Application Security Engineer (Infosec & GRC)

2 - 4 years

0 Lacs

Posted: 4 days ago | Platform: Foundit

Work Mode: On-site

Job Type: Full Time

Job Description

About Bureau

digital fraud and mistrust.

Bureau

In just a few years, our knowledge graph has grown to 1 billion+ verified identities globally. Backed by Sorenson Capital, Blume, and PayPal Ventures, Bureau is not just scaling fast; we're shaping the future of digital trust.

About the Role - Application Security Engineer

We are looking for a Security Engineer who can own both the hands-on technical security stack and our governance/compliance programs.

What you'll be doing

In this role, you will:

  • Harden and monitor our cloud & container infrastructure (AWS/EKS, endpoints, network).
  • Run vulnerability management, security tooling and incident response.
  • Help maintain our ISMS and support audits (ISO 27001, SOC 2, RBI, DPDP, etc.).

security engineering + GRC

1. Cloud & Infrastructure Security (Hands-on)

  • Work with DevOps to secure our AWS/EKS environment:
  • IAM hardening, security groups, VPC, KMS, S3, RDS, etc.
  • Review infra-as-code (Terraform/Helm) for security issues and misconfigurations.
  • Own or co-own key security tools:
  • Endpoint / EDR (e.g., CrowdStrike / SentinelOne),
  • Cloud security (CSPM / CNAPP, GuardDuty, Security Hub, WAF, etc.),
  • Container / runtime security where applicable.
  • Implement and maintain logging & monitoring for security events (CloudTrail, ALB/NLB logs, K8s logs, etc.), and integrate them with SIEM / alerting.

2. Vulnerability Management & Security Operations

  • Own the vulnerability management lifecycle:
  • Run periodic scans for cloud, endpoints, containers and apps.
  • Triage findings, prioritise based on risk, and drive closure with engineering.
  • Coordinate external pentests / bug bounties and track remediation.
  • Support incident response:
  • Help investigate alerts, gather evidence, and contribute to RCA and CAPA.
  • Maintain and update incident runbooks.

3. Governance, Risk & Compliance (ISMS, Audits, DPDP)

  • Maintain and enhance the Information Security Management System (ISMS):
  • Policies, procedures, SoA, risk register, control evidence and audit trails.
  • Support internal and external audits: ISO 27001, SOC 2, RBI/CERT-In, Data Protection.
  • Prepare and manage audit evidence, observations, closure reports and certification documentation.
  • Assist with risk assessments:
  • Maintain the risk register, risk treatment plans and residual risk reviews.
  • Conduct vendor security due diligence and maintain vendor security records (MSA, NDA, DPA, DPIA, etc.).
  • Support privacy & regulatory compliance operations (GDPR/DPDP basics: retention, consent, grievance logging).

4. Access, Asset & Control Assurance

  • Participate in and help automate access reviews, asset inventory checks, and configuration compliance checks.
  • Track control performance (vuln SLAs, access reviews, backup tests, etc.) and ensure gaps are documented and closed.
  • Maintain security awareness and training trackers (onboarding, annual refreshers, phishing simulations).

What You'll Bring

  • Bachelor's degree in Computer Science, IT, Cybersecurity or related discipline.
  • 2-4 years of experience in security engineering, cloud security, or GRC/compliance (any mix, but must be comfortable hands-on).
  • Good understanding of:
  • Security engineering fundamentals: Linux, networking, IAM, encryption, least privilege.
  • Cloud platforms (AWS preferred; GCP/Azure a plus) and their security services.
  • Core frameworks: ISO 27001, SOC 2, basic risk management and audit lifecycle.
  • Comfortable with:
  • Writing/debugging basic scripts (Bash/Python) for automation and data extraction.
  • Tools like Jira, Confluence, Excel/Sheets and at least one GRC / security platform (e.g., Scrut/Drata/Secureframe, etc.).
  • Strong documentation skills and ability to talk to both engineers and non-technical stakeholders.

Preferred (Good to Have) / Willing to Learn

  • Cloud security certifications (e.g., AWS Security / AWS Cloud Practitioner).
  • ISO 27001:2022 Lead Auditor/Implementer, CompTIA Security+, ISC2 CC.
  • Experience with:
  • EDR/XDR tools,
  • CSPM/CNAPP (e.g., Wiz, Prisma, Defender for Cloud),
  • SIEM, WAF, runtime/container security (Falco, etc.).
  • Exposure to GDPR/DPDP or other data protection regimes.

Who You Are

  • You enjoy both:
  • Getting your hands dirty in logs, configs and cloud consoles, and

  • Keeping things clean in policies, risk registers and audit trackers.
  • You're structured and process-oriented, but still pragmatic and capable of shipping improvements.
  • You're comfortable collaborating with DevOps, backend, data, HR and legal to get security actually implemented, not just written down.
  • You want to grow into either Security Engineering leadership (owning tools/architecture) or GRC leadership (owning audits and certifications) over the next few years.

What Working at Bureau Looks Like

At Bureau, work is about building something meaningful, together. Some days it's brainstorming around a whiteboard, other times it's an idea sparked over chai or in a hallway chat. We move fast, give ownership to those closest to the problem, and turn ideas into action quickly.

Our values shape how we work and win together. We believe in Teamwork and Respect that build strong collaborations, Urgency that keeps us close to customer needs, and a Solution Mindset that drives innovation. With Transparency at the core, we strive for Excellence in everything we do and bring relentless Drive to achieve impactful outcomes. This is what working at Bureau looks like - fast, focused, and built on trust.

Flexibility is built into how we work, helping you balance deep focus with collaboration. Learning never stops: through books, courses, and knowledge-sharing. And well-being matters too, with healthcare for you and your family.

Here, you don't just build products that protect millions - you build trust, grow your skills, and work with people who've got your back.

Why Join Bureau

real global impact

  • Work with purpose: Build tools that reduce fraud, expand access to credit, and protect people from digital harm.
  • Cutting-edge tech: Solve problems using AI, risk intelligence, and graph-based systems at global scale.
  • Massive scale, real-world impact: Your work will directly contribute to protecting millions of people and businesses worldwide.
  • Room to grow: Join a company scaling 4x YoY, where ownership and bold ideas are rewarded.
  • Culture that empowers: Flexible work hours, fast-paced environment, and a team that values speed and innovation.
  • Life at Bureau: From offsites and team outings to Friday snacks and friendly table tennis rivalries, we make sure there's energy, fun, and connection beyond work.
