Platform Security Engineer

Position Summary

Teal Drones is seeking an experienced Platform Security Engineer to own and mature our end-to-end software security posture across embedded Linux drone platforms, CI/CD infrastructure, and government cloud environments.

This role is the primary security authority responsible for threat modeling, vulnerability management, hardened firmware builds, secrets governance, and compliance assessments including Blue List / DoD evaluations.

You will collaborate directly with embedded firmware engineers, DevOps, various customers and platform teams to embed security into every layer of the software development lifecycle.  This role also includes many hands-on engineering duties.

Essential Duties and Responsibilities

Embedded Linux Platform & Firmware Security

• Design, implement and enforce hardening standards for Ubuntu-based embedded Linux firmware running on Qualcomm QRB5165/8550 and similar SoC platforms.
• Own the process and conduct hands-on activities of auditing, patching, and validating OS-level security updates (e.g., Ubuntu ESM, CVE triage) for offline-deployable drone firmware images.
• Identify and eliminate unnecessary services and open from production firmware builds to reduce attack surface during compliance assessments.
• Develop, author and maintain BitBake/Yocto security recipes and patches for Qualcomm BSP layers, ensuring build-time application of security hardening.

Software Build Pipeline Security

• Secure CI/CD pipelines, including build isolation, artifact integrity, and protection against race conditions and cross-job artifact contamination.
• Enforce code signing, reproducible builds, and chain-of-custody controls for firmware artifacts distributed via internal Apache/S3 infrastructure.
• Implement and audit role-based access controls across SCM and build systems.
• Define and enforce branch protection policies, merge request security gates, and automated SAST/SCA scanning in CI pipelines.

Secrets Management & Cryptography

• Lead, design and implement a secrets management strategy across build servers, embedded devices, and cloud infrastructure (e.g., HashiCorp Vault, AWS Secrets Manager).
• Govern cryptographic key lifecycle: RSA key generation, rotation, storage, and revocation for firmware signing, device authentication, and secure comms.
• Eliminate hardcoded credentials and insecure secret injection patterns across build scripts, Dockerfiles, and configuration files.
• Implement challenge-response and hardware-rooted authentication mechanisms for embedded device access control.

Government Cloud & Compliance Security

• Guide and build architecture and security controls for GovCloud (AWS GovCloud, Azure Government) deployments, ensuring alignment with FedRAMP, NIST SP 800-171, CMMC, and DoD IL requirements.
• Hands-on respond to Nessus/vulnerability scanner findings (e.g., open port documentation, service inventory) from internal security assessments and Blue List evaluations.
• Maintain security documentation including system security plans (SSPs), POA&Ms, and network/service inventories for auditable compliance records.
• Coordinate with assessors and program security officers during formal security reviews of drone systems and supporting infrastructure.

Network & Device Security

• Conduct and review network security assessments of drone fleet infrastructure, including nmap/Nessus scanning, open port auditing, and firewall rule management.
• Establish secure remote access patterns for embedded devices (ADB, SSH hardening, udev-based controls) and enforce least-privilege access models.
• Oversee radio frequency and communications security for drone platforms, including secure licensing and MAC-based authentication workflows for radio hardware.
• Monitor and respond to security events across fleet management infrastructure using Prometheus/Grafana or similar alerting pipelines.

Security Program Leadership

• Define and maintain the organization’s platform security roadmap, policies, and standards across hardware, firmware, software, and cloud layers.
• Champion a security-first engineering culture through training, threat modeling workshops, and design reviews.
• Manage third-party security vendors, penetration testers, and compliance consultants.
• Track and report on security KPIs and vulnerability SLA compliance to engineering leadership.

Required Qualifications

• Bachelor's or master's degree in computer science, Computer Engineering, or a related field.
• 5 years hands-on experience in application security engineering, product security, or a closely related security engineering role.
• Deep experience with embedded Linux systems (Yocto/BitBake, systemd, OverlayFS, device bring-up).
• Strong proficiency in Linux OS hardening: service minimization, Ubuntu security patching (ESM), CVE management, and secure boot.
• Experience securing CI/CD pipelines (Jenkins, GitLab CI) including artifact signing, secret scanning, and build isolation.
• Proficiency with container technologies, primarily Docker.
• Solid understanding of cryptography fundamentals: RSA, TLS, symmetric encryption, PKI, key management best practices.
• Familiarity with government cloud security frameworks: FedRAMP, NIST 800-171, CMMC Level 2/3, or DoD IL2/IL4.
• Experience with vulnerability management tooling: Nessus, OpenVAS, nmap, or equivalent.
• Strong proficiency in scripting (Bash, Python) for security automation and tooling.
• Strong written communication skills for producing compliance documentation and security assessments.
• Proficiency with secrets management platforms (HashiCorp Vault, AWS Secrets Manager, SOPS).

Additional Desired Qualifications

• Active DoD security clearance or eligibility preferred.
• Background in drone, robotics, or aviation ssystems security.edge of radio communications security and RF licensing compliance.
• Relevant certifications: CISSP, OSCP, CSSLP, GREM, or equivalent.
• Experience with Qualcomm SoC platforms (QRB5165 or similar) and Android Debug Bridge (ADB) workflows.

Physical Requirements and Working Conditions

• Must be able to walk, stand, and navigate large indoor and outdoor facilities for extended periods of time.
• Ability to lift, carry, and move materials and equipment weighing up to 25 lbs on a regular basis.
• Use of personal protective equipment (PPE) may be required in designated areas or when performing specific tasks, in accordance with safety protocols and company policy.
• May be required to climb ladders, stoop, kneel, or crouch during inspections, maintenance walk-throughs, or emergency response situations.
• Regular exposure to facility operations including noise, dust, temperature fluctuations, and industrial equipment.
• Occasional off-hours or weekend work required for emergency facility responses or projects as needed
• Requires frequent use of a computer and other standard office equipment for documentation, communication, and coordination tasks.

Background Check

This position will require successfully completing a post-offer background check. Qualified candidates with a criminal history will be considered and are not automatically disqualified, consistent with federal and state law.

EEO and ITAR/EAR Work Authorization Disclosure

Red Cat Holdings provides equal employment opportunities (EEO) to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This position requires direct or indirect access to hardware, software, technology or technical data controlled under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). Successful candidates for positions subject to ITAR/EAR restrictions must provide proof of U.S. Citizenship or Permanent Residence and must not require sponsorship for export-restricted work authorization.

E-Verify

The company participates E-Verify ensure eligibility for employment and compliance with Right to Work rules.

Compensation: Salary plus generous annual equity package and potential bonuses.