11 days ago

Staff Security Engineer - Product Security

Zipline

On Site
Full Time
$260,000
South San Francisco, CA

Job Overview

Job Title: Staff Security Engineer - Product Security
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: $260,000
Location: South San Francisco, CA


Job Description

About Zipline

Zipline is at the forefront of a logistics revolution, designing, manufacturing, and operating its own fleet of autonomous drones and ground-based equipment. This technology delivers critical and lifesaving medicine to thousands of hospitals, serving millions across multiple continents. Our mission is to provide every human on Earth with instant access to vital medical supplies. Join Zipline to help make this a reality for billions of people.

About You And The Role

Zipline builds and operates delivery drone fleets to get medicine to those who need it, fast, regardless of where they live. The software team is developing scalable solutions to facilitate rapid expansion and empower world-class distribution centers to serve customers efficiently. Zipline’s security challenges extend beyond typical 'website got pwned' issues, encompassing real-world autonomy, robotics, global operations, cloud software, and regulated/health-adjacent workflows. You will partner deeply with software, infrastructure, and (where relevant) embedded/autonomy teams to reduce real risk in complex systems with a large attack surface.

The ideal candidate thrives in startup environments, is versatile, and collaborates across engineering disciplines. You’ll join a small, high-ownership security team with significant influence over Zipline's scaling strategies.

A note on our modern reality and agentic tooling:

Engineering teams are increasingly adopting LLM copilots and agentic tools for speed. This is valuable until an 'assistant' becomes an unmonitored automation path to secrets, sensitive data, or privileged actions. Industry guidance, such as the NIST AI Risk Management Framework (including a generative AI profile) and the OWASP Top 10 for LLM Applications, explicitly addresses risks like prompt injection, insecure plugin design, and excessive agency.

In this Staff Security Engineer - Product Security role, you’ll help Zipline safely leverage these tools while containing them to prevent them from quietly 'rewriting the threat model'.

This is a hybrid onsite role, requiring frequent in-person conversations at our HQ in South San Francisco.

What You’ll Do

  • Own security outcomes for critical parts of Zipline’s application and cloud ecosystem by shipping controls and enabling teams.
  • Partner with engineering teams on secure architecture, threat modeling, and design reviews for services requiring correctness, reliability, and defensibility under real-world operational pressure.
  • Help build and scale a pragmatic secure SDLC, including CI/CD hardening, dependency/supply-chain controls, secrets management, and efficient code review patterns.
  • Improve cloud security posture end-to-end: IAM and least privilege, network/service-to-service trust, key management, logging/telemetry, runtime detection, and incident-ready auditability.
  • Drive vulnerability management that effectively closes risk through triage, exploitability analysis, remediation partnerships, and verification.
  • Help build and exercise incident response with playbooks, tabletop exercises, logging requirements, and operational discipline.
  • Support data classification and access control models aligned with Zipline's operations, including partner/customer interfaces and global operations.
  • Support external penetration tests and translate results into durable improvements.
  • Contribute to security compliance efforts (e.g., SOC 2 / ISO 27001) in a way that strengthens engineering.
  • Secure AI-assisted and agentic engineering workflows: define safe patterns for copilots/LLM tools, implement guardrails for sensitive data exposure, prevent 'agentic overreach', and build monitoring/auditing around AI tool use.

What You’ll Bring

  • 8+ years of experience designing, building, and operating security controls for large-scale production systems (application, cloud, and infrastructure security).
  • Strong security engineering skills with a proven ability to reduce risk in production systems.
  • Hands-on ability to write and ship code/tools in Python, Go, or similar.
  • Practical experience securing microservice architectures and modern cloud stacks (containers/Kubernetes, IAM, CI/CD, secrets, logging).
  • Comfort operating as a technical leader without authority: able to persuade, teach, and unblock.
  • A skeptical mindset that naturally asks 'what’s the failure mode?' and 'how will this be abused?'.
  • Familiarity with the security failure modes of LLM-enabled systems (or a willingness to learn fast), including OWASP risks like prompt injection and insecure output handling.

NICE TO HAVES

  • Experience spanning multiple engineering domains (web app + cloud infra + embedded/robotics/autonomy).
  • Experience building developer-friendly security platforms (internal libraries, paved roads, CI integrations, Public Key Infrastructure).
  • Track record of being an effective security 'evangelist' (enabling good behavior with good tools and defaults).
  • Experience designing guardrails for internal AI/agent usage (policy + technical controls + auditing) in safety and reliability-critical environments.
  • Deep understanding of distributed systems and how failures actually happen.

What Else You Need To Know

This will be an in-office or hybrid role based out of our South San Francisco HQ. The starting cash range for this role is $230,000 - $275,000; please note that this is a target starting cash range for a candidate who meets the minimum qualifications for this role. We are always open to negotiation. The final cash pay for this role will depend on a variety of factors, including a specific candidate's experience, qualifications, skills, working location, and projected impact. The total compensation package for this role may also include: equity compensation; overtime pay; discretionary annual or performance bonuses; sales incentives; benefits such as medical, dental and vision insurance; paid time off; and more.

Zipline is an equal opportunity employer and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws or our own sensibilities.

We value diversity at Zipline and welcome applications from those who are traditionally underrepresented in tech. If you like the sound of this position but are not sure if you are the perfect fit, please apply.

Key skills/competency

  • Product Security
  • Cloud Security
  • Application Security
  • Threat Modeling
  • Secure SDLC
  • Vulnerability Management
  • Incident Response
  • IAM
  • AI Security
  • Robotics Security

Tags:

Security Engineer
Product Security
Cloud Security
Application Security
Threat Modeling
Secure SDLC
Vulnerability Management
Incident Response
AI Security
Robotics Security
Python
Go
Kubernetes
Microservices
CI/CD
AWS
IAM
Secrets Management
Telemetry
LLM Security


How to Get Hired at Zipline

  • Research Zipline's mission: Study their innovative logistics, values, recent news, and employee testimonials on LinkedIn and Glassdoor to understand their unique impact.
  • Tailor your resume: Customize your experience to highlight strong security engineering chops, especially in autonomy, cloud, and AI-enabled systems, for Zipline's specific challenges.
  • Showcase practical risk reduction: Provide concrete examples of how you've designed, built, and operated security controls that demonstrably reduced risk in production systems.
  • Prepare for technical depth: Expect in-depth discussions on secure SDLC, cloud security posture management, IAM, Kubernetes, and the OWASP Top 10 for LLM Applications.
  • Demonstrate collaborative leadership: Be ready to discuss how you've influenced, taught, and unblocked cross-functional engineering teams to adopt secure practices without formal authority.
