CI/CD pipelines; familiarity with tools like Semgrep, Snyk, Burp Suite, or equivalent. Working knowledge of CCPA (and ideally GDPR) compliance requirements as they apply to a SaaS platform handling personal financial data, including data mapping, subject rights workflows, and audit trails. Experience collaborating with Legal and Privacy teams to translate regulatory requirements into concrete engineering controls, not just documentation. Comfort operating as a senior individual contributor who influences platform direction without requiring a management chain to get things done — you write RFCs, lead design reviews, and bring engineers along through conviction and clarity. Product empathy: the ability to hold security rigor and member experience in the same frame, and to make the right tradeoffs with both in mind. Familiarity with AI-assisted development workflows and an interest in the security implications of agent-based systems is a strong plus. What we offer: Hybrid Work Model: Based in San Francisco with a balance of in‑office and remote flexibility. Fresh Lunch: Provided on in‑office days. Commuter Support: $150 monthly reimbursement for transit expenses. Health & Wellness: $200 quarterly reimbursement to support your well-being. Time Off: Flexible PTO plus 14 company holidays. Comprehensive Coverage: 100% medical, dental, and vision for employees; 75% coverage for dependents. Parental Leave: 16 weeks fully paid. Retirement & Ownership: 401k plan plus an equity package. Team Connection: Quarterly virtual events and an annual in‑person summit. #J-18808-Ljbffr