Senior Information Security Engineer

Lehi, Utah, United States

MX is a fintech company on a mission to empower the world to be financially strong. We build technology that helps banks, credit unions, and fintechs deliver smarter, more intuitive financial experiences to millions of people.

Like many startups, we’ve navigated real growth challenges — and we’ve come out stronger on the other side. Today, MX is in a phase of renewed momentum and scale, with a solid foundation and a clear vision for what’s next. This is a place where thoughtful execution matters, innovation is encouraged, and individuals have real ownership over their work.

Our culture values curiosity, accountability, and impact. We give people the space to question assumptions, design better solutions, and help shape how the company grows. If you’re looking to do meaningful work, influence outcomes, and grow alongside a company that’s ready to move fast, you’ll feel at home at MX.

Role Overview

The Senior Security Engineer is a senior individual contributor role focused on being the primary hands-on builder, technical lead, and implementer of MX's security program. This position is designed for a self-starting technical lead with deep execution expertise in ubiquitous shift-left security, application protection, and automated risk reduction. In addition to shift-left security, this role focuses on Web Application and API Protection (WAAP) and network security to drive widespread adoption of secure practices across engineering teams.

Reporting directly to the Director of Security Architecture and Engineering, and working closely with Cloud & Product Security Architecture to execute defined designs, the Senior Security Engineer leads the deployment, automation, and maturation of security controls at scale. They serve as the go-to technical expert for implementation, troubleshoot complex issues, mentor engineers organization-wide, and champion best practices to embed security deeply into infrastructure, platforms, and application workflows. This role influences Cloud Engineering, DevOps, Platform, Application Development, and Security Operations teams to operationalize secure-by-design principles while maintaining alignment with compliance and risk requirements.

 

Responsibilities

Application & API Security

  • Serve as the primary hands-on builder for Fastly Next-Gen WAF (Signal Sciences) across all production environments to mitigate web-based attacks with low false positives.

  • Lead the deployment and tuning of Cequence Unified API Protection for API discovery, behavioral abuse detection, and real-time runtime enforcement.

  • Standardize API security patterns across the organization, ensuring deep visibility into shadow APIs and automated blocking of malicious traffic.

  • Partner with application teams to integrate threat modeling and security requirements into the design phase of new features.

  • Detect and prevent credential-stuffing attacks, ensuring Security Engineering is First-To-Know (FTK).

Enterprise CI/CD Security & Shift-Left Enforcement

  • Implement and mature policy-as-code frameworks (OPA/Rego or equivalents) tied to organizational guardrails.

  • Enforce strict CI/CD quality gates that block critical and high-severity vulnerabilities from reaching production using SAST/SCA tools like Snyk, Semgrep, or CodeQL.

  • Drive integration of security scanning tools (IaC, containers, secrets, dependencies, SBOM) into CI/CD pipelines and evangelize shift-left practices to development teams.

  • Train and enable engineers to build securely from the start, reducing misconfigurations at the source.

Web App & API Protection (WAF & Firewall with IPS/IDS)

  • Deploy and manage AWS Network Firewall & Suricata IPS/IDS rules (or similar, e.g., PAN) as code through Terraform to protect ingress, egress, and east-west traffic.

  • Implement and maintain advanced network security controls, including VPC Service Controls and hierarchical policies.

  • Develop and tune detection rules for Network Security Services, partnering with the SIEM owner; support threat hunting and incident investigations.

Container & Kubernetes Security

  • Implement and enforce security controls for Kubernetes clusters (EKS, GKE, or self-managed), including cluster hardening, admission controls, and network policies.

  • Drive system hardening across container layers: secure base images, runtime protection (e.g., CrowdStrike), image signing/verification, and vulnerability management.

  • Integrate container security scanning (image vulnerability, misconfiguration, SBOM) into build pipelines; enforce runtime protections and least-privilege for workloads.

  • Develop and automate guardrails for Kubernetes configurations using tools like CrowdStrike, OPA/Gatekeeper, or Kyverno to prevent insecure deployments.

Secrets Management & Secret Hygiene

  • Enforce a strict "zero-secrets-in-code" policy through pre-merge blocking using tools like GitGuardian, TruffleHog, or Gitleaks.

