SecOps Engineer

Why Duro?

Duro is building the GitHub for Hardware teams. As now a part of the Altium product portfolio, we’re revolutionizing Product Lifecycle Management (PLM) for companies in space tech, robotics, IoT, and commercial manufacturing. Our platform empowers hardware teams to move with agility, make timely decisions, and build disruptive products.

Our culture is built on: Trust, Autonomy, Experimentation, and Empathy. We deploy daily. We run 3-week cycles (2 weeks building + 1 week polish). We’re Linear stans, leveraging their AI agents to automate bug discovery and fixes. We measure everything through PostHog—feature flags, session replays, and product analytics all in one.

About the role: 

Duro’s customers build satellites, drones, defense systems, and critical infrastructure. They operate under some of the most demanding security and compliance frameworks in the world—and they expect their PLM platform to meet them where they are. This role exists to make sure we do.

As SecOps, you’ll be the single point of authority for security and compliance across Duro. This is not a back-office compliance role. You’ll be customer-facing—fielding tough questions from security teams at defense contractors, government agencies, and aerospace companies who believe they know the standards as well as you do. Your job is to know them better. To understand not just what the controls require, but why they exist, how they’ve evolved, and how Duro’s architecture satisfies them.

You’ll own our compliance posture across SOC 2, NIST 800-171, NIST 800-53, CMMC, FedRAMP, ITAR, and GDPR. You’ll manage our evidence locker in SecureFrame, work with DevOps on infrastructure security in AWS GovCloud, coordinate with vendors, and represent Duro and Altium as a trusted security authority in every customer conversation.

 A day in the life of our SecOps Engineer:

• Review and respond to customer security questionnaires, vendor assessments, and RFP security sections—often from defense, aerospace, and government customers with deep domain knowledge and high expectations
• Join customer calls as Duro’s security authority—fielding technical questions on data handling, encryption, access controls, and compliance posture, and confidently addressing pushback with precise knowledge of the standards
• Maintain and evolve our compliance programs across SOC 2 Type II, NIST 800-171, NIST 800-53, CMMC, FedRAMP, ITAR, and GDPR—not as a checkbox exercise, but as a living practice that adapts as frameworks evolve
• Manage our evidence locker in SecureFrame—ensuring continuous readiness for audits, mapping controls to evidence, and keeping documentation current as our product and infrastructure change
• Collaborate with DevOps on infrastructure security decisions: encryption at rest and in transit, network segmentation, access management, logging, and monitoring across AWS and GovCloud environments
• Own the classification and handling of sensitive data—PII, CUI, ITAR-controlled technical data—ensuring our policies, systems, and team practices align with regulatory requirements
• Evaluate and manage security vendors and third-party tools, reviewing SOC 2 reports, conducting risk assessments, and ensuring our supply chain meets the same standards we hold ourselves to
• Drive security awareness across the organization—training engineering teams on secure development practices, data handling policies, and incident response procedures
• Lead incident response planning and execution, including tabletop exercises, post-incident reviews, and continuous improvement of our response playbooks
• Delegate and coordinate across teams—you’re not doing everything yourself, but you’re accountable for ensuring it gets done right, whether that’s a DevOps engineer implementing a control or a product manager understanding an ITAR restriction

Who We’re Looking For:

• 10+ years of experience in information security, security operations, or compliance—with direct experience in defense, aerospace, or government-adjacent industries
• Deep, expert-level knowledge of SOC 2, NIST 800-171/800-53, CMMC, FedRAMP, ITAR, and GDPR—not just the controls, but the intent behind them and how they’ve evolved
• Hands-on experience with compliance platforms like SecureFrame, Vanta, or Drata—including evidence management, continuous monitoring, and audit preparation
• Strong understanding of cloud infrastructure security—particularly AWS and GovCloud environments, encryption at rest and in transit, IAM, VPC design, and logging/monitoring
• Experience with data classification and handling—PII, CUI, ITAR-controlled data—and the ability to translate regulatory requirements into practical engineering guidance
• Exceptional communication skills—you can explain a NIST control to a C-suite executive, defend your compliance posture to a DoD security auditor, and help an engineer understand why a particular data flow needs to change
• A customer-facing presence—you’re comfortable in high-stakes conversations where customers challenge your security posture, and you respond with authority, precision, and patience
• Ability to delegate and coordinate across engineering, DevOps, product, and external vendors—you own the outcomes, but you build through others

How We Think About Security

Security at Duro isn’t a department—it’s a commitment that runs through everything we build. Our customers trust us with their most sensitive product data: designs for defense systems, satellite components, and critical infrastructure. That trust is earned through competence, transparency, and rigor.

We use AI extensively in how we build software—every engineer runs Claude Code as their primary development environment. As our security leader, you’ll help define the guardrails for how AI is used responsibly within our development workflows, ensuring that our velocity never comes at the expense of our security posture.

We don’t want someone who recites frameworks. We want someone who understands the threat landscape our customers operate in, can anticipate where the standards are headed, and builds a security practice that stays ahead of both.

Nice to Have

• Relevant certifications: CISSP, CISM, CISA, CompTIA Security+, or CMMC Registered Practitioner (RP)
• Experience with PLM, PDM, or hardware/manufacturing industry software
• Background in achieving or maintaining FedRAMP authorization
• Experience building a security program from the ground up at a startup or mid-size company
• Familiarity with secure software development lifecycle (SSDLC) practices
• Experience with penetration testing coordination and remediation management
• Knowledge of export control regulations beyond ITAR (EAR, OFAC)

The salary range for this role is  $190,000 to $230,000 annually. Actual compensation packages within this range are based on a wide array of factors unique to each candidate and role requirements, including but not limited to skill set, years and depth of experience, certifications, and specific location.

Our Benefits

• 🏥 Medical, Dental, Vision Plans and HSA and FSA accounts
• ❤️ Basic Life and AD&D insurance; disability coverage where applicable  
• 🌅 Retirement 401(k) Plan Option with Altium match
• 🧘 Employee Assistance Program
• 🏖 Paid holidays plus a “Choice Day” off per quarter      
• ✈️ Paid time-off on arising schedule upon key milestones
• 🤒 Sick time for Dr. appointments or family health needs  
• 👶 Family medical, maternity, paternity, and military leave
• 🏡 Flexible working arrangements available based on role and location
• 🥳 Employee referral program  
• 🌍 Remote working abroad program
• 📚 Professional development support and resources
• 🥪 Free lunch, snacks, and drinks in the office
• 🚗 Free parking