We’re looking for a Staff Security Engineer to join Procore’s Security Engineering team. In this role, you’ll be a key technical leader responsible for designing and implementing foundational security controls that protect our platform, data, and users. Your primary goal is to drive the implementation of a secure, scalable, and resilient cloud product and infrastructure by default.
As a Staff Security Engineer, you’ll partner with Product & Technology, IT, Security Operations, and GRC to embed security into the development lifecycle. Use your deep expertise in cloud architecture, data protection, and identity and access management to design and implement robust, automated security guardrails across our SaaS ecosystem. This is a high-impact opportunity to solve complex security challenges and protect the data of millions of users. Apply today.
This position reports into the Senior Director, Security Engineering and will be based in our Austin, TX office. We’re looking for someone to join us immediately.
What you’ll do:
Design and implement scalable IAM guardrails for cloud (AWS/GCP/Azure) and corporate (Okta) environments, including identity governance, PAM, and service-to-service authentication.
Mentor other engineers and help scale security knowledge across the organization.
Lead the evaluation and implementation of new security technologies and platforms from proof-of-concept to production.
Design the long-term application security strategy and roadmap (e.g., Zero Trust architecture for apps).
Solve entire classes of vulnerabilities permanently by re-architecting frameworks or platforms.
Lead critical incident response efforts for product security breaches.
Design and build automated pipelines for authoritative asset inventory and Software Bill of Materials (SBOM) generation.
Drive the technical roadmap for data protection, including key management (KMS), encryption-at-rest/in-transit, and tokenization.
Build and implement secure-by-default configurations for our containerized (Kubernetes, EKS) and IaC (Terraform) workflows.
Partner with Product & Technology teams to engineer technical resilience patterns, auto-healing systems, and verifiable disaster recovery capabilities.
Act as a senior technical expert to provide authoritative context on security controls and designs to our GRC and Internal Audit teams.
Provide on-call support on a rotational basis.
What we’re looking for:
Bachelor's degree in Computer Science or equivalent practical experience.
6+ years of experience in a hands-on technical security role, with at least 3 years focused on cloud security in a large-scale SaaS environment.
Deep expertise in multiple security domains including product/application security, IAM, IaaS, network, etc.
Deep expertise with at least one major cloud provider (AWS preferred) and its security services (IAM, KMS, Security Hub, GuardDuty).
Strong experience with identity and access management platforms (IdP, IGA, PAM), joiner-mover-leaver (JML) mechanisms, and concepts (SAML, OAuth 2.0, OIDC, SCIM).
Proven experience building security guardrails for IaC (Terraform preferred), CI/CD pipelines, and container orchestration (Kubernetes).
Ability to influence engineering leadership and drive cultural change (shifting security left).
Experience writing custom security tooling or rules engines (e.g., CodeQL custom rules) to scale detection.
Strong understanding of data protection principles, including encryption, key management, tokenization, and data loss prevention (DLP).
A "builder" mindset with a passion for automation (Python, Go, or similar) and shipping solutions as code.
Excellent communication skills with the ability to translate complex technical concepts for technical and non-technical stakeholders.
Base Pay Range:
168,560.00 - 231,770.00 USD Annual
This role may also be eligible for Equity Compensation. Procore is committed to offering competitive, fair, and commensurate compensation, and has provided an estimated pay range for this role. Actual compensation will be based on a candidate’s job-related skills, experience, education or training, and location.
This position requires access to technology, software, and data that is controlled or restricted under U.S. law, regulation, executive order, or government contract.
Procore will consider for employment all qualified applicants, including those with arrest or conviction records, in accordance with the requirements of applicable federal, state, and local laws, including the City of Los Angeles’ Fair Chance Initiative for Hiring Ordinance, the Los Angeles County Fair Chance Ordinance for Employers, and the California Fair Chance Act.
A criminal history may have a direct, adverse, and negative relationship on the following job duties, potentially resulting in the withdrawal of the conditional offer of employment: 1. appropriately managing, accessing, and handling confidential information including proprietary and trade secret information, as well as accessing Procore's information technology systems and platforms; 2. interacting with and occasionally having unsupervised contact with internal/external customers, stakeholders, and/or colleagues; and 3. exercising sound judgment.