Cambridge, MA Lead Cloud Security/AppSec Engineer
Listed on 2026-06-05
IT/Tech
Engineering
Cybersecurity, Systems Engineer
About the Role
The Information Security team has strong detection and response capability and a maturing compliance program. This is a greenfield opportunity to build Flagship’s cloud security and application security engineering practice in earnest — with the CISO and Director of Security Engineering as your strategic partners and a well-resourced program behind you. You’ll define how cloud posture management, SSDLC security, and cloud-side DLP get done at Flagship — in deep partnership with the Infrastructure & Operations team, who are your primary counterparts for cloud architecture, network, and endpoint infrastructure.
What makes this role distinctive is the expectation that you’ll build AI-augmented workflows from the start — using LLMs and agentic tooling to handle the routine 80% so your expertise stays focused on the 20% that actually requires human judgment. If you want to own a practice area rather than execute someone else’s playbook, this is that role. You'll own the technical execution of cloud security and AppSec across Flagship and its portfolio, working directly with engineering teams to embed security into their pipelines, not just review them after the fact.
You’ll Own
- Cloud security posture management: own remediation execution against Wiz findings in close partnership with Infrastructure & Operations — building shared remediation playbooks, coordinating finding resolution across AWS environments, and ensuring security controls are implemented consistently with I&O’s infrastructure standards
- CI/CD and SSDLC security: design and implement security guardrails in engineering pipelines — SAST, secrets scanning, IaC security, container scanning — working directly with portfolio engineering teams, and building AI-powered pipeline security automation (e.g., LLM-assisted code review, automated fix suggestions for SAST findings) that reduces developer friction and scales security coverage beyond what manual review allows
- Cloud-side DLP enforcement: build and operationalize data loss prevention controls at the cloud and application layer, not just policy definition
- Cloud identity and access: own technical execution on Entra/Azure AD conditional access, BYOD policy enforcement, and cloud identity governance in partnership with Infrastructure & Operations, who manage the underlying directory and endpoint infrastructure
- Detection engineering (cloud layer): write and tune cloud-side detection rules and contribute to alert fidelity improvements in partnership with the SOC
- AI platform security: contribute to security architecture reviews and guardrail design for AI-powered portfolio products, including Bedrock and EKS-based platforms
- Serve as the embedded security engineering partner for portfolio company engineering teams — not a reviewer at the end of the process, but a collaborator throughout it
- Design and maintain AI-augmented workflows across all functional areas you own — using LLMs, agentic tooling, and automation to multiply your own capacity. You'll be expected to treat AI as a core part of your engineering toolkit, not an experiment: building prompt-driven triage pipelines, automating remediation drafting, and continuously identifying where human judgment is the bottleneck versus where it's being wasted on pattern-matchable work.
We’re Looking For
- 5+ years in cloud security, application security, or a closely related security engineering discipline
- Deep hands-on experience with AWS security services (Security Hub, GuardDuty, IAM, SCPs, CloudTrail) and cloud posture tooling — Wiz experience strongly preferred
- Practical AppSec experience: you've integrated SAST/DAST/SCA tooling into CI/CD pipelines and worked directly with developers to resolve findings, not just filed tickets
- Experience with cloud identity platforms — Entra / Azure AD, including conditional access policy design and enforcement
- Ability to write infrastructure-as-code and scripting to automate security controls (Python, Terraform, or equivalent), including comfort working with LLM APIs, prompt engineering, and agentic orchestration frameworks
- Demonstrated experience building AI-augmented security workflows —…