Are you a security engineer who thinks like an attacker but works like a builder? Someone who can find the flaw in an API design before it ships, write the tooling to catch the next one automatically, and partner with engineering teams to build more secure software end to end? Someone who can own the detection and response capabilities that keep infrastructure safe, and still show up sharp when an incident needs an expert hand? If so, we want to talk to you.
As a Staff Security Engineer at Apollo, you'll bring deep expertise across both application security and security operations to help us protect the products we build and the infrastructure we run them on. This is a high-impact, high-ownership role where you'll shape how we approach secure development, lead detection and response, and be a trusted partner to engineering teams building Apollo's API platform.
What you’ll do
- Partner with engineering teams to conduct threat modeling and security reviews on new features and architecture changes
- Establish and evolve Apollo's application security program including SAST/DAST tooling, dependency scanning, and secure coding standards
- Drive security requirements into the SDLC, embedding security gates into CI/CD pipelines
- Identify and remediate vulnerabilities in Apollo's products and APIs, with a focus on reducing systemic risk rather than one-off fixes
- Act as a security advisor for product teams building customer-facing features, particularly those involving authentication, authorization, and data handling
- Advance Apollo’s detection and response strategy in partnership with engineering and IT leadership
- Implement and maintain adherence to SOC 2 and other cloud security frameworks
- Handle escalations from Sales and Customer Success
- Build and tune monitoring, logging, and alerting systems to improve visibility while reducing noise
- Drive automation of SecOps workflows to speed up investigation and response
- Guide secure adoption of AI across Apollo - from internal use by engineers to AI-powered product features
- Participate in our on-call rotation (we keep this lightweight and reasonable)
Who you are
- Experienced in application security — familiar with OWASP, threat modeling, secure code review, and API security patterns
- Comfortable contributing to or reviewing code, and knows how to work with developers in ways that actually improve security culture (not just file findings)
- Has shipped developer-facing security tooling or guardrails — things engineers actually use
- Skilled at both cloud security controls (AWS, GCP) and application-layer security — understands the full stack from infrastructure up through the API and application layer
- Comfortable working directly with engineers to embed operational security practices into their workflows
- Strong communicator who can explain threats and mitigations clearly to both technical and non-technical audiences
- Excited about the intersection of AI and security, with ideas for how to safely harness AI while managing its risks
- Motivated by outcomes - not just solving incidents, but building resilient systems and reducing risk at scale
Minimum requirements
- 6+ years in security engineering, spanning both application security and security operations
- Strong foundation in AppSec: threat modeling, SAST/DAST, dependency management, secure SDLC practices
- Deep expertise with detection and response in cloud-native environments
- Experience building and automating security tooling (scripting/programming language, SIEM, SOAR, or AppSec tooling)
- Proven ability to partner with engineering teams to improve security posture while minimizing the impact on delivery times
- Track record of influencing security culture across an engineering organization
- Strong knowledge of SOC 2, ISO 27001, or similar security frameworks
- Proven ability to lead or coordinate incident response across multiple teams
- Track record of influencing operational security culture and practices without direct authority
Nice to have
- Experience working with AI security - either in detection, incident response, or product security contexts
- Prior experience supporting enterprise customer audits or due diligence processes
- Familiarity with Terraform, Kubernetes, or other modern infrastructure stacks
- Hands-on experience with threat hunting and detection engineering
- Experience securing GraphQL APIs, federation, or API gateway patterns
- Familiarity with software supply chain security (SBOM, Sigstore, dependency auditing)
- Prior work on security champions programs or developer security education
About Apollo
Whether you binge-watch a series on Netflix, plan faraway vacations from your phone, or read international news online, you’ve likely used Apollo’s technology this week. Apollo supports some of the largest GraphQL platforms in the world.
We’re not looking to rest on our laurels though — we’re aiming to change how software is built. Apollo wants to empower every software team to build an amazing user experience across any number of clients, without dealing with a barrage of API endpoints.
Equal to all of that, Apollo is intent on becoming the company where you can see your career grow through challenging work, collaborating with incredible teammates, and accomplishing the unattainable.