Director of Product & Engineering

Subject7
Fredericksburg, VA Full Time
POSTED ON 6/7/2026
AVAILABLE BEFORE 7/5/2026
About Subject7

Subject7 is a scriptless, enterprise test automation platform serving regulated industries — federal agencies, financial institutions, healthcare, and life sciences. Our customers run in environments where test evidence, auditability, and deployment discipline are not optional. We operate across AWS (US and EU), support FedRAMP-aligned deployments, and manage a distributed architecture including cloud executor orchestration, identity management, and message-based service communication.

We are a small, high-impact team. We own both what we build and how well we build it.

 

Why This Role Exists

Subject7 has reached a stage where product direction and engineering execution can no longer be managed as separate functions. We need a single leader who:

·     Owns the product roadmap and can articulate what we’re building and why to customers, prospects, and the board.

·     Has enough engineering depth to know when root cause analysis is wrong, when a deployment process has gaps, and when the team is shipping risk instead of software.

·     Can institute engineering discipline — change management, deployment gates, incident response, and post-mortem rigor — in a regulated-customer environment.

·     Can manage and develop engineering talent, set quality standards, and create accountability without micromanaging.

This is the person who owns both functions and is accountable for the intersection of product quality, engineering execution, and customer trust.


What You’ll Walk Into

Product:

·     A mature platform (10 years): web, API, database, mobile, desktop, and performance test automation in a single scriptless tool.

·     Three strategic product priorities: FedRAMP Moderate certification, performance/load testing as a sellable product, and security testing as a product.

·     A customer base in regulated industries (federal civilian, financial services, pharma/life sciences) that demands auditable test execution.

·     Enterprise Connect (site-to-site VPN) deployments for high-security customers.

Engineering:

·     A distributed architecture: Proof (core platform), Hera (IAM), Hydra (cloud executor orchestration), Xpoint (headless executors), Worker services, Config Server, Storage Service, ML-Worker (self-healing locators).

·     Java 17, Spring Boot, PostgreSQL, ActiveMQ/JMS, AWS (EC2, RDS, S3), Docker, GitLab CI/CD.

·     A team that ships biweekly releases to production, managing both SaaS and on-premise deployments.

·     Gaps in: deployment change management, root cause analysis rigor, infrastructure change tracking, cross-service compatibility testing, and incident post-mortem quality.


Key Responsibilities

Product Ownership

·     Own the product roadmap end-to-end: FedRAMP certification, performance/load testing commercialization, security testing productization, and platform evolution.

·     Define product requirements that account for compliance constraints (NIST 800-53, SOC 2, FDA 21 CFR Part 11, Section 508) — not as afterthoughts but as first-class product dimensions.

·     Own customer-facing communication for product direction, incident RCAs, and release impact.

·     Drive go-to-market collaboration with Sales and Marketing: positioning, packaging, competitive differentiation.

·     Maintain a single prioritized backlog that balances compliance deadlines, product enhancements, and technical debt.


Engineering Leadership & Accountability

·     Manage the engineering team (or the engineering management layer): set expectations, conduct reviews, develop talent, and make personnel decisions when needed.

·     Institute and enforce deployment discipline: no infrastructure change (AMI, launch template, configuration) ships without documentation, review, and rollback plan. No partial rollbacks. No “it shipped but QA didn’t test it.”

·     Own incident management and post-mortem quality: root cause analysis must be evidence-based and verified before it becomes the official narrative.

·     Ensure cross-service compatibility is tested before deployment.

·     Establish change management for infrastructure changes: AMI updates and configuration changes must be tracked, reviewed, and reversible.

·     Own the QA strategy: what gets tested, how, and what must pass before production deployment. Ensure QA covers not just functional correctness but cross-service integration, backward compatibility, and deployment safety.


Architecture & Technical Judgment

·     You don’t need to write code daily, but you need to be able to read code and logs and to challenge technical conclusions. When the team presents a root cause, you should be able to assess whether the evidence supports it.

·     Make or approve architectural decisions that affect product quality and customer trust: message broker strategy, serialization compatibility, encryption approaches, multi-region deployment patterns.

·     Evaluate build vs. buy decisions with both product and engineering lenses: managed services vs. self-hosted, and third-party integrations.

