Job Specifications
Workstream is a mission-driven company building the all-in-one HR, payroll, and hiring platform for managing the hourly workforce. There are 2.7 billion hourly workers, making up 80% of the global workforce, but this market has been heavily underserved by technology and deserves better. Workstream has been purpose-built for the hourly workforce from day one so that these businesses and their employees can thrive.
Our customers include leading brands from multiple sectors, including Burger King, Carl's Jr./Hardee's, IHOP, KFC, and Culvers. We are a high-growth Series B company and are quickly expanding our product portfolio to deliver on our vision. We are backed by legendary VCs and industry experts such as Founders Fund, BOND, and Coatue.
Grow With Us
We are seeking a Security Engineer who is, at heart, a builder. In this role, you won't just be running scans or writing policies; you will be writing code, fixing vulnerabilities, and architecting secure infrastructure alongside our engineering teams.
You will act as the primary "Blue Team" lead, defending Workstream against threats while collaborating with external Red Team communities to stay sharp. Your scope is holistic: you will cover Application Security, Infrastructure Security, and Corporate Security, ensuring that security is baked into our DNA, not bolted on at the end.
This is a full-time, hybrid role requiring presence 3 days a week in either our San Francisco or Menlo Park office to foster close collaboration with cross-functional teams.
Day in the Life
Application Security (AppSec)
Embed yourself in the software development lifecycle (SDLC). Perform code reviews and architectural analysis for new features in Node.js and Ruby on Rails.
Work side-by-side with software engineers to locate, triage, and fix security vulnerabilities (e.g., XSS, SQLi, IDOR) directly in the codebase.
Build and maintain automated security tooling (SAST/DAST) in our CI/CD pipelines.
Secure AI/ML integrations and APIs, including protection against prompt injection, model poisoning, and data exfiltration through AI interfaces.
Review and secure implementations of large language models (LLMs) and other AI services used in the platform.
Infrastructure & Cloud Security
Harden our cloud infrastructure (AWS/GCP/Azure) using Infrastructure-as-Code (Terraform/CloudFormation).
Design and implement secure networking, IAM policies, and container security (Kubernetes/Docker).
Monitor system logs and alerts to detect and respond to anomalies in real-time.
Blue Teaming & Incident Response
Act as the internal Blue Team lead. Collaborate with external Red Teams and bug bounty researchers to understand the latest attack vectors.
Translate Red Team findings into concrete engineering tasks and defensive measures.
Lead incident response simulations (Tabletops) and actual response efforts during security events.
Corporate Security
Oversee internal company security posture, including endpoint protection, identity management (Okta/SSO), and zero-trust networking access.
Conduct security training for employees to foster a culture of security awareness.
Design security architecture supporting multi-state and multi-jurisdiction data residency requirements.
Collaborate with legal and other teams on data breach notification procedures and requirements across multiple jurisdictions.
Maintain security documentation for SOC 2 Type II audits and other compliance frameworks
Who You Are
Technical Qualifications
Engineering Background: You have a strong background in software engineering. You are comfortable reading and writing production-level code, specifically in Node.js and Ruby on Rails.
Holistic Security Experience: 3+ years of experience covering the "Security Trinity": Software Security, Infrastructure Security, and Corporate/IT Security. Experience in SaaS, fintech, or HR technology environments strongly preferred.
Vulnerability Remediation: Proven track record of not just finding bugs, but working with engineers to solve them. You understand how to implement fixes without breaking functionality.
Cloud Native: Deep experience securing modern cloud environments (AWS preferred) and containerized applications.
HR/Payroll Security Understanding: Familiarity with security challenges specific to HR and payroll systems, including protection of sensitive employee data (PII, SSN, wage information), multi-tenant architecture security, and regulatory compliance requirements for employment data.
AI/ML Security: Understanding of AI security principles including model security, training data protection, prompt injection vulnerabilities, AI-powered threat detection, and emerging AI-specific attack vectors. Familiarity with AI governance frameworks and responsible AI practices.
Collaborative & Mindset
Red Team Aware, Blue Team Focused: You actively follow Red Team communities (CTFs, DEF CON, bug bounties) to understand the attacker mindset, but your passion lies in building the defense (Blue Team) to stop them.
About the Company
Workstream is the modern all-in-one HR and payroll solution built specifically for restaurants, and trusted by 30,000+ locations. 46 of the top 50 quick-service restaurant brands, including Burger King, Jimmy John’s, Taco Bell, and more, rely on Workstream to power their restaurants.