Staff Security Engineer - Product Security jobs in United States

Zipline · 7 hours ago

Staff Security Engineer - Product Security

Zipline is at the forefront of a logistics revolution, delivering critical medical supplies using autonomous drones. The Staff Security Engineer will own security outcomes for Zipline's application and cloud ecosystem, partnering with engineering teams to enhance secure architecture and improve cloud security posture.

Tags: Delivery Drones, Electric Vehicle, Home Health Care, Logistics, Robotics, Supply Chain Management

H1B Sponsor Likely

Responsibilities

Own security outcomes for critical parts of Zipline’s application and cloud ecosystem (not by writing policy docs that no one reads, but by shipping controls and enabling teams)
Partner with engineering teams on secure architecture, threat modeling, and design reviews for services that must be correct, reliable, and defensible under real-world operational pressure
Help us build and scale a pragmatic secure SDLC – CI/CD hardening, dependency/supply-chain controls, secrets management, and code review patterns that don’t slow teams down
Improve cloud security posture end-to-end: IAM and least privilege, network/service-to-service trust, key management, logging/telemetry, runtime detection, and incident-ready auditability
Drive vulnerability management that actually closes risk: triage, exploitability analysis, remediation partnerships, and verification
Help build and exercise incident response: playbooks, tabletop exercises, logging requirements, and 'know it happened / know what changed' operational discipline
Support data classification and access control models aligned to how Zipline operates (including partner/customer interfaces and global operations)
Support external penetration tests and turn results into durable improvements, not whack‑a‑mole patches
Contribute to security compliance efforts (e.g., SOC 2 / ISO 27001) in a way that strengthens engineering
Secure AI-assisted and agentic engineering workflows (this is explicitly part of the job):
    - Define safe patterns for copilots/LLM tools used in development and ops
    - Implement guardrails for sensitive data exposure and output handling
    - Prevent 'agentic overreach' (over-privileged tools, unsafe tool-calling, silent action-taking)
    - Build monitoring/auditing around AI tool use where it matters

Qualifications

Skills: Security engineering, Cloud security, Python, Microservice architecture, CI/CD hardening, Incident response, Vulnerability management, Skeptical mindset, Security compliance, AI security patterns, Technical leadership

Required

8+ years of experience designing, building, and operating security controls for large-scale production systems (application, cloud, and infrastructure security)
Strong security engineering chops with evidence you can reduce risk in production systems (not just talk about it)
Hands-on ability to write and ship code/tools in Python, Go, or similar (you're expected to build, not just review)
Practical experience securing microservice architectures and modern cloud stacks (containers/Kubernetes, IAM, CI/CD, secrets, logging)
Comfort operating as a technical leader without authority: you can persuade, teach, and unblock - not police
A skeptical mindset: you naturally ask 'what's the failure mode?' and 'how will this be abused?' before shipping changes
Familiarity with the security failure modes of LLM-enabled systems (or the willingness to learn fast), including risks called out by OWASP such as prompt injection, insecure output handling, insecure plugin design, and excessive agency

Preferred

Experience spanning multiple engineering domains (web app + cloud infra + embedded/robotics/autonomy)
Experience building developer-friendly security platforms (internal libraries, paved roads, CI integrations, Public Key Infrastructure)
Track record of being an effective security 'evangelist' (i.e., enabling good behavior with good tools and defaults, not fear)
Experience designing guardrails for internal AI/agent usage (policy + technical controls + auditing), especially in environments where safety and reliability are non-negotiable
Deep understanding of distributed systems and how failures actually happen (partial outages, weird retries, cascading dependencies, misconfigurations, permissions drift)

Benefits

Equity compensation
Overtime pay
Discretionary annual or performance bonuses
Sales incentives
Benefits such as medical, dental and vision insurance
Paid time off

Company

Zipline designs, manufactures, and operates drones to deliver vital medical products.

H1B Sponsorship

Zipline has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. Below presents additional info for your reference. (Data Powered by US Department of Labor)
[Chart: Distribution of Different Job Fields Receiving Sponsorship (highlighting job fields similar to this job)]

Trends of Total Sponsorships (by year):
2025: 54
2024: 39
2023: 29
2022: 20
2021: 16
2020: 3

Funding

Current Stage: Late Stage
Total Funding: $1.92B
Key Investors: Tiger Global Management, U.S. Department of State, Scottish Mortgage Investment Trust

Funding rounds:
2026-01-21 · Series Unknown · $600M
2025-11-25 · Grant · $150M
2024-06-01 · Series G · $350M

Leadership Team

Keller Rinaudo Cliffton, Co-founder & CEO
Keenan Wyrobek, Founder, CTO and Product Architect
Company data provided by crunchbase