Security Engineer
ABOUT YOU
Xsolla seeks a security engineer to join a new security team during a critical build-out phase. You work across application security and infrastructure security - reviewing code, hardening cloud environments, supporting incident response, and partnering with engineering teams to improve security posture across the company.
This is a generalist role well-suited to an early-team hire. You are comfortable working across domains rather than specializing in one, and you grow into deeper expertise as the team and program mature. You collaborate closely with the security program manager and work directly with engineering teams on secure design, findings, and remediation.
Our tech stack includes GCP, vSphere/ESX, Kubernetes and container workloads, MariaDB, CockroachDB, Go, PHP, and Python. You do not need expertise in all of these, but you are comfortable navigating a mixed environment and learning what you need.
As always true in job descriptions, there is an intangible value that is hard to capture. We look for a diverse set of perspectives and skills. Even if you don't match every requirement, we encourage you to apply if you think you can be highly successful in this role.
ABOUT US
Xsolla is a global commerce company with robust tools and services to help developers solve the inherent challenges of the video game industry. From indie to AAA, companies partner with Xsolla to help them fund, distribute, market, and monetize their games. Grounded in the belief in the future of video games, Xsolla is resolute in the mission to bring opportunities together, and continually make new resources available to creators. Headquartered and incorporated in Los Angeles, California, Xsolla operates as the merchant of record and has helped over 1,500+ game developers to reach more players and grow their businesses around the world. With more paths to profits and ways to win, developers have all the things needed to enjoy the game.
For more information, visit xsolla.com.
Responsibilities
Perform Application Security Reviews - Conduct code reviews, run SAST/DAST and dependency scanning tools, and work with engineering to resolve findings.
Participate in Threat Modeling - Contribute to threat modeling sessions for new features and architecture changes, helping identify risks early in the design process.
Help Harden Cloud and Container Infrastructure - Work on GCP, Kubernetes, and IAM configurations to strengthen the security of our cloud and container environments.
Participate in Pen Test Remediation - Help triage penetration test findings and work with engineering teams to implement fixes, coordinating closely with the security program manager.
Partner with Engineering on Secure Design - Review architectures, advise on secure implementation patterns, and help teams make informed security decisions.
Identify and Track Security Findings - Document findings, assess severity, and track them through the remediation lifecycle to resolution.
Support Incident Response - Help investigate and document security events, contribute to root-cause analysis, and support containment efforts.
Write Async Security Guidance - Produce advisories, best-practice documentation, and practical guidance that helps engineering teams build securely across time zones.
Support Product Security - Work with partners on the security posture of customer-facing services, contributing to reviews and assessments as needed.
What You Bring
Foundational AppSec Knowledge - Understands common vulnerability classes, secure coding patterns, and how to conduct a meaningful code review.
Cloud Environment Exposure - Has worked with GCP or a similar cloud provider and is comfortable with IAM, networking, and container concepts.
Code Literacy - Reads and reviews code in one or more of: Go, Python, PHP. Does not need to be a software engineer, but can follow logic and spot issues.
Security Tooling Familiarity - Has used or is familiar with SAST, DAST, or dependency scanning tools and understands how they fit into a development workflow.
Strong Written Communication - Writes clear, concise async documentation - findings, advisories, guidance - that works across time zones and audiences.
Collaborative Mindset - Partners effectively with engineering teams. Focuses on helping teams build securely rather than just identifying problems.
Self-Directed with Growth Mindset - Eager to learn, comfortable with ambiguity, and able to make progress with minimal direction in a new and evolving team.
Nice to Have
Threat modeling experience;
Hands-on Kubernetes or container security experience;
Infrastructure security background - Linux, networking, vSphere/ESX;
Familiarity with NIST CSF, PCI, SOC 2, or ISO 27001 from a technical perspective;
Detection engineering or incident response experience;
Experience building security automation or internal tooling;
Relevant certifications (OSCP, GWAPT, CKS, or similar hands-on certs).
Xsolla operates across multiple time zones. Strong written communication is essential - you will need to document your work clearly so findings and context are not lost across handoffs. We value directness, intellectual honesty, and follow-through. If you do not know something, say so and find out. If you find something, explain it clearly and see it through to resolution.