Founded in 2014, Circles is a global technology company reimagining the telco industry with its innovative SaaS platform, empowering telco operators worldwide to effortlessly launch innovative digital brands or refresh existing ones, accelerating their transformation into techcos.
Today, Circles partners with leading telco operators across multiple countries and continents, including KDDI Corporation, Etisalat Group (e&), AT&T, and Telkomsel, creating blueprints for future telco and digital experiences enjoyed by millions of consumers globally.
Besides its SaaS business, Circles operates three other distinct businesses:
- Circles.Life: A wholly-owned digital lifestyle telco brand based in Singapore, Circles.Life is powered by Circles’ SaaS platform and pioneering go-to-market strategies. It is the digital market leader in Singapore and has won numerous awards for marketing, customer service, and innovative product offerings beyond connectivity.
- Circles Aspire: A global provider of Communications Platform-as-a-Service (CPaaS) solutions. Its cloud-based Experience Cloud platform enables enterprises, service providers and developers to deliver and scale mobile, messaging, IoT, and connectivity services worldwide.
- Jetpac: Specializing in travel tech solutions, Jetpac provides seamless eSIM roaming for over 200 destinations and innovative travel lifestyle products, redefining connectivity for digital travelers. Jetpac was awarded Travel eSIM of the Year.
Circles is backed by renowned global investors, including Peak XV Partners (formerly Sequoia), Warburg Pincus, Founders Fund, and EDBI (the investment arm of the Singapore Economic Development Board), with a track record of backing industry challengers.
Role - Lead Security Engineer
Department: Information Security
Reports To: Head of Security Engineering
Experience: - 10-12 Years
Type: Individual Contributor (IC)
Standard Job Title - Staff Engineer, Security Engineering
Role Summary
We're looking for a hands-on Lead Security Engineer to strengthen our security posture across applications, APIs, cloud infrastructure, and engineering platforms. This IC role owns secure architecture, application security, penetration testing, SOC incident response, and security automation — partnering closely with Engineering, DevOps, and Product to embed security throughout the SDLC rather than bolt it on at the end.
Key Responsibilities
Secure Architecture & Threat Modeling
Lead threat modeling (STRIDE, PASTA, or equivalent) for new applications, features, and major platform changes
Conduct security architecture reviews for applications, APIs, cloud infrastructure, and third-party services before go-live
Define secure design patterns and reference architectures; provide hands-on security guidance at every stage of the SDLC, not just at release gates
Application & API Security
Own the Application Security program end-to-end: SAST, DAST, SCA, and API security testing — tool selection, policy tuning, and triage workflows
Integrate security testing natively into CI/CD pipelines and DevSecOps workflows so findings surface before merge, not after deploy
Assess REST and GraphQL APIs against the OWASP API Security Top 10 (broken object/function-level authorization, excessive data exposure, rate limiting, business logic abuse)
Partner with engineering leads to prioritize findings by exploitability and business impact, and drive remediation within agreed SLAs
Penetration Testing & Vulnerability Management
Plan and execute internal penetration tests across web applications, APIs, cloud, and infrastructure; scope and oversee external pen test engagements
Manually validate findings to separate real risk from noise before they reach engineering backlogs
Own the vulnerability management lifecycle — from discovery through remediation to verified closure — and continuously tighten SLAs as maturity improves
SOC & Security Operations
Serve as a technical escalation point for security incidents; lead or support incident response — triage, containment, root cause analysis, and post-incident reviews
Improve detection and response capability through SIEM/SOAR rule tuning, informed directly by incident and threat intelligence learnings
Close the loop between offensive findings (pen test, threat model) and detective controls (SIEM/SOAR), so known risks are also monitored, not just documented
Security Automation
Build automation in Python (or equivalent) for security scanning, findings de-duplication, ticketing, and reporting workflows
Integrate security tooling across CI/CD and SOC operations to eliminate repetitive manual work and shorten detection-to-remediation time
Treat automation as a core deliverable, not a side project — every recurring manual security task is a candidate for a pipeline
Required Qualifications
10-12 years of hands-on experience in Application Security and Security Engineering
Demonstrated, hands-on strength in:
Threat modeling and secure architecture review
Microservice architecture
Penetration testing[Web, API, Mobile] and vulnerability management
SAST, DAST, SCA, Containers, IaC including container/Kubernetes workload security..
Software supply-chain security
SOC operations and incident response
DevSecOps and CI/CD security integration
Python (or equivalent) scripting for security automation
Solid working knowledge of the OWASP Top 10, OWASP API Security Top 10, secure coding practices, and cloud security fundamentals
Capability to identify AI-specific vulnerabilities such as prompt injection, data poisoning, system prompt leakage, and insecure output handling.
Ability to read and understand code to identify vulnerabilities; proficiency in Java or Go (Golang) is a strong plus.
Strong communicator, able to influence engineering teams on remediation priority and translate technical risk into terms executives act on
Preferred Qualifications
Certifications: OSCP, OSWE, GWAPT, GPEN, CISSP, or equivalent
Experience securing AWS, Azure, or GCP environments, and Kubernetes/container workloads
Hands-on experience with SIEM/SOAR platforms (e.g., Splunk, Sentinel, XSOAR, or similar)
Familiarity with security maturity frameworks: OWASP SAMM, BSIMM, or NIST CSF
Exposure to securing AI/LLM implementations
Circles is committed to a diverse and inclusive workplace. We are an equal opportunity employer and do not discriminate on the basis of race, national origin, gender, disability or age.
Data Protection and Privacy Statement
By submitting an application for this position, you, as the applicant, or your authorised representative(s), consent to Circles’ Candidate Data Protection and Privacy Policy. You also agree to the collection, use, and/or disclosure of your personal data by us solely for recruitment purposes as specified in the Policy. You acknowledge that you have read and understood the Policy, are aware of your rights regarding your personal data, and accept the terms relating to international data transfers, where applicable. You further understand that you may withdraw consent at any time, which may affect our ability to consider your application. In instances where your personal data or application is submitted by a third party, it is understood that such third party has been duly authorised by you to disclose the relevant personal data and provide consent on your behalf, and that you have been made aware of this Policy.
To all recruitment agencies: Circles will only acknowledge resumes shared by recruitment agencies if selected in our preferred supplier partnership program.
Please do not forward resumes to our jobs alias, Circles, employees or any other company location. Circles will not be held accountable for any fees related to unsolicited resumes not uploaded via our ATS.