Staff Security Engineer
About Auror
At Auror, we’re empowering the retail industry to tackle theft and Organised Retail Crime, a $150 Billion problem globally. It’s high volume crime that’s increasingly organised in nature and is putting people, retailers, and communities at risk every day.
Founded in New Zealand 12 years ago, we’re working with some of the best and largest retailers in the world across the US, Canada, Australia, New Zealand, and the UK. Auror is connecting people and intelligence to reduce crime. We’re using technology for good.
Our mission is clear: reduce violent retail crime by 50% in 5 years. It's an ambitious goal - and one we believe is achievable. In partnership with our leading retail partners, we need people with the passion, determination, and innovation required to overcome one of the world's largest problems. If you’re looking to make a difference with and for the people dedicated to stopping crime, for good, then we want you on our team.
We're also embracing the potential of AI to supercharge our impact - whether that's enhancing the way we detect trends, support our customers, or improve internal workflows. As a company, we're committed to responsibly incorporating AI into how we work and what we build, and we encourage all Aurors to be curious about how AI can elevate their work, regardless of role or function.
The Role
We're hiring a Staff Security Engineer to join the Product & Engineering Security pillar at Auror. This is an engineer-first role, scoped for someone who lives in the codebase, ships patches, deploys changes, and raises the security bar of the platform from the inside — not from the sidelines.
The shape of this role has shifted from where Security engineering at Auror started. The bar for impact has moved. We don't need a security specialist who points at risks and writes recommendations for someone else to take action. We need a Staff-level engineer who picks up the ticket, writes the fix, opens the PR, ships the change, and stays close enough to the platform to know what just happened in production. Threat actors are increasingly AI-capable, our platform is increasingly AI-augmented, and our customers' expectations of how fast we can detect, fix, and prove security have stepped up. The response is engineering muscle — applied to security.
At the IC4 (Staff) level, you'll set technical direction for security controls, tooling, and architecture across multiple systems. You'll design security patterns and guardrails that enable safe, repeatable delivery; lead the toughest investigations and architecture reviews; and raise the bar through code, design, and coaching. You'll be a credible engineering voice in cross-functional decisions and a force-multiplier for the engineers around you.
Location:
Auror's headquarters are in Auckland, and we follow a hybrid way of working. However, we're open to hiring someone remotely for this role, provided they are based in New Zealand. While remote work is supported, we place a high value on spending time together in person. Our remote team members typically travel to Auckland approximately every six weeks to join their team and the wider company for collaboration, planning, and social events.
Responsibilities
Ship Code in the Platform: This is the headline. You'll work directly in the Auror codebase — writing patches, fixing vulnerabilities, refactoring weak patterns, and deploying changes in partnership with the product engineering teams. You should be comfortable opening PRs against unfamiliar services, reading through to root cause, and shipping a fix that the owning team would have signed off on themselves.
Build Security Tooling and Automation: Write the tools, automation, and detections that scale the security team's impact. Replace manual evidence collection patterns with code. Build the guardrails that make secure defaults the easy path for the engineers around you.
Application Security and Vulnerability Remediation: Lead threat modelling and architecture reviews for major platform changes. Drive the in-flight Wiz SAST/Code findings closure programme — your work, not someone else's. Push toward engineer-raised PRs using security-provided resolutions, and shoulder the fixes yourself when that's the faster path to closure.
Platform and Infrastructure Security: Partner with SRE and Platform on cloud and infrastructure security — GCP, GitHub Actions hardening, CI/CD security, identity and secrets management, hash-pinning, supply chain controls. Write Terraform, build pipelines, contribute to platform-as-code where the leverage is highest. You should be as comfortable in a deployment YAML as in a vulnerability report.
AI Security and AI-Augmented Engineering: Help define and harden how Auror builds with and defends against AI. Apply security thinking to LLM-integrated features — prompt injection, data leakage, model supply chain, agentic tool use. Use AI engineering tooling (Claude Code and similar) natively to ship security work faster, and help mature the patterns that let the rest of Engineering do the same safely. Stay close enough to the Mythos-class threat landscape to translate it into concrete engineering work — but always as an engineer, not a researcher.
Detection and Response: Partner with the Blue Team workstream to design and tune detections. Write detection-as-code, build playbooks, operate SIEM and CloudSIEM tooling. Lead the technical side of incident response and contribute to post-incident learning.
Customer Security and Assurance: Be the credible technical voice when enterprise customers need depth — architecture questions, technical risk conversations, evidence beyond what the audit pack covers. The Compliance team handles questionnaires; you show up when the conversation gets technical.
