Senior / Staff DevSecOps Engineer

About the role

America is under sustained cyber attack. Our adversaries infiltrate our networks, steal our IP, and degrade the digital infrastructure that modern life runs on. They've learned-correctly-that those attacks rarely produce consequences. Twenty was founded to change that, by making our adversaries think twice before they attack us. Our vision is American and allied primacy in cyberspace-a future where they cannot contest us, deterrence is assured, and the free world remains secure. Founded in 2024, Twenty Technologies ( www.twenty.io ) industrializes offensive cyber operations for the U.S. and its allies. Headquartered in Arlington, Virginia, Twenty has raised $38M from Caffeinated Capital, General Catalyst, and In-Q-Tel. Role Summary You'll build and own the security infrastructure that keeps Twenty's engineering systems safe without slowing engineers down. This role spans runtime security, access control, secrets management, compliance, and CI/CD hardening - but it's equally about making security the path of least resistance. You'll embed with our engineering teams, design secure-by-default foundations, and build the tooling and automation that lets developers move fast without cutting corners. You'll report directly to the VP of Engineering and operate as a shared function across our product teams.

Responsibilities

• Own runtime security and vulnerability management across cloud and container environments, including triage, prioritization, and remediation tracking.
• Design and enforce identity and access management (IAM) across AWS and internal systems - least-privilege by default.
• Own secrets and credentials management: policies, tooling, rotation, and developer workflows that make doing the right thing easy.
• Lead security incident response: detection, containment, root cause analysis, and durable remediation.
• Manage AWS Organization structure, account boundaries, SCPs, and guardrails.
• Harden and maintain CI/CD pipelines, embedding security scanning and policy enforcement into the software delivery lifecycle.
• Drive compliance efforts - own the evidence, controls, and remediation work to meet and maintain relevant frameworks.
• Build and maintain secure-by-default templates for repos, pipelines, and infrastructure modules.
• Reduce friction through automation: certificate issuance, secrets access, policy-as-code, and developer-facing tooling.
• Produce lightweight, practical security guidance that engineers actually use.
• Shape the direction of the DSO function as it scales, and contribute to hiring and team-building as we grow.

Requirements

• You believe security should be a force multiplier for engineering, not a gatekeeper.
• You take ownership end-to-end: from identifying a risk to designing the control to shipping the fix.
• You bring high judgment to tradeoffs - you know when to enforce hard controls and when friction kills adoption.
• You communicate clearly with both engineers and non-technical stakeholders, and you translate risk into plain language.
• You prefer automation over policy: if an engineer has to do something manually to stay secure, you see that as a bug.
• You hold a high bar for reliability and auditability in the systems you build.
• You're self-directed and thrive in an environment where the function is new and you're defining it.
• 8+ years in DevSecOps, platform security, or a closely related security engineering role.
• Deep hands-on experience with AWS - IAM, SCPs, Organizations, security services (GuardDuty, Security Hub, CloudTrail, etc.).
• Strong IaC experience with Terraform; you've used it to enforce security controls, not just provision infrastructure - and you've layered in policy-as-code tooling (e.g., OPA, Checkov, tfsec) or continuous compliance checks (e.g., AWS Config Rules) to catch drift and misconfigurations.
• Experience owning secrets management end-to-end in a production engineering environment.
• Proven track record designing and hardening CI/CD pipelines (we use GitHub Actions).
• Hands-on experience with container security, including image scanning and runtime controls.
• Experience leading or meaningfully contributing to a compliance program; CMMC Level 2 (or NIST SP 800-171) experience strongly preferred.
• You've run incident response - you've been on call, you've led the post-mortem, and you've shipped the fix.
• Strong communication skills and the ability to drive security adoption through enablement, not mandates.
• Experience growing a DSO or security engineering function - expanding scope, tooling, and team.
• Familiarity with observability tooling and using it for security signal (we use the LGTM stack).
• Background in configuration management tooling (Ansible or similar).
• Experience with developer-facing security platforms or internal tooling that improved engineering workflows.
• Interest in growing into a lead or manager role as the team scales.
• Tech Environment (You Might Work With)
• Cloud: AWS (primary), Terraform for Ia

Benefits

Your Match

How well this role fits your profile.

Company Intel

What employees say

Worked at twenty? Share your experience