Staff Security Engineer

About Pantheon

Pantheon WebOps Platform powers the open web, running more than 300,000 sites in the cloud for customers including Google, Princeton, Salesloft and Doctors Without Borders. Every day, thousands of developers and marketers create, iterate, and scale WordPress and Drupal sites to reach billions of people globally. Pantheon’s multitenant, container-based platform enables organizations to manage all of their websites from a single dashboard. Organizations including Clorox and the United Nations drive results through accelerated development and real-time publishing using Pantheon’s collaborative workflows.

The Role 

Pantheon’s Security Engineering team is responsible for safeguarding, auditing, and testing the security of Pantheon's entire platform. Our Security Engineering team aims to create a comprehensive and multi-dimensional approach to application security, with a focus on Security by Design in agile software development and cloud native environments, with deep expertise in securing Google Cloud Platform (GCP) workloads at scale.

We are seeking a passionate, driven, and experienced application security engineer to join our growing team. The Staff Security Engineer is a key strategic and technical role within the Application Security team. This is an engineering-first role: we measure impact by what you build and what teams adopt, not by tickets closed or alerts triaged.

Our mission is to safeguard, audit, and test the security of the entire cloud hosting platform in these core areas:

• Security by Design: Implement “Security by Design” within agile software development and cloud-native environments, with a primary focus on GCP-native security architecture, IAM design, and workload protection.
• Support and Mentorship: Act as a Subject Matter Experts (SMEs), mentoring, coaching, and supporting all security engineering efforts across the organization.
• Standard Setting: Define, organize, and implement application security policy, process, standards, and guidelines.
• Application Security Performance: Helping engineering teams design and build high-performing, secure applications by mitigating security issues in a risk-based manner.

What You Will Do

• GCP Security Architecture: Design and implement security primitives across GCP including org policy hierarchies, VPC Service Controls perimeter design, Workload Identity Federation, CMEK key management strategy, and Secret Manager governance  ensuring secure-by-default infrastructure across all engineering teams.
• Policy Definition: Define, document, and champion processes and practices for a secure Software Development Life Cycle (SDLC).
• Security Culture: Be a driving force in establishing a strong security culture within platform engineering teams.
• Proactive Security: Lead Threat Modeling as a core principle for the Secure by Design strategy with particular focus on GCP-hosted, container-based, multi-tenant architectures. Design and enforce trust boundaries across GCP service and host project structures.
• Secure Design Reviews: Conduct Secure Code and Architecture Design Reviews, including threat modeling and technology/risk-based assessments.

• Automation: Automate application security testing and controls, integrating them directly into the CI/CD pipelines.
• Tooling: Own the deployment, operation, and tuning of security tools (SAST, DAST, IAST, and CSPM), with a focus on platforms like CodeQL and Wiz.io including deep integration with GCP Security Command Center (SCC) and Binary Authorization for container workload protection.
• Vulnerability Management: Partner with engineering to effectively prioritize and remediate identified vulnerabilities.
• Supply Chain & Testing: Own the software supply chain security program, including SCA tooling, Artifact Registry vulnerability scanning, and Binary Authorization policy enforcement across GCP. Coordinate with the Security Operations team on