Job Summary: We are looking for a Senior Security Engineer with expertise in operational security, APIs, cloud environments, and real-world incident response—to detect, contain, and learn from production attacks. Key Highlights: 1. Strong expertise in operational security, APIs, and cloud environments 2. Responsible for detection, containment, and learning from production attacks 3. Not focused on compliance/GRC, but on direct incident response **About Us** ----------------- Technology is what drives us and sustains our accelerated growth. From the ground up, every motorcycle leaves our garage equipped with an IoT device, ensuring 24/7 support for delivery riders and generating valuable data for decision-making. Our entire technology ecosystem is developed internally: * Proprietary fleet management, maintenance, and customer support systems; * Delivery app and platform built from scratch; * 100% cloud-native architecture since inception, emphasizing best practices and modern technologies. ### **About the Role** We are seeking a **Senior Security Engineer** with strong expertise in **operational security**, focused on **APIs, cloud environments, and real-world incident response**. This person will be responsible for **detecting, containing, and learning from production attacks**, ensuring security **without compromising business availability**. We are not looking for someone focused exclusively on compliance, GRC, or isolated penetration testing. We seek someone who **acts when incidents occur**, makes decisions under pressure, and improves the system afterward. ### **Responsibilities** * Lead **security incident detection, containment, and response**, especially for **APIs and critical services** * Design and maintain **incident response playbooks**, focusing on mean time to detect (MTTD), mean time to contain (MTTC), and controlled impact * Define and evolve **actionable security alerts**, reducing noise and false positives * Analyze and respond to **volumetric DDoS and logical API attacks**, applying appropriate strategies for each scenario * Create, tune, and validate **WAF rules, rate limiting, and traffic controls**, carefully avoiding impact on legitimate users * Work with **logs and telemetry** (API Gateway, auth, application, infrastructure) for rapid investigation and response * Collaborate with engineering teams to **integrate security into CI/CD**, without becoming a delivery bottleneck * Lead response to **credential, token, and secret leaks**, including rotation, containment, and impact analysis * Coordinate mitigation actions for **critical CVEs in production**, prioritizing real risk and exposure time * Conduct or support **offensive security tests focused on practical learning**, transforming findings into defensive improvements * Support critical decisions during incidents, including **controlled service degradation or shutdown**, aligned with technical leadership and business stakeholders ### **Technical Requirements** * Practical experience with **cloud security** (AWS, GCP, or Azure) * Solid experience with **API security** (auth, rate limiting, abuse, logical exploitation) * Real-world experience in **production incident response** (not just tabletop exercises) * Practical knowledge of: + WAFs and API Gateways + Rate limiting and traffic control + Logs, metrics, and alerts (observability applied to security) + OAuth2, JWT, service tokens, and secret management * Ability to **identify attack signals before they escalate into critical incidents** * Experience collaborating with engineering and product teams ### **Nice-to-Haves (not mandatory)** * Experience as **security on-call** or leading critical incident response * Prior work with **Blue Team, SecOps, or ProdSec** * Experience with **attack simulations (purple team)** * Knowledge of EDR and endpoint security tools * Experience in high-scale or business-critical systems ### **What We Expect From This Profile** * Ability to **make decisions under pressure**, with clear understanding of trade-offs * Focus on **reducing impact**, not just blocking everything * Mindset of **continuous post-incident learning** * Clear communication with engineering, leadership, and stakeholders * Practical mindset: security that **works in production** **What Doesn’t Fit With Us** --------------------------------- ### **1. Resistance to fast pace and pressure** Mottu has a **high-performance culture**, focused on speed, delivery, and results. The environment is intense and changes rapidly. Those lacking **resilience**, or requiring **constant supervision**, tend to struggle. Here, there’s no room for comfort zones or micromanagement. ### **2. Lack of proactivity and aversion to “getting hands dirty”** We value those who **go to the root cause, engage in operations, and solve problems directly**. Waiting for others to take the lead, avoiding operational tasks, or relying on constant supervision doesn’t align with our culture. Those unwilling to get hands-on rarely understand what needs improvement—and won’t grow here. And when we say “getting hands dirty”, it’s literal: **we go to the workshop, work alongside the team, and perform operational tasks**. This hands-on experience delivers insights impossible to gain remotely. ### **3. Low ownership mindset and limited autonomy** We expect an **owner mindset**: courage to decide, take risks, and generate real impact. Those waiting to be “told what to do” or depending on constant validation tend to fall behind. Ownership here isn’t optional—it’s part of the job. And unlike many companies, **we take it seriously**: those who deliver consistently with the right attitude are recognized, given space, and may even become partners. Stock options aren’t an exception—they’re a consequence. ### **4. Lack of openness to feedback and low emotional maturity** We have a culture of **direct transparency**. Feedback is frequent, honest—and not always gentle. It requires **humility and emotional maturity** to face difficult conversations without ego or sensitivity. Those who avoid constructive confrontation or reject well-intentioned criticism may feel out of place. ### **5. Rigid attachment to standard business hours** Mottu remains a startup in **accelerated growth**. Challenges change quickly, and demands don’t always respect the clock. There’s no right or wrong—what matters is **solving the problem**. If you seek stable routines and strict separation between personal life and work, you may become frustrated here. Delivering quality is the priority—and that doesn’t always fit within standard business hours. ### **6. Lack of commitment and frequent job-hopping** We don’t just seek talent—we seek **people who want to build together**. If your first reaction to every challenge or obstacle is to look for the next opportunity, you’ll likely never have time to generate real impact. Mottu is for those with a **long-term vision**, who wear the jersey and are willing to go through full growth cycles, earn their place, and become partners. Those who don’t commit won’t reap the rewards—and here, they’re substantial for those who stay and make things happen. ### ____________________________________________________________________________________________ **If you identify with this pace, this culture, and want to join a team that truly builds impactful technology: come with us.**