Senior Security Engineer (Application & Cloud Security)

MagicSchool

United States
$150,000 - $180,000 / year
full-time
senior
Posted April 21, 2026
via himalayas

About This Role

WHO WE ARE

MagicSchool is the premier generative AI platform for teachers. We're just over 2 years old, and more than 7 million teachers from all over the world have joined our platform. Join a top team at a fast-growing company that is working towards real social impact. Make an account and try us out at our website and connect with our passionate community on our Wall of Love.

Senior Security Engineer Role Description

As Senior Security Engineer (Application & Cloud Security), you will serve as the primary security enabler for our Engineering, Product, and Design teams - building the practices, tooling, and trust that allow developers to move fast without introducing risk. You'll report directly to the Director of IT and play a critical role in protecting the systems educators and students rely on every day.

MagicSchool is operating in a compliance-critical environment serving millions of educators and students. The security foundation is being actively built - not inherited - and this role is central to getting it right.

Responsibilities

In this role, you will be responsible for driving towards the following outcomes:

• Secure Development Lifecycle & Vulnerability Management: Champion secure development practices including threat modeling, code reviews, and dependency monitoring. Lead the implementation and ongoing management of StackHawk and GitHub Advanced Security for automated scanning, triage emerging threats like compromised packages and zero-day disclosures, and build developer-friendly workflows that integrate security without sacrificing velocity.
• Infrastructure & Architecture Security: Partner with IT and engineering leadership to maintain core security infrastructure - including firewall management, content filtering, and privilege access controls. Serve as a trusted security advisor in architecture conversations, helping teams design systems that are secure by default across AWS, Google Cloud, and on-prem environments.
• Identity & Access Management: Own the end-to-end IAM security strategy across cloud (AWS, GCP), SaaS, and internal tooling - including identity lifecycle management, SSO/SAML/OIDC configuration, role-based and attribute-based access controls, and zero-trust access patterns. Partner with IT and engineering to enforce least-privilege principles, govern developer and service account access, and build scalable access review processes that hold up under SOC 2 scrutiny.
• Red Teaming & Threat Assessment: Design and execute threat modeling exercises tailored to the unique attack surface of an AI-powered EdTech platform - including student data exposure, AI model misuse, and high-risk windows such as fundraising cycles. Plan and oversee red team assessments, either internally or through third-party partners.
• Incident Response & Preparedness: Serve as first responder and on-call point of contact for security incidents. Own and evolve incident response playbooks, lead postmortems, and run internal enablement programs - including workshops and simulations - that build security awareness and readiness across engineering and staff.
• Cross-Functional Alignment: Partner with IT and Compliance to support SOC 2, FERPA, and COPPA programs, and ensure engineering efforts stay aligned with our regulatory commitments.

Qualifications/Competencies/Skills

To be successful in this role, you'll bring the following skills and competencies:

• Security Expertise & Tooling: Hands-on experience with SAST, DAST, and SCA tooling - ideally including StackHawk and GitHub Advanced Security - and cloud-native security within AWS and/or Google Cloud. Prior involvement in offensive security or red teaming.
• Threat Modeling & Architecture: Strong experience conducting or facilitating threat modeling using formal frameworks (e.g., STRIDE, PASTA) or lightweight iterative approaches. Comfortable serving as a security advisor in live architecture conversations.
• Technical Depth & Developer Partnership: You work directly inside engineering teams - through pull request feedback, pair programming, architecture reviews, and daily Slack presence - embedding security into the development workflow rather than reviewing it after the fact. You're a hands-on technical contributor first, and you measure success by the security improvements shipping in code.
• AI Application Security: Experience securing LLM-integrated or AI-powered products, with an understanding of the unique threat surfaces they introduce.
• Communication & Influence: Ability to translate complex security topics for both technical and non-technical stakeholders. Skilled at building cross-functional trust and coaching engineers on security principles without compromising developer velocity.

Experience

To be successful in this role, you'll bring the following experience and qualifications:

• At least 5 years of experience in application or cloud security, with a track record of advancing security practices in fast-paced engineering e...
