Security Engineer
Flox
THE ROLE
This is Flox’s first dedicated security hire. You’ll work directly with engineering leadership to stand up security practices that are pragmatic, developer-friendly, and right-sized for a company at our stage. The role is heavily weighted toward doing—you’ll be the one deploying tools, configuring controls, hardening infrastructure, and closing gaps, not just advising others to do so.
That said, you’ll have real input into how we think about controls, priorities, and our security roadmap as we grow. And because our product sits at the heart of the software supply chain—managing dependencies, environments, and build artifacts for some of the world’s largest engineering teams—security isn’t peripheral here. It’s core to the value we deliver.
If you want to build something from scratch, own it end-to-end, and have your work matter immediately, this is that job. If you want a large team, an existing program to slot into, or mostly governance work, it probably isn’t.
WHAT YOU’LL DO
Detection, Monitoring & Response
- Help evaluate whether to stand up an internal SIEM or work with an outsourced SOC provider—then implement whichever path makes sense for where we are as a company. If building internally: deploy and configure the SIEM, write and tune detection rules, and own the alerting stack. If outsourcing: manage the SOC relationship, define what gets escalated and how, and ensure we’re getting signal not just noise
- Build incident response runbooks and triage workflows—then actually test them (e.g. test backups in case needed for ransomware recovery)
- Be the person who sees something and does something about it
Cloud & Infrastructure Security (AWS + Cloudflare)
- Scan and harden our AWS posture hands-on: IAM policies, SCPs, security group hygiene, GuardDuty, Security Hub, and automated compliance guardrails need to be evaluated and maintained
- Own Cloudflare configuration across WAF rules, DDoS protection, bot management, Zero Trust access, an...