About Buildkite
Buildkite's mission is to unblock every developer on the planet. Our CI/CD platform is the infrastructure that teams at Uber, OpenAI, Shopify, Airbnb, and Canva rely on to ship software at scale. Not as a convenience tool — as critical infrastructure. The kind that can't go down, and can't be compromised.
We've been remote-first since 2013 — distributed across 60+ cities, built around async communication and genuine autonomy. Small team. High standards. Real ownership.
The Role
Hack Buildkite. Then fix it. Then hack through the fix. Rinse, repeat.
This is a new position on a small, high-trust Security team, created to expand our capabilities in two specific areas: Application Security and Adversarial Testing. If you're someone who wants to build these functions rather than inherit them, and get your hands into a technically complex environment from day one, this is the opportunity.
The scope for adversarial testing is the entire Buildkite environment — no guardrails on what you're allowed to probe, and plenty of interesting surface area to work with.
Buildkite is also investing heavily in AI, which creates an immediate opportunity to build and test AI-powered security systems from the ground up. It's an active area with real work to do, and you'd be shaping how Buildkite approaches it.
You'll report to the Head/Principal Security Engineer and work closely with the CTO, the Platform team, the Pipelines team, and the Office of CTO Principals. Security here operates as an enabling and educational function — not the team that says no. The expectation is that you'll collaborate across engineering, investigate under rocks, and help the rest of the company understand and improve its security posture rather than just gate it.
What You'll Own
- Lead Application Security testing projects — most likely AI-assisted — and drive remediation of identified vulnerabilities
- Design and run adversarial testing campaigns across the full Buildkite environment
- Build automation for both AppSec and adversarial testing workflows
- Contribute to AI security: implementing security controls on existing AI systems and evaluating AI-based security tooling
- Work across teams to embed security thinking into engineering, not bolt it on afterward
- Help shape Buildkite's security posture as the team grows and the roadmap matures
What Success Looks Like
6 Months
- Meaningful adversarial attacks run against Buildkite, with documented results
- AppSec vulnerabilities identified and remediated
- Automation built for both functions — not just processes documented
1 Year
- AI-driven real-time application vulnerability management in place
- Real-time adversarial testing, powered by AI, running continuously
- Security function is materially stronger than when you joined
What We're Looking For
Our ideal candidate possesses the following skills and experience.
Experience and Background
- 5–7 years in security roles with a genuine offensive or AppSec focus
- Industry-relevant certifications (OSCP or similar), or equivalent demonstrated capability
- Experience securing AWS and cloud-native environments
- SaaS application security experience
- Ruby or Go (you don't need to be a senior engineer, but you need to be able to read, write, and reason about code)
- Kubernetes and containers experience
Bonus Points For
- Involvement in the hacking community — conferences, CTFs, published research, and responsible disclosure history
- Experience building security tooling from scratch rather than just operating existing stacks
- Hands-on work with AI systems from a security perspective
- Background at SaaS companies, all-remote companies, or engineering-focused organisations
Why Buildkite
- You're building Application Security and Adversarial Testing functions from scratch — this isn't a maintenance role
- The scope for impact is the entire Buildkite environment with no artificial limits
- Ground-floor opportunity on AI security at a company that's actively investing in it
- A leader who is transparent, collaborative, and enabling — focused on removing obstacles so you can do remarkable things
- Remote-first since 2013. Async culture, real flexibility, no performance theatre
🌈 Equal Opportunity Employer
At Buildkite, we value diversity and celebrate all types of skills, backgrounds, and experiences. We’re dedicated to fostering an inclusive environment and providing reasonable accommodations throughout our recruitment process.
If you need any accommodations or support during the application or interview process, please reach out to us at accommodations@buildkite.com.