  • Lead the migration of legacy secrets to centralized stores such as HashiCorp Vault, AWS Secrets Manager, or Sealed Secrets.

Software Supply Chain Security

  • Standardize SBOM (Software Bill of Materials) generation for all internal and third-party software artifacts.

  • Implement the SLSA framework (or similar) to ensure the integrity of build pipelines and artifact provenance.

  • Deploy artifact signing and verification using Sigstore/Cosign (or similar) to ensure only trusted code runs in production.

  • Govern dependency usage to proactively block compromised or "typosquatted" packages from entering the ecosystem.

System & Host Hardening (CIS & Golden Images)

  • Standardize the creation of "Golden Images" (AMIs/Base Images) based on CIS Benchmarks for all compute resources.

  • Eliminate configuration drift by implementing automated remediation workflows for non-compliant hosts.

  • Deploy and manage host-based security telemetry (CrowdStrike Falcon) across the entire fleet.

  • Scale immutable infrastructure patterns that remove the need for manual system patching.

Cloud & Infrastructure Security

  • Translate architectural designs into production-ready deployments using Terraform, automation, and repeatable processes.

  • Lead deployment and management of CrowdStrike Falcon Complete (CSPM/CNAPP) for posture management, misconfiguration remediation, and drift detection.

  • Enforce cloud governance standards through automated baselines, templates, and least-privilege controls across all accounts.

  • Prototype and validate new controls or tools to accelerate organizational rollout.

  • Deploy Just-In-Time (JIT) identity systems and enforce the principle of least privilege.

  • Accomplish task-based, short-lived access, eliminating the need for standing privileges.

  • Experience enforcing the Principle of Least Privilege (PoLP) on non-human identities (NHI).

Qualifications

  • 7+ years of progressive hands-on experience in application security, cloud security engineering, or DevSecOps at scale.

  • Expert-level implementation experience with Fastly Next-Gen WAF (Signal Sciences) and Cequence Unified API Protection (or equivalent tools).

  • Expert in Terraform for secure infrastructure-as-code; strong experience with policy-as-code (OPA/Rego).

  • Deep hands-on expertise with CNAPP/CSPM platforms (CrowdStrike Horizon, Prisma Cloud) and cloud-native detection tools.

  • Proven ability to operate in multi-cloud environments with a strong grasp of Zero Trust, identity, and secure workload patterns.

  • Experience building and automating controls in regulated environments such as SOC 2, PCI DSS, or ISO 27001.

  • Excellent communication and influence skills: able to teach, persuade, and enable engineers at all levels.

  • Track record of mentoring others and driving adoption of best practices across organizations.

  • Experienced Incident Responder with a proven history of leading security incidents, such as those related to credential leaks or credential-stuffing attacks, from beginning to end.

What Success Looks Like

  • Critical + High vulnerabilities are blocked at the PR stage, resulting in a measurable reduction in production security debt.

  • Manual secrets are eliminated from all codebases and replaced with automated, rotated credentials.

  • Security infrastructure is deployed entirely as code, with zero manual configuration drift in production environments.

  • Engineering teams view security as an enabler, adopting "paved road" patterns that make the secure way the easiest way, reducing friction and toil.

At MX, we are a high-performance organization that thrives on trust and results. This role is based in Lehi, Utah. We believe in empowering our team members to deliver exceptional outcomes while taking advantage of our incredible office space when it best supports their work. Our Utah office features onsite perks such as company-paid meals, massage therapists, a sports simulator, gym, mother’s lounge, and meditation room, as well as meaningful interactions with amazing people. We encourage team members to come together in the office to collaborate, kick off key projects, or strategize cross-functionally, fostering connection and innovation.

MX is proudly committed to recruiting and retaining a diverse and inclusive workforce. As an Equal Opportunity Employer, we never discriminate based on race, religion, color, national origin, gender (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, gender expression, age, military or veteran status, status as an individual with a disability, or other applicable legally protected characteristics. We particularly welcome applications from veterans and military spouses. All your information will be kept confidential according to EEO guidelines. You may request reasonable accommodations by sending an email to hr@mx.com.
