Staff DevSecOps Engineer

Staff DevSecOps Engineer

Seattle, WA or McLean, VA or Remote (USA)

About Us

Co-founded in 2023 by Joe Laws and Grant Verstandig, Trase Systems is AI, Uncomplicated. Trase empowers enterprise leaders to harness the full potential of AI without the associated complexity and risks. We are an end-to-end solution for deploying, managing, and optimizing AI in the enterprise. Our platform specializes in bridging the "last mile" of AI adoption, unlocking AI's full potential while driving efficiency and significant cost savings. Trase is at the forefront of AI Agent innovation, topping the Hugging Face GAIA Leaderboard for Generalized AI Assistants, ahead of industry giants such as Google, Meta, Microsoft, and OpenAI. We are leveraging our cutting-edge technologies to develop mission-critical agentic applications in complex industries such as Healthcare, Oil & Gas, and National Security.

About the Role

As the Staff DevSecOps Engineer, you will be the technical owner of how security is built into Trase's software development lifecycle and cloud operations.

You will integrate automated security testing, continuous vulnerability management, and secure coding practices directly into our existing CI/CD pipelines, where the cost of catching misconfigurations and vulnerabilities is lowest and the blast radius is smallest. You will own the implementation of Trase's dedicated security architecture, delivering shift-left tooling (SAST, DAST, SCA, secrets scanning, and IaC scanning) alongside production cloud security services and resources, all deployed through infrastructure-as-code.

By standardizing and operating these secure pipelines, you will empower Trase's software engineers to focus on high-velocity delivery while ensuring that we maintain the controls and capabilities required by our customers and regulators.

Why This Role Exists

Trase ships mission-critical agentic applications into Healthcare, Oil & Gas, and National Security at the pace of a startup, under the scrutiny of a defense contractor. Our engineering velocity and the speed at which we deploy highly-regulated workloads is one of our core advantages.

To preserve that velocity while maintaining customer trust and assurance, we must ensure that security is seamlessly and inextricably linked to delivery — and never bolted on after the fact.

This role exists to build upon our foundation and mature the ways in which we've embedded security throughout our pipelines and operations. It is a continued investment in our CI/CD security tooling, production cloud security architecture, detection and response capabilities, and the IaC patterns that make secure-by-default the path of least resistance for every Trase engineer.

Responsibilities

Shift-Left Security in CI/CD

• Design, implement, and operate the shift-left security toolchain across Trase's CI/CD pipelines, which include but are not limited to SAST, DAST, SCA, secrets scanning, container image scanning, and IaC scanning.
• Define how findings are triaged, routed, and remediated; partner with engineering teams to keep developer experience high and friction low.
• Establish and enforce policy-as-code and pre-merge security gates calibrated to risk.

Cloud Security Architecture

• Design and deploy Trase's production cloud security architecture, with a primary focus on Google Cloud Platform (GCP) and a clear path to multi-cloud as the business requires.
• Implement foundational controls including network segmentation, workload identity, secrets management, encryption (in transit and at rest), and least-privilege IAM using both cloud-native services and third-party applications or platforms.
• Stand up and operate cloud security posture management (CSPM) and cloud workload protection capabilities.

Infrastructure-as-Code & Platform Security

• Build, codify, and maintain the secure-by-default infrastructure modules in Terraform, consumed by every Trase engineer.
• Embed security controls directly into platform abstractions so that the secure path is the default path.
• Drive secure baselines for Kubernetes, container runtimes, and serverless workloads.

Detection, Monitoring & SIEM

• Operate and fine-tune Trase's SIEM and security telemetry pipeline, designing log sources, detections, and alerting workflows from the ground up.
• Define detection-as-code practices and tune detections to balance signal and noise.
• Build dashboards and reporting that give the security team and leadership real-time visibility into the live posture of the environment.

Incident Response

• Enhance and lead aspects of Trase's technical security incident response capability, including runbooks, on-call rotation design, tabletop exercises, and post-incident reviews.
• Serve as a senior responder during security events, coordinating across stakeholder groups and the broader enterprise.

Vulnerability & Threat Management

• Operate the end-to-end vulnerability management lifecycle across application, container, and cloud surface area.
• Facilitate remediation SLAs, partner with engineering to drive them, and report on progress to leadership.

Cross-Functional Partnership

• Partner closely with Engineering and the broader Security and Compliance team to translate framework requirements (e.g., SOC 2, HIPAA, ISO 27001, FedRAMP, NIST 800-53) into defensible, robust controls.
• Embed with Product and Engineering teams to ensure security is an integral part of how Trase builds, by design.

Mentorship & Engineering Leadership

• Mentor junior Security and Compliance engineers and members of the Engineering team on secure coding, threat modeling, and cloud security best practices.
• Establish and propagate the patterns, runbooks, and reusable building blocks that allow Trase's security capabilities to scale with the company.

Requirements

• 10+ years of experience in security engineering, DevSecOps, cloud security, or platform security roles, including significant time as a senior individual contributor.
• Deep, hands-on experience securing modern CI/CD pipelines, including production deployment of SAST, DAST, SCA, secrets, container, and IaC scanning.
• Strong cloud security expertise, with primary depth in Google Cloud Platform—or proven multi-cloud expertise and the ability to operate authoritatively in GCP.
• Expert-level Terraform skills and a track record of building secure-by-default IaC modules consumed by other engineers.
• Demonstrated experience standing up and operating a SIEM end-to-end—from log source design through detection engineering and alert tuning.
• Hands-on incident response leadership, including runbook authorship, on-call design, and serving as a senior responder during real incidents.
• Practical experience operating in environments governed by SOC 2, HIPAA, and ISO 27001, with a clear understanding of how engineering controls map to framework requirements.
• Strong programming or scripting skills (Python, Go, or similar) sufficient to build automation, integrations, and tooling—not just to configure off-the-shelf products.
• Excellent partnership skills and a developer-empathetic mindset; track record of making security the path of least resistance rather than a bottleneck.
• Strong affinity and practical skill for working with LLMs and AI agents as part of your own workflow—clear judgment on when and how to deploy them to move quickly, orchestrate work, and ship with confidence.
• US Citizen and eligible for US security clearance

Nice to Have

• Hands-on experience implementing security architectures or controls for FedRAMP (Moderate or High), DoD RMF, HITRUST, or other heavily regulated frameworks.
• Active US security clearance (Secret, TS, or TS/SCI).
• Deep Kubernetes and container security expertise (admission control, runtime security, software supply chain security).
• Experience securing AI/ML workloads, including model supply chain integrity, prompt injection defenses, and agent execution sandboxing.
• Industry certifications such as Google Professional Cloud Security Engineer, AWS Security Specialty, OSCP, GIAC (GCSA, GCIH, GCIA), or CKS.
• Open source contributions to security tooling, detection content, or IaC modules.

Salary Range : $170,