Information Security Engineer

We are hiring an Information Security Engineer to be the first dedicated security engineer at Workstream. This is a hands-on, builder-oriented role focused primarily on application and product security, with ownership of our security posture as the company scales.

This role is not about writing policies or running tools in isolation. You will work directly with our product and platform engineers to identify risks, fix vulnerabilities, and build secure-by-default patterns that allow teams to move fast without compromising safety.

This is a full-time, hybrid role requiring presence three days per week in our San Francisco or Menlo Park office.

• Work side-by-side with software engineers to locate, triage, and fix security issues directly in the codebase, including authorization flaws, multi-tenant isolation bugs, sensitive data exposure, and business logic vulnerabilities.
• Review and provide security input on designs, APIs, and changes involving authentication, authorization, and sensitive employee data.
• Threat-model critical (“Tier-1”) APIs and workflows and help teams design safer defaults.
• Build practical guardrails and reference implementations that can be reused across teams.

• Build practical guardrails and reference implementations that can be reused across teams.
• Act as the primary Blue Team owner, coordinating external security testing and responsible disclosure.
• Translate findings into concrete engineering work and drive remediation through to verification.
• Help define and mature incident response processes and participate in real incidents when they occur.
• Establish a clear baseline of Workstream’s security posture and propose a prioritized roadmap for improvement.

• Own and maintain SOC 2 readiness, focusing on making renewals more predictable and less disruptive.
• Partner with engineering and legal teams on privacy-related workflows, including data access and deletion.
• Ensure compliance supports product development rather than slowing it down.

• Own and maintain SOC 2 readiness, focusing on making renewals more predictable and less disruptive.
• Partner with engineering and legal teams on privacy-related workflows, including data access and deletion.
• Ensure compliance supports product development rather than slowing it down.

• Strong software engineering background with the ability to read and write production-level code.
• Hands-on experience securing real systems, not just writing policies or reports.
• Comfortable auditing Node.js and Ruby on Rails codebases.
• Experience working in SaaS environments with enterprise customers and sensitive data.
• A pragmatic, collaborative mindset: you believe security should enable innovation, not block it.
• Able to communicate risk clearly to engineers and non-technical stakeholders.

• Experience owning security end-to-end at a startup or mid-stage company.
• Exposure to bug bounty programs or external security testing.
• Experience with SOC 2 or similar compliance frameworks.
• Familiarity with securing multi-tenant SaaS platforms.
• Be comfortable operating with broad ownership, ambiguity, and limited specialization.