Security Engineer - Product Security
Listed on 2026-06-18
Software Development
DevOps
About Zipline
Zipline is the world’s largest and most experienced drone delivery service. We deliver food, medicine, and essential goods worldwide with our autonomous logistics system, supporting critical supplies on four continents and completing millions of deliveries to date. Our mission is to serve all humans equally by ensuring access to health and consumer products anywhere, anytime.
About the Role
As a member of Zipline’s security team, you will work closely with software, infrastructure, and embedded/autonomy teams to protect our autonomous delivery operations. You will own security outcomes for critical parts of our application and cloud ecosystem, design secure architectures, and help scale a pragmatic secure SDLC.
What You'll Do
- Own security outcomes for critical parts of Zipline’s application and cloud ecosystem by shipping controls and enabling teams.
- Partner with engineering teams on secure architecture, threat modeling, and design reviews for services that must be correct, reliable, and defensible.
- Help build and scale a pragmatic secure SDLC—CI/CD hardening, dependency/supply‑chain controls, secrets management, and code review patterns.
- Improve cloud security posture end‑to‑end: IAM and least privilege, network/service‑to‑service trust, key management, logging/telemetry, runtime detection, and incident‑ready auditability.
- Drive vulnerability management that actually closes risk: triage, exploitability analysis, remediation partnerships, and verification.
- Help build and exercise incident response: playbooks, tabletop exercises, logging requirements, and operational discipline around incidents.
- Support data classification and access control models aligned to Zipline’s operations and global partners.
- Support external penetration tests and turn results into durable improvements.
- Contribute to security compliance efforts (e.g., SOC 2 / ISO 27001) to strengthen engineering.
- Secure AI‑assisted and agentic engineering workflows:
  - Define safe patterns for copilots/LLM tools used in development and ops.
  - Implement guardrails for sensitive data exposure and output handling.
  - Prevent agentic overreach and over‑privileged tool usage.
  - Build monitoring/auditing around AI tool use where it matters.
- 8+ years of experience designing, building, and operating security controls for large-scale production systems (application, cloud, and infrastructure security).
- Strong security engineering chops with evidence of reducing risk in production systems.
- Hands‑on ability to write and ship code/tools in Python, Go, or similar.
- Practical experience securing microservice architectures and modern cloud stacks (containers/Kubernetes, IAM, CI/CD, secrets, logging).
- Comfort operating as a technical leader without authority: persuade, teach, and unblock rather than police.
- A skeptical mindset: ask “what’s the failure mode?” before shipping changes.
- Familiarity with the security failure modes of LLM‑enabled systems or willingness to learn fast.
- Experience spanning multiple engineering domains (web app, cloud infra, embedded/robotics/autonomy).
- Experience building developer‑friendly security platforms and libraries.
- Track record of being an effective security evangelist.
- Experience designing guardrails for internal AI/agent usage (policy, technical controls, auditing).
- Deep understanding of distributed systems failures (partial outages, retries, cascading dependencies, misconfigurations, permissions drift).
This role is hybrid, based out of our South San Francisco HQ. The starting cash range is $230,000 – $275,000, with potential equity, bonuses, and benefits such as medical, dental, vision, and paid time off.
Zipline is an equal opportunity employer and prohibits discrimination or harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, veteran status, sexual orientation, gender identity, or any other characteristic protected by law.