Standards, Patterns, and Coaching: Set technical direction for security controls, tooling, and architecture. Publish patterns and guardrails — authentication, secrets, logging, secure-by-default templates — and drive adoption. Coach engineers (inside and outside Security) on secure design and judgement. Raise the bar through code review, design review, and documentation.
This role reports to Scotland Symons, Senior Director of Information Security
Scotland has been working in the Technology & Security industry for the last twenty years and has worked for Microsoft, Apple, Amazon, and a few more. Coming to Auror from the US, she runs the security team, focusing on all of our efforts to secure the platform and code and to protect Auror and its customers. In her own words:
“Security for me is about critical thinking and flexibility. Security is also not linear and requires lots of exploration and through good iteration driving towards the goal of good architecture. I try to weigh the needs of immediate action with long term Security & Engineering efforts while weighing the need of keeping the business going. The role of Information Security can sometimes be stressful, especially in times where there is an incident, and so I try to approach things with deep honesty as well as levity. I always keep failure in mind but don’t look at it as a dead end but rather an opportunity to learn how to get up and keep going.”
Requirements
A track record of writing production code and shipping changes that landed in real systems used by real users
Comfort working in unfamiliar codebases — reading through to root cause, opening PRs, and partnering with owning teams to get changes merged and deployed
Hands-on experience with cloud platforms (GCP preferred, Azure or AWS welcome), CI/CD pipelines, and infrastructure-as-code (Terraform or similar)
Deep technical understanding of multiple classes of security defects and how to design them out, not just catch them
Strong application security background — threat modelling, architecture review, SAST and DAST, secure SDLC — with the engineering chops to act on what you find
Working knowledge of AI and LLM security concerns — prompt injection, data exposure, model and tool-use supply chain — and a pragmatic view on how to build with AI safely
Comfort and fluency using AI engineering tooling (Claude Code/Gemini or similar) to ship work faster, with judgement about where to apply it and where not to
Experience with SIEM tooling — writing queries, building detections, running log analysis
Comfort partnering with SRE and Platform on production systems and shipping changes alongside them
Strong communication skills — explains the "why" behind security decisions in language engineers respect
Curiosity, low ego, and the ability to lead work independently in ambiguous territory
Models thoughtful, calm decision-making under pressure, especially in incidents
We are looking for people who demonstrate a strong alignment to our Guiding Principles (you can find these on our Careers page).
With diversity and inclusion at the forefront of Auror’s guiding principles, we promote a culture that celebrates diversity and inclusiveness at Auror, regardless of, but not limited to, race, gender, sexual orientation, family status, religion, ethnicity, national origin, physical disability, veteran status, or age.
Benefits:
Competitive salary range: The hiring salary range for this role is $150,000-$170,000, depending on level of experience (this role has been scoped as IC4 level).
Annual bonus: Eligibility for a NZD $5,500 bonus at the end of the financial year if we’ve hit our revenue goals together.
Employee share scheme: You’ll own part of a company making a real difference!
Flexibility: We are hard-working and outcome focused, but recognise there is more to life than work. We promote a healthy work/life blend.
Shorter work weeks (at full pay): Everyone gets Friday afternoons off, so you can start your weekend early, and do more of whatever it is that makes you happy.
Health insurance: We prioritise looking after your health by covering 100% of your individual health insurance plan with nib.
Focus on mental and physical health: We understand how vital our health is and have policies to support your wellness, including Wellness Days, and up to $750 for expert sessions every year.
Family-friendly: We offer comprehensive paid parental leave - 12 weeks for birth parents and 6 weeks for non-birth parents following birth, adoption, or surrogacy, available to all Aurors from day one.
Personal growth: We support our team to participate in courses, conferences, or events that will help them develop their skills.
Team love: We have regular team lunches and social events where most (if not all) activities are during work hours.
What are the next steps?
If you’re excited about our mission and you have the experience and a passion for this role, please hit “Apply”.
If you’re not sure that you tick all the boxes but feel you’re close to what we’re looking for, please apply anyway! We’re proud that Auror is a place where everyone can learn and grow so we’d love to hear from you.
You'll be asked to submit a cover letter as part of your application. While this is optional we do encourage it, as we find cover letters can tell a story that resumes alone often cannot. Our hiring team love to understand what attracted you to this role and why you are excited about the opportunity to join Auror.
Once you apply, you’ll hear from us to acknowledge your application. If you have questions about any of the above, or if you have any accessibility requirements, we’ll be able to help you from there.