·     Ensure the team maintains operational awareness: if an AWS metadata service version changes behavior, if a new AMI enforces different security defaults, if a dependency upgrade changes wire format — the team detects and handles these proactively, not reactively after a customer incident.


Regulated Industry Expertise

·     Understand that our customers operate under audit obligations: FDA, FDIC, FedRAMP, SOC 2. An incorrect RCA or an untracked production change is not just an engineering miss — it is a compliance and trust risk.

·     Own the FedRAMP Moderate authorization effort from the product side: control mapping, scope definition, evidence requirements, and timeline management.

·     Ensure platform changes support SOC 2 Type II evidence requirements: access reviews, change management records, incident documentation.


Qualifications

Required

·     10 years in software product and/or engineering leadership, with at least 3 years managing engineering teams directly (hiring, performance, architecture decisions).

·     Product management ownership: has owned a B2B SaaS or enterprise product roadmap, shipped features to paying customers, and communicated product direction to executives and customers.

·     Engineering management experience: has managed engineers, set engineering process (CI/CD, deployment gates, code review, incident response), and been accountable for production quality.

·     Technical depth: can read Java/Spring code, understand distributed system interactions, evaluate root cause analyses, and spot when a technical explanation doesn’t hold up. You’ve been an engineer, an engineering manager, or a deeply technical PM who can hold their own in an architecture review.

·     Regulated industry experience: has worked in or sold to federal, financial, healthcare, or similarly regulated environments. Understands that compliance is not a checkbox — it shapes product and engineering decisions.

·     Incident management rigor: has owned or significantly improved post-mortem/RCA processes. Can distinguish between “we found something that might explain it” and “we have evidence that this was the cause.”

·     Strong written and verbal communication: can write a customer RCA, a board update, a product spec, and a deployment runbook.


Preferred

·     FedRAMP, FISMA, or NIST 800-53 experience — has been through an authorization cycle or has owned product/engineering scope for one.

·     Experience with test automation, QA tooling, or DevOps platforms — understands the market we compete in.

·     AWS operational experience — EC2, RDS, AMI management, IAM, VPC, security groups. Not as a cloud architect, but enough to ask the right questions about infrastructure changes.

·     Experience managing distributed/microservice architectures — service-to-service communication, serialization compatibility, configuration management, message brokers.

·     SOC 2 Type II experience — has maintained or contributed to evidence packages, access reviews, and change management documentation.


Dealbreakers

·     Cannot read or evaluate technical work (code, logs, architecture diagrams). This is not a “delegate everything to engineering” role.

·     No experience managing people. We need someone who has hired, developed, and when necessary, replaced engineers.

·     No experience in regulated or compliance-sensitive environments. Consumer-only or growth-only PM backgrounds will not work here.

·     Cannot write clearly. Customer RCAs, board decks, and product specs are part of this job.


What Success Looks Like

First 90 days:

·     Completed assessment of current engineering process gaps: deployment, change management, incident response, QA coverage, cross-service testing.

·     Established or improved deployment gates and change management for infrastructure changes.

·     Reviewed and corrected (if needed) any outstanding customer-facing incident documentation.

·     Built relationships with every customer-facing team member and key customers.

First 6 months:

·     Engineering is shipping with documented change management, verified RCAs, and cross-service integration testing as standard practice.

·     FedRAMP Moderate roadmap is scoped, sequenced, and in execution with clear milestones.

·     Performance testing and security testing product positioning is defined and aligned with Sales.

·     Team morale and clarity have improved — engineers know what’s expected and have the support to meet it.

First year:

·     Zero customer incidents caused by untracked infrastructure changes or untested cross-service incompatibilities.

·     FedRAMP Moderate authorization is on track or achieved.

·     At least one new product line (performance or security testing) is generating pipeline or revenue.

·     The engineering team is stronger: better process, better talent, better accountability, better outcomes.


Compensation

Competitive base equity, commensurate with experience. This is a leadership role with direct impact on company trajectory.


Subject7 is an equal opportunity employer. We welcome applications from all qualified candidates.


Salary.com Estimation for Director of Product & Engineering in Fredericksburg, VA
$166,704 to $212,907