Staff Security Engineer - Product Security
Company: Zipline
Location: South San Francisco
Posted on: February 18, 2026
Job Description:

ABOUT ZIPLINE

Zipline is at the forefront of a logistics revolution: we design, manufacture, and operate our own fleet of autonomous drones, and all ground-based equipment that supports flight, to deliver critical and lifesaving medicine to thousands of hospitals serving millions of people on multiple continents. Our mission is to provide every human on Earth with instant access to vital medical supplies. Do you want to change the world? Join Zipline and help us make this a reality for billions of people.

ABOUT YOU AND THE ROLE

Zipline builds and operates fleets of delivery drones to get medicine to those who need it, fast, regardless of where they live. To power this, the software team is building out the long-term, scalable solutions to expand rapidly while empowering our world-class distribution centers to serve their customers as fast as possible.

Zipline's security problems aren't "website got pwned" problems (though those exist too). They're "real-world autonomy, robotics, global operations, cloud software, and regulated/health-adjacent workflows" problems. You'll partner deeply with software, infrastructure, and (where relevant) embedded/autonomy teams to reduce real risk in real systems. We have a large attack surface.

Our ideal candidate works well in startup environments, wears many hats, and collaborates across engineering disciplines. You'll join a small, high-ownership security team with significant influence over how we scale.

A note on our modern reality and agentic tooling: engineering teams are increasingly adopting LLM copilots and agentic tools to move faster. That's useful, until an "assistant" becomes an unmonitored automation path to secrets, sensitive data, or privileged actions. (Think: "obedient intern with production credentials.") Industry guidance is converging on practical frameworks like the NIST AI Risk Management Framework (including a profile for generative AI) and the OWASP Top 10 for LLM Applications, which explicitly calls out risks like prompt injection, insecure plugin design, and excessive agency. In this role, you'll help Zipline safely leverage these tools while containing them so they don't quietly "rewrite the threat model".

This is a hybrid onsite role: you will frequently have conversations in person at our HQ in South San Francisco.

WHAT YOU'LL DO

- Own security outcomes for critical parts of Zipline's application and cloud ecosystem (not by writing policy docs that no one reads, but by shipping controls and enabling teams).
- Partner with engineering teams on secure architecture, threat modeling, and design reviews for services that must be correct, reliable, and defensible under real-world operational pressure.
- Help us build and scale a pragmatic secure SDLC: CI/CD hardening, dependency/supply-chain controls, secrets management, and code review patterns that don't slow teams down.
- Improve cloud security posture end-to-end: IAM and least privilege, network/service-to-service trust, key management, logging/telemetry, runtime detection, and incident-ready auditability.
- Drive vulnerability management that actually closes risk: triage, exploitability analysis, remediation partnerships, and verification.
- Help build and exercise incident response: playbooks, tabletop exercises, logging requirements, and "know it happened / know what changed" operational discipline.
- Support data classification and access control models aligned to how Zipline operates (including partner/customer interfaces and global operations).
- Support external penetration tests and turn results into durable improvements, not whack-a-mole patches.
- Contribute to security compliance efforts (e.g., SOC 2 / ISO 27001) in a way that strengthens engineering.
- Secure AI-assisted and agentic engineering workflows (this is explicitly part of the job): define safe patterns for copilots/LLM tools used in development and ops; implement guardrails for sensitive data exposure and output handling; prevent "agentic overreach" (over-privileged tools, unsafe tool-calling, silent action-taking); build monitoring/auditing around AI tool use where it matters.

WHAT YOU'LL BRING

- 8 years of experience designing, building, and operating security controls for large-scale production systems (application, cloud, and infrastructure security).
- Strong security engineering chops with evidence you can reduce risk in production systems (not just talk about it).
- Hands-on ability to write and ship code/tools in Python, Go, or similar (you're expected to build, not just review).
- Practical experience securing microservice architectures and modern cloud stacks (containers/Kubernetes, IAM, CI/CD, secrets, logging).
- Comfort operating as a technical leader without authority: you can persuade, teach, and unblock, not police.
- A skeptical mindset: you naturally ask "what's the failure mode?" and "how will this be abused?" before shipping changes.
- Familiarity with the security failure modes of LLM-enabled systems (or the willingness to learn fast), including risks called out by OWASP such as prompt injection, insecure output handling, insecure plugin design, and excessive agency.

NICE TO HAVES

- Experience spanning multiple engineering domains (web app, cloud infra, embedded/robotics/autonomy).
- Experience building developer-friendly security platforms (internal libraries, paved roads, CI integrations, Public Key Infrastructure).
- Track record of being an effective security "evangelist" (i.e., enabling good behavior with good tools and defaults, not fear).
- Experience designing guardrails for internal AI/agent usage (policy, technical controls, auditing), especially in environments where safety and reliability are non-negotiable.
- Deep understanding of distributed systems and how failures actually happen (partial outages, weird retries, cascading dependencies, misconfigurations, permissions drift).

WHAT ELSE YOU NEED TO KNOW

This will be an in-office or hybrid role based out of our South San Francisco HQ. The starting cash range for this role is $230,000 - $275,000; please note that this is a target starting cash range for a candidate who meets the minimum qualifications for this role. We are always open to negotiation. The final cash pay for this role will depend on a variety of factors, including a specific candidate's experience, qualifications, skills, working location, and projected impact. The total compensation package for this role may also include: equity compensation; overtime pay; discretionary annual or performance bonuses; sales incentives; benefits such as medical, dental and vision insurance; paid time off; and more.

Zipline is an equal opportunity employer and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws or our own sensibilities. We value diversity at Zipline and welcome applications from those who are traditionally underrepresented in tech. If you like the sound of this position but are not sure if you are the perfect fit, please apply.