Senior Full-Stack Security/GRC Platform Engineer

Guidehouse


Job Location:

Murray, UT - USA

Monthly Salary: $86500 - $129900
Posted on: 19 hours ago
Vacancies: 1 Vacancy

Job Summary

Job Family:

Cyber Engineering (CYS)


Travel Required:

Up to 10%


Clearance Required:

None

What You Will Do:

We are hiring a senior engineer to maintain and extend a large full-stack Governance, Risk, and Compliance platform. The product is not a simple scanner wrapper. The current codebase includes a substantial FastAPI backend, a React/TypeScript frontend, a PostgreSQL data model, an async worker system, scanner integrations, an AI provider abstraction, a compliance framework catalog, audit/reporting workflows, and local/cloud deployment infrastructure.
The ideal candidate can work confidently across backend services, frontend workflows, database migrations, security controls, AI-assisted analysis, scanner ingestion, and production operations.

  • Maintain and extend a FastAPI backend with hundreds of registered API routes.
  • Build and refine React/TypeScript product workflows across a large frontend surface.
  • Design and maintain SQLAlchemy models, Alembic migrations, PostgreSQL queries, and data integrity rules.
  • Support scanner integrations, finding normalization, deduplication, evidence workflows, and compliance mapping.
  • Maintain AI-assisted features through a centralized provider abstraction rather than direct calls to providers.
  • Work across GRC workflows including findings, evidence, SSPs, POA&Ms, RMF, FedRAMP/FISMA, SCRM, ZTA, ISCM, risk acceptance, and reporting.
  • Keep local development and test environments healthy using Docker Compose, Redis, PostgreSQL, worker queues, Ollama, observability services, and frontend tooling.
  • Maintain quality gates including linting, type checking, OpenAPI drift checks, migration safety, SDK drift, architecture boundaries, and test suites.
  • Debug issues across frontend state, API contracts, database state, workers, scanner output, generated SDKs, and deployment configuration.
  • Treat documentation as helpful but secondary to the codebase; validate assumptions against source, tests, migrations, and running behavior.

What You Will Need:

  • Minimum of six (6) years of experience with Python backend development.
  • Strong FastAPI, Pydantic, SQLAlchemy, Alembic, async Python, and pytest experience.
  • Strong React, TypeScript, Vite, React Router, React Query, and component architecture experience.
  • PostgreSQL experience including schema design, migrations, indexes, JSON/JSONB, and relational integrity.
  • Experience maintaining large API surfaces and generated frontend API clients.
  • Experience with background jobs or async workers using Redis-backed queues.
  • Strong security engineering fundamentals: authentication, authorization, RBAC, audit logs, secret handling, dependency risk, and input validation.
  • Ability to diagnose source-of-truth issues when documentation, generated code, database schema, and runtime behavior disagree.

Security/GRC Domain Skills To Include

  • Vulnerability findings and remediation workflows.
  • Evidence collection and evidence sufficiency.
  • SSPs, POA&Ms, control mappings, audit packages, and risk acceptance.
  • NIST 800-53, RMF, FedRAMP/FISMA, CMMC, SCRM, ZTA, ISCM, and related compliance concepts.
  • Scanner output from tools such as cloud security scanners, vulnerability scanners, SAST/IaC tools, secret scanners, identity/M365 scanners, and web security scanners.
  • Provenance, auditability, and defensibility requirements for regulated workflows.

AI/LLM Product Skills To Include

  • Experience building AI-assisted product features, preferably in security, compliance, document review, or workflow automation.
  • Understanding of RAG, embeddings, document extraction, prompt/context design, and evidence citation.
  • Ability to enforce scoped context, provenance guardrails, and human-review boundaries.
  • Comfort maintaining provider abstractions across local and cloud AI providers.

Infrastructure And Operations Skills To Include

  • Docker Compose for local development.
  • AWS-style production operations: containers, managed databases, caches, object storage, CDN, IAM, logs, and deployment pipelines.
  • Terraform or similar infrastructure-as-code experience.
  • CI/CD debugging and release discipline.
  • Observability, logs, health checks, and operational runbooks.


What Would Be Nice To Have:

  • Prior experience with GRC audit automation, security consulting tools, vulnerability management, FedRAMP/FISMA, or SSP/POA&M workflows.
  • Experience with generated OpenAPI SDKs.
  • Experience producing PDF, Excel, DOCX, PowerPoint, or audit package exports.
  • Experience with immutable audit logs, provenance chains, multi-tenant permissions, or evidence workflows.

The annual salary range for this position is $86500.00-$129900.00. Compensation decisions depend on a wide range of factors, including but not limited to skill sets, experience and training, security clearances, licensure and certifications, and other business and organizational needs.


What We Offer:

Guidehouse offers a comprehensive total rewards package that includes competitive compensation and a flexible benefits package that reflects our commitment to creating a diverse and supportive workplace.

Benefits include:

  • Medical, Rx, Dental & Vision Insurance

  • Personal and Family Sick Time & Company Paid Holidays

  • Parental Leave

  • 401(k) Retirement Plan

  • Group Term Life and Travel Assistance

  • Voluntary Life and AD&D Insurance

  • Health Savings Account, Health Care & Dependent Care Flexible Spending Accounts

  • Transit and Parking Commuter Benefits

  • Short-Term & Long-Term Disability

  • Tuition Reimbursement, Personal Development, Certifications & Learning Opportunities

  • Employee Referral Program

  • Corporate Sponsored Events & Community Outreach

  • annual membership

  • Employee Assistance Program

  • Supplemental Benefits via Corestream (Critical Care, Hospital Indemnity, Accident Insurance, Legal Assistance, ID theft protection, etc.)

  • Position may be eligible for a discretionary variable incentive bonus

About Guidehouse

Guidehouse is an Equal Opportunity Employer: Protected Veterans, Individuals with Disabilities, or any other basis protected by law, ordinance, or regulation.

Guidehouse will consider for employment qualified applicants with criminal histories in a manner consistent with the requirements of applicable law or ordinance, including the Fair Chance Ordinance of Los Angeles and San Francisco.

If you have visited our website for information about employment opportunities or to apply for a position and you require an accommodation, please contact Guidehouse Recruiting at 1- or via email at . All information you provide will be kept confidential and will be used only to the extent required to provide needed reasonable accommodation.

All communication regarding recruitment for a Guidehouse position will be sent from Guidehouse email domains, including @ or . Correspondence received by an applicant from any other domain should be considered unauthorized and will not be honored by Guidehouse. Note that Guidehouse will never charge a fee or require a money transfer at any stage of the recruitment process, and does not collect fees from educational institutions for participation in a recruitment event. Never provide your banking information to a third party purporting to need that information to proceed in the hiring process.

If any person or organization demands money related to a job opportunity with Guidehouse, please report the matter to Guidehouse's Ethics Hotline. If you want to check the validity of correspondence you have received, please contact . Guidehouse is not responsible for losses incurred (monetary or otherwise) from an applicant's dealings with unauthorized third parties.

Guidehouse does not accept unsolicited resumes through or from search firms or staffing agencies. All unsolicited resumes will be considered the property of Guidehouse and Guidehouse will not be obligated to pay a placement fee.


Required Experience:

Senior IC


About Company


Guidehouse is the only scaled advisory consultancy in the world to fully integrate commercial and public or government businesses within each of our industry segments because complex problems require both perspectives to address and outwit.
