Staff Security Engineer

About Ethos

Ethos was built to make it faster and easier to get life insurance for the next million families. Our approach blends industry expertise technology and the human touch to find you the right policy to protect your loved ones.

We leverage deep technology and data science to streamline the life insurance process making it more accessible and convenient. Using predictive analytics we are able to transform a traditionally multi-week process into a modern digital experience for our users that can take just minutes! Weve issued billions in coverage each month and eliminated the traditional barriers ushering the industry into the modern age. Our full-stack technology platform is the backbone of family financial health.

We make getting life insurance easier faster and better for everyone.

Our investors include General Catalyst Sequoia Capital Accel Partners Google Ventures SoftBank and the investment vehicles of Jay-Z Kevin Durant Robert Downey Jr and others. This year we were named on CB Insights Global Insurtech 50 list and BuiltIns Top 100 Midsize Companies in San Francisco. We are scaling quickly and looking for passionate people to protect the next million families!

About the Role:

Were looking for a Senior Security Engineer with deep technical expertise in application security penetration testing and offensive security practices. You will lead efforts to proactively identify and exploit vulnerabilities across our products and infrastructure working alongside engineering and security teams to design robust defences and build security into everything we deploy.

This is a hands-on technical role with significant influence over the security posture of the company from code to cloud.

Duties and Responsibilities:

Application Security

• Perform code reviews threat modelling and architecture assessments across internal and customer-facing applications.
• Guide engineering teams on secure design patterns libraries and development practices.
• Integrate and maintain security tooling (SAST DAST SCA) into CI/CD pipelines.
• Collaborate with product and engineering teams to remediate identified vulnerabilities and design secure solutions.
  
  

Penetration Testing

• Conduct manual and automated penetration tests against Ethos Web Application APIs infrastructure and cloud environments.
• Simulate attacker behaviors to assess technical weaknesses and business risks.
• Create detailed developer-friendly reports with risk ratings and actionable remediation guidance.
• Re-test findings and validate security fixes in collaboration with product owners.
  
  

Offensive Security

• Plan and execute red team operations simulating advanced persistent threat (APT) scenarios.
• Develop custom tools scripts and exploits to test detection and response capabilities.
• Collaborate to improve detection logging and incident response based on attack insights.
• Contribute to the development of offensive security playbooks and adversary emulation plans.
  
  

Other Responsibilities

• Mentor junior team members and evangelize security best practices across the company.
• Participate in investigations threat hunting and incident response activities; build playbooks for specific incident response scenarios
• Communicate risks to engineering staff through training and technical demonstration of vulnerabilities and secure design patterns
• Support security audits compliance efforts and executive briefings with technical depth.

Qualifications and Skills:

Required:

• 5 years of experience in security engineering penetration testing or offensive security.
• Strong understanding of secure coding principles web security vulnerabilities (e.g. OWASP Top 10) and remediation techniques.
• Proficiency in threat modeling design reviews and security testing of various types of applications technologies and platforms
• Proficient in scripting and development (e.g. Python Bash Go JavaScript).
• Skilled in using tools such as Burp Suite Metasploit Nmap Cobalt Strike or custom tooling.
• Experience with AWS cloud platform and containerized environments (Docker Kubernetes).
• Strong written and verbal communication skills for technical and non-technical audiences.
  
  

Preferred:

• Certifications like OSCP OSWE OSEP GXPN or equivalent.
• Experience with threat modeling methodologies (e.g. STRIDE PASTA).
• Familiarity with MITRE ATT&CK adversary emulation and purple teaming.
• Contributions to security research open-source tools or bug bounty platforms.

Dont meet every single requirement If youre excited about this role but your past experience doesnt align perfectly with every qualification in the job description we encourage you to apply anyway. At Ethos we are dedicated to building a diverse inclusive and authentic workplace.

We are an equal opportunity employer who values diversity and inclusion and look for applicants who understand embrace and thrive in a multicultural world. We do not discriminate on the basis of race religion color national origin gender sexual orientation age marital status veteran status or disability status. Pursuant to the SF Fair Chance Ordinance we will consider employment for qualified applicants with arrests and conviction records.

To learn more about what information we collect and how it may be used please refer to ourCalifornia CandidatePrivacy Notice.