Bestkaam Logo
Back to Jobs
avertra

Security Engineer

Actively Reviewing

avertra

4–8 yrs exp Posted 2 days ago  · Apply by Sep 14, 2026
Avertra's mission is to Simplify Life — automating complex decision-making for customer-centric industries including Utilities, Financial Services, Logistics, and Commerce, while directly improving the employee and customer experience.

What We Promise You:
  • A global family building a sustainable, scalable ecosystem guided by logic and empathy.
  • A clearly-scoped, high-impact mandate, ship real controls, not just reports.
  • Genuine investment in your growth and mastery of your domain.
The Security Engineer is responsible for building the runtime, detection, and application-security layers that carry Avertra into SOC 2 and PCI DSS 4.0 compliance, partnering with the in-house DevOps team on Avertra’s Azure / AKS platform (TypeScript / React / Node application landscape, including billing and guest-payment flows in PCI scope).

The role owns security design, detections and rules, application-security testing, the vulnerability management program, vendor remediation, and control evidence. DevOps owns the CI/CD pipeline, AKS, and infrastructure execution; a fractional vCISO and GRC platform own the audit itself, this role supplies and maintains the evidence for the controls it builds.


Main Job Responsibilities
  • Application Security Testing
    • Introduces and tunes DAST against running applications; triages findings and drives fixes.
    • Deploys and owns a semantic SAST engine tuned for TypeScript / React / Node; owns the rules, triage, and merge-block policy.
  • Detection Engineering & Response
    • Builds the detection layer on the SIEM: correlation rules, alerts, and incident playbooks.
    • Defines and tunes runtime workload detection in AKS and file-integrity monitoring.
    • Owns what is detected and how the organization responds, while DevOps stands up SIEM infrastructure, log shipping, and agent deployment.
  • Edge & Network Controls
    • Owns the WAF ruleset: tunes the OWASP ruleset, defines exceptions, and confirms Prevention mode and that logs reach the SIEM.
  • Vulnerability Management as a Program
    • Stands up a vulnerability aggregator: dedups across scanners, assigns owner and risk-based SLA per finding, drives ticketing, and surfaces SLA breaches on a dashboard.
    • Defines secret-scanning policy (pre-commit and history sweep) and unifies the release gate across all scanners.
  • Assurance & Evidence
    • Manages the ASV scan and annual penetration-test vendors; triages results and drives remediation.
    • Produces and maintains evidence for owned controls, alongside the vCISO and GRC platform, to support SOC 2 Type II and PCI DSS 4.0 assessments (supports, but does not run, the audit).





Requirements

Needed Competencies
  • Technical expertise integrating and tuning security scanners in CI/CD pipelines (Azure DevOps ideal): SAST, DAST, SCA, secrets, IaC.
  • Technical expertise in DAST (OWASP ZAP or equivalent) and semantic SAST engines (Semgrep / CodeQL) on TypeScript / React / Node codebases.
  • Technical expertise in SIEM detection engineering (Microsoft Sentinel and/or Wazuh / Elastic): writing detections, correlation, alert tuning, and playbooks.
  • Technical expertise in Kubernetes / AKS security and runtime detection (Falco / Defender for Containers), network policies, and Pod Security Standards.
  • Technical expertise in vulnerability management: aggregation / dedup, risk-based SLAs, and triage (DefectDojo or equivalent).
  • Technical expertise in Azure security fundamentals: Defender for Cloud, Entra ID / RBAC, Key Vault, and edge WAF (OWASP ruleset).
  • Solid grounding in OWASP Top 10, TLS / PKI, authentication protocols, and API security.
  • Strong decision-making capabilities to weigh the relative costs and benefits of controls and prioritize risk-based remediation.
  • Ability to produce clean, audit-ready evidence for SOC 2 and/or PCI DSS control requirements (supporting, not running, the audit).
  • Builder’s mindset: OSS-first, iterating toward managed services.
  • Clear communicator: able to translate risk for engineers and executives, with strong written English and documentation.
  • Collaborative: drives secure-by-default practices through the DevOps and engineering teams rather than owning infrastructure directly.

Education
  • Bachelor’s on Computer Science, Information Technology, or a related field is recommended as a reasonable default, to be confirmed.

Experience
  • 4–7 years in security engineering, DevSecOps, or application security, with hands-on experience building and tuning security controls. Comfortable partnering with DevOps / platform teams rather than owning infrastructure directly.

Knowledge, Skills and Abilities
  • Excellent written and spoken English; able to translate risk clearly for both engineers and executives.
  • Experience preparing an organization for a first SOC 2 Type II or PCI DSS assessment (nice-to-have).
  • Familiarity with GRC / continuous-compliance platforms (Vanta, Drata); policy-as-code (OPA / Conftest); threat modeling (nice-to-have).
  • Preference for OSS-first security tooling with a managed Azure-native upgrade path.
  • Effective listening and multi-tasking capabilities across concurrent security workstreams.

Preferences
  • Certified Kubernetes Security Specialist (CKS)
  • Microsoft SC-200
  • Microsoft AZ-500
  • OSCP
  • CEH
  • PCI ISA / PCIP
  • CISSP / CISM

Travel
  • Up to 15%

Work Schedule
  • Monday–Friday, 10:00 AM – 7:00 PM (or as agreed). Hybrid work model, demand-based.