Senior/Staff Security Engineer

Senior/Staff Security Engineer

New York, New York, United States

Sage is on a mission to improve care and quality of life for older adults, starting with those residing in senior living facilities. Falls are the leading cause of injury-related death among adults over 65. And yet, fall prevention and emergency response systems for older adults are archaic and ineffective. At Sage we've built a more modern way of understanding when older adults need help, including methods for residents to alert caregivers when in need of help, and corresponding software for caregivers to triage response. Our company mission is to create a product that our client counterparts love, and this role is a key part of that objective.

Sage is a small, tight team of ambitious, multi-disciplinary entrepreneurs. We are a software-enabled, mission-driven company, and are focused only on the problems that are central to achieving that mission. At Sage, we work hard and fast but also know that to build a truly important company, we need to treat our work as a marathon, and not a sprint. The journey matters.

About This Role

We are looking for a Senior/Staff Security Engineer to own and advance the security posture of our platform as we scale. You will be the dedicated security practitioner on the engineering team, responsible for hardening our cloud and edge infrastructure, driving compliance programs, building vulnerability management and incident response capabilities, and embedding security into the software development lifecycle.

This is a hands-on individual contributor role reporting to the Engineering Manager of Cloud and Security. You will work across AWS and GCP environments, partner closely with product engineering and platform teams, and have direct impact on Sage's ability to earn and maintain customer trust. Success in this role requires deep technical security skills, comfort operating across a broad surface area, and a bias toward practical, risk-proportionate solutions over checkbox compliance.

Responsibilities

• Harden and continuously improve the security of Sage's cloud infrastructure across AWS and GCP, including IAM policies, VPC configurations, security groups, and network segmentation.
• Own vulnerability management end to end: implement scanning, triage findings, coordinate remediation with engineering teams, and track resolution. Drive penetration test findings to closure on defined timelines.
• Build and maintain incident response capabilities, including detection tooling, runbooks, and post-incident analysis.
• Drive Sage's SOC 2 and HIPAA compliance programs forward, producing evidence, closing control gaps, and coordinating with external auditors.
• Implement and operate supply chain security controls, including dependency scanning, credential leak monitoring, and secret rotation automation.
• Embed security into CI/CD pipelines and the software development lifecycle through automated checks, secure defaults, and developer education.
• Conduct security reviews of architecture decisions, new services, and third-party integrations. Own the vendor security assessment process for evaluating and tracking third-party risk.
• Establish and maintain key and credential rotation policies with clear ownership and audit trails.
• Implement automated compliance scanning across cloud accounts and projects with defined triage workflows.
• Validate that disaster recovery procedures maintain security controls through failover, including encryption, access control, and network segmentation.
• Partner with engineering, product, and executive stakeholders to communicate security risk clearly and advocate for proportionate investment.

Minimum Qualifications

• 6+ years of experience in security engineering, with demonstrated depth in cloud security (at least one of AWS or GCP required).
• Hands-on experience with IAM design, VPC architecture, security group management, and infrastructure hardening in production environments.
• Experience building or significantly improving vulnerability management programs, including tooling selection, integration, and triage workflows.
• Direct experience with SOC 2 and HIPAA compliance, including evidence collection, control implementation, and auditor interactions.
• Practical incident response experience: you have detected, investigated, and resolved real security incidents, not just written the plan.
• Experience securing containerized applications and CI/CD pipelines.
• Experience securing device or edge computing environments, including firmware updates, device authentication, and network security for IoT or embedded systems.
• Strong written and verbal communication skills. You can explain a risk finding to an engineer and a business stakeholder in the same day.
• Willing and excited to be in the office Tuesday through Thursday (NYC).

Preferred Qualifications

• Experience with Terraform or similar infrastructure-as-code tools for managing security controls declaratively.
• Familiarity with healthcare or other regulated industries where data protection has real consequences.
• Experience with supply chain security tooling (dependency scanning, SBOM generation, container image signing).
• Track record of building automated credential rotation and secret management pipelines.
• Experience operating security programs at a growth-stage startup where you had to prioritize ruthlessly and build from scratch.
• Relevant certifications (CISSP, AWS Security Specialty, GIAC) are a plus but not required if the experience is there.
• Comfortable reading and reviewing application code (Java preferred) to identify security issues such as overly broad token scoping, improper credential handling, and authentication/authorization flaws. Ability to contribute fixes directly is a plus.

Benefits and Pay

Our headquarters are located in New York City's Union Square. We believe in cross team collaboration. We think good ideas can come from anyone, and we've designed our processes to encourage participation from all. While we take our mission seriously, we don't take ourselves too seriously. We like to host offsites, outings, and team meals where we can connect as people, not just as colleagues. We offer office lunch and a fully stocked snack bar. While we are an in office culture, we allow up to 2 remote days per week.

Our benefits package for employees includes competitive base compensation along with stock options. The expected annual salary range for this role is $190,000-240,000 USD, depending upon the job level, which will depend on your level of expertise, your experience, and your qualifications. We also provide fully-paid health and dental insurance coverage for all of our employees, along with other health benefits including vision insurance, membership to premium primary and urgent care, and online medical health providers. We also have a take as you need time off policy, in addition to 7 paid holidays and a company wide winter break during the holidays.

EEO Statement

Sage is an equal opportunity employer that is committed to diversity and inclusion in the workplace. We prohibit discrimination and harassment of any kind based on race, color, sex, religion, sexual orientation, national origin, disability, genetic information, pregnancy, or any other protected characteristic as outlined by federal, state, or local laws.

This policy applies to all employment practices within our organization, including hiring, recruiting, promotion, termination, layoff, recall, leave of absence, compensation, benefits, training, and apprenticeship. Sage makes hiring decisions based solely on qualifications, merit, and business needs at the time.