Security, Remote US Posted Apr 28, 2026

Staff Security Engineer, Federal.

FedRAMP, FISMA, IL5-adjacent. You can write threat models and the OPA policies that enforce them. You want to do federal work without becoming a binder factory.

About the role

You'll be the second senior security engineer on the federal practice. Most of your time goes to one anchor federal cloud program; the rest is on the open-source toolkit (secret scanning, SOC monitor, control automation) and on commercial security work for our regulated-fintech clients.

This is engineering, not advisory. You'll write the controls and the Terraform that enforces them. We will not ask you to maintain a Word document of evidence.

What you'll do

  • Map NIST 800-53, 800-171, and CIS controls to running infrastructure. Where the mapping is hand-wavy, write the IaC that closes the gap.
  • Lead threat modeling for new client systems. STRIDE or LINDDUN, your choice; the artifact has to be queryable.
  • Improve the open-source secret-scanning and SOC-monitor projects. Triage CVEs, ship patches.
  • Run security reviews of platform and software work. Block bad designs early, not at the audit.
  • Drive incident response for security events. Postmortems with named action items.

Who you are

  • 7+ years in security engineering, including time on a regulated workload (FedRAMP, IL4 or IL5, PCI, HIPAA).
  • Comfortable in Python or Go and at least one IaC tool (Terraform preferred).
  • Fluent in cloud security primitives: IAM, KMS, network segmentation, secret management, audit logging.
  • You can read 800-53 controls and translate them to Terraform without flinching.
  • US-based, eligible to work without sponsorship. Active or eligible for clearance preferred.

Bonus, not required

  • Experience with FedRAMP 3PAO or sponsor-side audits.
  • OPA, Conftest, or Kyverno policy authoring at scale.
  • SBOM, image signing (Sigstore, Cosign), or supply-chain attestation work.
  • You've written publicly about security engineering. Even a single good post counts.

Interview process

  1. Application, resume + GitHub + paragraph. ~10 minutes for you, 30 for us.
  2. Engineering chat, 60 min, paired on a real threat-model walkthrough.
  3. Take-home, paid, ~6 hours, on our public security toolkit. You submit a PR.
  4. Team day, 4 hours: design review, control-mapping exercise, peer Q&A.
  5. Offer, within 48 hours of team day.

We pay for step 3 at $175/hr. If you turn down the offer, you keep the work and the payment.

Compensation & benefits

Salary band $210,000 to $260,000, plus 0.10 to 0.20% equity. We share comp ranges in the job ad because making you guess is an asshole move.

  • Platinum medical, dental, vision, 100% premium covered for you
  • 5 weeks PTO, 13 federal holidays, end-of-year shutdown
  • Federal-clearance maintenance support if applicable
  • $2,500 home-office sign-on, $750/yr maintenance
  • $5,000/yr learning and certifications budget
  • 10% open-source time

Questions before applying?

Email jobs@caelicode.com.

A senior engineer answers within two business days. No SDR, no recruiter chain.