Job Description
About us
Oligo is a fast-growing cybersecurity startup transforming how organizations protect their applications, cloud environments, and AI systems at runtime. Backed by top-tier investors including Greenfield Partners, Red Dot Capital Partners, Lightspeed, Ballistic Ventures, and TLV Partners, we’re on a mission to make real-time security a reality.
Oligo’s industry-leading runtime security platform is built to stop attacks in real time without stopping the business. We transform security from passive visibility to active protection across applications, cloud services, workloads, and AI systems. By uncovering the deepest layers of what actually runs in production, Oligo helps organizations prioritize exploitable vulnerabilities, detect malicious behavior as it happens, and stop modern attacks in their tracks.
We are looking for a Security GRC & AppSec Engineer who can operate across domains: from writing security policies and managing compliance frameworks to reviewing code, running vulnerability scans, and hardening our applications. This is a hands-on role with high impact across the company.
You will split your time between compliance/governance work and technical application security, with the balance shifting based on business priorities (e.g., heavier on GRC during audit season, heavier on AppSec during major releases).
Key Responsibilities
Governance, Risk & Compliance (GRC)
Own and manage our FedRAMP authorization process end-to-end: SSP documentation, POA&M tracking, continuous monitoring (ConMon), and 3PAO coordination
Maintain and mature compliance programs across SOC 2 Type II, ISO 27001, and other frameworks relevant to our customer base
Conduct internal risk assessments, gap analyses, and control testing
Develop and maintain security policies, standards, and procedures aligned with NIST 800-53 controls
Respond to customer security questionnaires and support sales enablement with security documentation
Application Security & Vulnerability Management
Build and run our AppSec program: threat modeling, secure code reviews, SAST/DAST integration into CI/CD pipelines
Manage vulnerability scanning tools and drive remediation with engineering teams
Triage and prioritize vulnerabilities based on exploitability, business impact, and exposure
Champion secure SDLC practices across the engineering organization, including developer training and security champions programs
Perform or coordinate periodic penetration testing and manage findings through resolution
Monitor and respond to emerging threats, CVEs, and zero-day vulnerabilities affecting our stack
Requirements
Qualifications
3–5 years of hands-on experience in cybersecurity, with meaningful exposure to both GRC and technical security work
Solid understanding of compliance frameworks: NIST 800-53, SOC 2, ISO 27001
Hands-on experience with application security tools and methodologies (SAST, DAST, SCA, threat modeling)
Experience managing vulnerability scanning and remediation workflows
Familiarity with cloud environments (AWS, Azure, or GCP) and their native security controls
Strong understanding of OWASP Top 10 and common web application vulnerabilities
Excellent written English: you will be writing policies, SSPs, and customer-facing security documentation
Strong cross-team communication skills
Ability to learn independently and adapt quickly in a fast-paced environment
We'll be lucky if you have
Direct experience with FedRAMP authorization (Moderate or High baseline)
Relevant certifications: CISA, CISSP, or AWS Security Specialty
Experience with GRC platforms
Familiarity with DevSecOps practices and infrastructure-as-code security