Senior Backend Engineer, Security

About Shelf

Shelf builds software that helps enterprises make AI work in the real world. That only works when our systems are secure, observable, and maintainable under real production pressure.

About the Role

This role is for a senior backend engineer who will focus full-time on security work.

We are not looking for a policy-only security person. We are looking for a hands-on engineer who can improve our security posture by changing real systems, fixing real problems, and following through until the work is fully implemented and maintained.

This role is embedded close to support and operational engineering, so it stays connected to real incidents, real customer impact, and real follow-through. The scope is broader than one team. You will work across the company’s engineering surface wherever security work needs to land.

What You Will Own

• Find and fix concrete security issues in production systems, not just identify them.
• Improve token lifecycle, revocation, auth flows, auditability, and access controls across backend systems.
• Reduce or eliminate security-sensitive data exposure in logs, events, traces, and internal tooling.
• Improve security detection, logging, and audit trails so incidents are easier to detect, investigate, and contain.
• Rotate secrets, reduce long-lived credentials, tighten access, and relentlessly follow through on overdue security hygiene work.
• Review security findings from scanners and assessments, separate signal from noise, fix valid issues quickly, and improve the underlying architecture where needed.
• Sweep broadly when necessary, including across many repositories and services, rather than stopping at local ownership boundaries.
• Contribute to AI-security and modern application-security work where relevant, including risks introduced by new AI initiatives.
• Write useful technical documentation, post-incident follow-ups, and implementation notes that help security work stay real after the first fix lands.

What Strong Performance Looks Like

• Security improvements actually land in production and stay maintained over time.
• Important follow-through work does not get dropped because it is tedious, cross-cutting, or spread across many repos.
• You can tell the difference between a theoretical issue and a real one, and you act with urgency when the risk is real.
• Incidents lead to better systems, tighter controls, and faster detection instead of only better wording in a document.
• Teams trust you because you improve security by doing the work, not by adding ceremony around it.

What We Are Looking For

• Strong senior-level backend engineering experience in production systems.
• Real hands-on experience implementing security improvements in code, infrastructure, or operational workflows.
• Experience with application-security topics such as auth, token handling, access control, audit trails, logging, secrets, vulnerability remediation, or incident follow-through.
• Strong debugging and investigative instincts. You can trace ugly real-world issues through code, logs, and system behavior.
• Comfort working across many services and repositories when the problem requires a broad sweep.
• Ability to go from problem statement to implementation to enforcement with real ownership.
• Clear written and verbal communication. You can explain risk, trade-offs, and follow-up work without hiding behind vague security language.
• AI-native working style. You already use AI tools in your daily engineering workflow and know how to verify their output.

Strong Plus

• Experience improving security posture after real incidents or near-miss events.
• Experience with AI-security, OWASP AI topics, or securing LLM-enabled systems.
• Experience improving queryability, logging, and forensic visibility for incident response.
• Experience moving systems from weak defaults to safer patterns such as stronger token handling or better credential models.

How We Evaluate Fit

We care more about implementati