Staff Security Engineer - Product Security

Confirmed live in the last 24 hours

Zipline

Compensation

$230,000 - $275,000/year

South San Francisco, California, USA

Hybrid

Posted April 23, 2026

Job Description

About Zipline

Zipline is the world’s largest and most experienced drone delivery service. We are on a mission to serve all humans equally by ensuring access to food, medicine and essential goods anytime, anywhere. We design, build, and operate the world’s largest autonomous logistics system, delivering critical supplies quickly and reliably. Today, Zipline operates on four continents, makes a delivery somewhere in the world every 30 seconds, and has completed millions of deliveries to date, including blood, vaccines, medical supplies, food, and retail products.

Our customers include the world’s largest and most prominent healthcare systems, governments, retailers, restaurants and global businesses who rely on us to save lives, reduce emissions, increase economic opportunity, and provide delivery from point A to point B as fast as possible. The drone is only 15% of what we’ve built to enable seamless, reliable, global operations.

Our system strengthens supply chains, reduces congestion, and gives people time back. With more than 140 million commercial autonomous miles safely flown, Zipline is redefining access to healthcare, consumer products, and food across the globe.

We operate at a global scale and are looking for practical problem solvers who thrive on real-world challenges and rapid growth. Our team is motivated by building systems that have a direct, meaningful impact on people’s lives and by scaling the future of logistics. We are seeking people who sculpt from first principles, enjoy facing adversity, and can do the impossible at record breaking speeds.

About You and The Role

Zipline builds and operates fleets of delivery drones to get medicine to those who need it, fast, regardless of where they live. To power this, the software team is building out the long term scalable solutions to expand rapidly while empowering our world class distribution centers to serve their customers as fast as possible.

Zipline’s security problems aren’t “website got pwned” problems (though those exist too). They’re “real-world autonomy + robotics + global operations + cloud software + regulated/health-adjacent workflows” problems. You’ll partner deeply with software, infrastructure, and (where relevant) embedded/autonomy teams to reduce real risk in real systems. We have a large attack surface

Our ideal candidate works well in startup environments, wears many hats, and collaborates across engineering disciplines. You’ll join a small, high-ownership security team with significant influence over how we scale.

A note on our modern reality and agentic tooling:

Engineering teams are increasingly adopting LLM copilots and agentic tools to move faster. That’s useful, until an “assistant” becomes an unmonitored automation path to secrets, sensitive data, or privileged actions. (Think: “obedient intern with production credentials.”) Industry guidance is converging on practical frameworks like the NIST AI Risk Management Framework (including a profile for generative AI) and the OWASP Top 10 for LLM Applications, which explicitly calls out risks like prompt injection, insecure plugin design, and excessive agency.

In this role, you’ll help Zipline safely leverage these tools while containing them so they don’t quietly “rewrite the threat model”.

This is a Hybrid onsite role - you will frequently have conversations in person at our HQ in South San Francisco.

What You'll Do

Own security outcomes for critical parts of Zipline’s application and cloud ecosystem (not by writing policy docs that no one reads, but by shipping controls and enabling teams).
Partner with engineering teams on secure architecture, threat modeling, and design reviews for services that must be correct, reliable, and defensible under real-world operational pressure.
Help us build and scale a pragmatic secure SDLC – CI/CD hardening, dependency/supply-chain controls, secrets management, and code review patterns that don’t slow teams down.
Improve cloud security posture end-to-end: IAM and least privilege, network/service-to-service trust, key management, logging/telemetry, runtime detection, and incident-ready auditability.
Drive vulnerability management that actually closes risk: triage, exploitability analysis, remediation partnerships, and verification.
Help build and exercise incident response: playbooks, tabletop exercises, logging requirements, and “