Lead Product Security Engineer

About Aalyria:

Aalyria is a leading technology company that supplies laser communications technology and temporospatial software-defined networking platforms to the aerospace industry. With technology acquired from Google, Aalyria is at the forefront of innovation in satellite and airborne mesh networks, as well as cislunar and deep-space communications. We are revolutionizing the orchestration and management of planetary mesh networks using any radio or optical spectrum, any orbit, and any hardware across land, sea, air, and space.

Role Overview:

You'll be the technical voice of product security across Aalyria, reporting to the Director of Security & IT. You'll own application security, CI/CD and supply-chain security, our Kubernetes-based product infrastructure, product-side authentication and PKI, and you'll partner closely with hardware engineering on Tightbeam.

This is a senior to staff level individual contributor role with room to grow into management as the function scales. We need someone who's genuinely happy in a terminal and equally comfortable leading an architecture review.

Key Responsibilities:

• Application & software security. SAST/DAST/SCA, secure SDLC, threat modeling, and software vulnerability management across our codebase.
• CI/CD and supply-chain security. Hardening our GitLab pipelines, build provenance, dependency integrity, signing, and SLSA-aligned controls.
• Product infrastructure security. GKE and Kubernetes hardening, container security, workload identity, network policy, and runtime protection.
• Product PKI. Certificate lifecycle, issuance, rotation, and mTLS architecture across distributed services and remote assets.
• Vulnerability management. Triage, prioritization, remediation tracking, and exception handling, for both disclosed upstream issues and internal findings.
• Product incident response. Leading triage and response for product-side security incidents, coordinating with corporate IR, and driving post-mortems to action.
• Product infra hardening. Baseline configurations, secure defaults, and compensating controls across product environments.
• Hardware security partnership. Working with the Tightbeam team on firmware security, secure boot, key storage, and hardware supply-chain integrity.

Required Qualifications:

• Senior- or staff-level hands-on experience in product security or security engineering, with significant depth in software/AppSec.
• Production experience securing cloud environments such as IAM, org policy, VPC Service Controls, KMS, and Kubernetes at depth.
• Strong cryptographic foundations, PKI architecture, key management, signing, mTLS, and secrets handling at scale.
• Hands-on coding ability in Python, Bash, and Go, you can write tooling, automate controls, and ship Terraform/scripts when the situation calls for it. Comfort reviewing code is a plus.
• A track record of building security programs, not just operating tools someone else stood up.
• Experience leading product incident response, triage, response, coordination with engineering teams, customer comms, and post-mortem ownership.
• A pattern of mentoring engineers and raising the security bar of teams around you, even without direct reports.
• Experience interfacing with hardware/firmware teams, even if hardware isn't your primary domain.
• Strong written communication, you'll write threat models, design docs, and program updates that go to the executives, customers, and assessors.
• Working knowledge of the compliance frameworks that govern our environment such as CMMC, FedRAMP, and DFARS along with the ability to translate controls into engineering work.

Preferred Qualifications:

• Hands on experience with NIST 800-53, NIST 800-171, or DoD SRG environments.
• Experience with government-cloud platforms.
• Hardware security depth in HSMs, TPMs, secure elements, supply-chain attestation.
• Embedded / firmware security background, secure boot, RoT, OTA update integrity, hands-on firmware review.
• Experience standing up or running a vulnerability disclosure program or bug bounty, triage, researcher comms, and CVE coordination.

What We Offer:

• Innovative Environment: Work at a cutting-edge company shaping the future of aerospace communications.
• Impactful Work: Directly contribute to critical national security programs and initiatives.
• Growth Opportunities: Expand your career with opportunities for professional development and advancement.
• Inclusive Culture: Be part of a collaborative, supportive, and inclusive workplace where your contributions matter.
• Flexibility: Flexible working arrangements including hybrid remote/in-office schedules.
• Compensation and Equity: Competitive salary, comprehensive benefits (401(k), dental, vision, health, life insurance), paid time off, and equity options.

ITAR/EAR Requirements:

This position involves access to export-controlled information. To comply with U.S. government export regulations, applicants must meet one of the following criteria:

(A) Qualify as a U.S. person, which includes:

• U.S. citizen or national
• U.S. lawful permanent resident (green card holder)
• Refugee under 8 U.S.C. 1157
• Asylee under 8 U.S.C. 1158

(B) Be eligible to access export-controlled information without requiring an export authorization.

(C) Be eligible and reasonably likely to obtain the necessary export authorization from the appropriate U.S. government agency.

The company reserves the right to decline pursuing an export licensing process for legitimate business-related reasons.

Equal Opportunity Employer Statement:

Aalyria is an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. We do not discriminate based on race, color, religion, sex (including pregnancy, gender identity, and sexual orientation), national origin, age, disability status, genetic information, protected veteran status, or any other characteristic protected by law. Qualified applicants from all backgrounds are encouraged to apply.