Save Job
Posted 18h ago

Lead Security Engineer

@ Circles
United States
RemoteFull Time
Responsibilities:securing architecture, conducting testing, automating security
Requirements Summary:10-12 years in application/security engineering, hands-on threat modeling, pen testing, SAST/DAST/SCA, SOC/incident response, DevSecOps, Python scripting; proficiency with cloud and container security and familiarity with AI/LLM vulnerabilities.
Technical Tools Mentioned:Splunk, Sentinel, XSOAR, Kubernetes, Python, Java, Go
Job Description

Founded in 2014, Circles is a global technology company reimagining the telco industry with its innovative SaaS platform, empowering telco operators worldwide to effortlessly launch innovative digital brands or refresh existing ones, accelerating their transformation into techcos.

Today, Circles partners with leading telco operators across multiple countries and continents, including KDDI Corporation, Etisalat Group (e&), AT&T, and Telkomsel, creating blueprints for future telco and digital experiences enjoyed by millions of consumers globally.

Besides its SaaS business, Circles operates three other distinct businesses:

  • Circles.Life: A wholly-owned digital lifestyle telco brand based in Singapore, Circles.Life is powered by Circles’ SaaS platform and pioneering go-to-market strategies. It is the digital market leader in Singapore and has won numerous awards for marketing, customer service, and innovative product offerings beyond connectivity.

  • Circles Aspire: A global provider of Communications Platform-as-a-Service (CPaaS) solutions. Its cloud-based Experience Cloud platform enables enterprises, service providers and developers to deliver and scale mobile, messaging, IoT, and connectivity services worldwide.

  • Jetpac: Specializing in travel tech solutions, Jetpac provides seamless eSIM roaming for over 200 destinations and innovative travel lifestyle products, redefining connectivity for digital travelers. Jetpac was awarded Travel eSIM of the Year.

Circles is backed by renowned global investors, including Peak XV Partners (formerly Sequoia), Warburg Pincus, Founders Fund, and EDBI (the investment arm of the Singapore Economic Development Board), with a track record of backing industry challengers.

Role - Lead Security Engineer

Department: Information Security

Reports To: Head of Security Engineering

Experience: - 10-12 Years

Type: Individual Contributor (IC)

Standard Job Title - Staff Engineer, Security Engineering

Role Summary

We're looking for a hands-on Lead Security Engineer to strengthen our security posture across applications, APIs, cloud infrastructure, and engineering platforms. This IC role owns secure architecture, application security, penetration testing, SOC incident response, and security automation — partnering closely with Engineering, DevOps, and Product to embed security throughout the SDLC rather than bolt it on at the end.

Key Responsibilities

Secure Architecture & Threat Modeling

  • Lead threat modeling (STRIDE, PASTA, or equivalent) for new applications, features, and major platform changes

  • Conduct security architecture reviews for applications, APIs, cloud infrastructure, and third-party services before go-live

  • Define secure design patterns and reference architectures; provide hands-on security guidance at every stage of the SDLC, not just at release gates

Application & API Security

  • Own the Application Security program end-to-end: SAST, DAST, SCA, and API security testing — tool selection, policy tuning, and triage workflows

  • Integrate security testing natively into CI/CD pipelines and DevSecOps workflows so findings surface before merge, not after deploy

  • Assess REST and GraphQL APIs against the OWASP API Security Top 10 (broken object/function-level authorization, excessive data exposure, rate limiting, business logic abuse)

  • Partner with engineering leads to prioritize findings by exploitability and business impact, and drive remediation within agreed SLAs

Penetration Testing & Vulnerability Management

  • Plan and execute internal penetration tests across web applications, APIs, cloud, and infrastructure; scope and oversee external pen test engagements

  • Manually validate findings to separate real risk from noise before they reach engineering backlogs

  • Own the vulnerability management lifecycle — from discovery through remediation to verified closure — and continuously tighten SLAs as maturity improves

SOC & Security Operations

  • Serve as a technical escalation point for security incidents; lead or support incident response — triage, containment, root cause analysis, and post-incident reviews

  • Improve detection and response capability through SIEM/SOAR rule tuning, informed directly by incident and threat intelligence learnings

  • Close the loop between offensive findings (pen test, threat model) and detective controls (SIEM/SOAR), so known risks are also monitored, not just documented

Security Automation

  • Build automation in Python (or equivalent) for security scanning, findings de-duplication, ticketing, and reporting workflows

  • Integrate security tooling across CI/CD and SOC operations to eliminate repetitive manual work and shorten detection-to-remediation time

  • Treat automation as a core deliverable, not a side project — every recurring manual security task is a candidate for a pipeline

Required Qualifications

  • 10-12 years of hands-on experience in Application Security and Security Engineering

  • Demonstrated, hands-on strength in:

    • Threat modeling and secure architecture review

    • Microservice architecture

    • Penetration testing[Web, API, Mobile] and vulnerability management

    • SAST, DAST, SCA, Containers, IaC including container/Kubernetes workload security..

    • Software supply-chain security 

    • SOC operations and incident response

    • DevSecOps and CI/CD security integration

    • Python (or equivalent) scripting for security automation

  • Solid working knowledge of the OWASP Top 10, OWASP API Security Top 10, secure coding practices, and cloud security fundamentals

  • Capability to identify AI-specific vulnerabilities such as prompt injection, data poisoning, system prompt leakage, and insecure output handling.

  • Ability to read and understand code to identify vulnerabilities; proficiency in Java or Go (Golang) is a strong plus.

  • Strong communicator, able to influence engineering teams on remediation priority and translate technical risk into terms executives act on

Preferred Qualifications

  • Certifications: OSCP, OSWE, GWAPT, GPEN, CISSP, or equivalent

  • Experience securing AWS, Azure, or GCP environments, and Kubernetes/container workloads

  • Hands-on experience with SIEM/SOAR platforms (e.g., Splunk, Sentinel, XSOAR, or similar)

  • Familiarity with security maturity frameworks: OWASP SAMM, BSIMM, or NIST CSF

  • Exposure to securing AI/LLM implementations

Circles is committed to a diverse and inclusive workplace. We are an equal opportunity employer and do not discriminate on the basis of race, national origin, gender, disability or age.

Data Protection and Privacy Statement 

By submitting an application for this position, you, as the applicant, or your authorised representative(s), consent to Circles’ Candidate Data Protection and Privacy Policy. You also agree to the collection, use, and/or disclosure of your personal data by us solely for recruitment purposes as specified in the Policy. You acknowledge that you have read and understood the Policy, are aware of your rights regarding your personal data, and accept the terms relating to international data transfers, where applicable. You further understand that you may withdraw consent at any time, which may affect our ability to consider your application. In instances where your personal data or application is submitted by a third party, it is understood that such third party has been duly authorised by you to disclose the relevant personal data and provide consent on your behalf, and that you have been made aware of this Policy.

To all recruitment agencies: Circles will only acknowledge resumes shared by recruitment agencies if selected in our preferred supplier partnership program.

Please do not forward resumes to our jobs alias, Circles, employees or any other company location. Circles will not be held accountable for any fees related to unsolicited resumes not uploaded via our ATS.