Used Tools & Technologies
Not specified
Required Skills & Competences
Each tag name is followed by an "@" symbol and a proficiency level value.
About proficiency levels:
- 1-2 — basic awareness. Minimal hands-on experience, and a rudimentary understanding of the technology's purpose;
- 3-6 — daily use. Comfortable and regular usage, capable of handling common tasks and challenges related to the technology;
- 7-9 — expert. You can teach others and know all the pitfalls and tricks;
- 10 — exceptional knowledge, comprehensive understanding, and adeptness in all aspects of the technology, including advanced problem-solving. Think twice before claiming or demanding such a level.
Security @ 4
Go @ 4
Python @ 4
GitHub @ 4
GitHub Actions @ 4
CI/CD @ 4
Leadership @ 4
Scoping @ 4
Communication @ 4
JavaScript @ 4
Prioritization @ 4
Rust @ 4
Maven @ 4
AI @ 4
Details
At SentinelOne we are driven to give the advantage to those who secure our future. Our AI-native platform unifies protection across endpoint, cloud, identity, data, and AI systems to deliver autonomous detection and response. Teams at SentinelOne build, solve problems, and innovate to shape the future of security.
As a Staff Supply Chain & Build-System Security Engineer you will be a trusted advisor to customers when malicious packages or CI/CD compromises occur. You will work on top of the output of our agentic code scanning pipeline, validate supply-chain signals, run reachability analyses, and help harden pipelines that ship customer code into production.
Responsibilities
- Lead Wayfinder Frontier AI Services customer engagements focused on end-to-end software supply chain risk: scope, deliver, and present findings to customer engineering and security leadership.
- Review and triage supply chain findings from the agentic code scanning pipeline: validate true positives, eliminate noise, prioritize by real exploitability in the customer's environment, and ensure findings delivered to customers are actionable.
- Investigate malicious-package incidents: triage suspected compromise, reverse engineer obfuscated install scripts (e.g., bun_environment.js-class), identify blast radius, and produce customer deliverables.
- Build dependency graphs and perform reachability analyses across npm, PyPI, Maven, NuGet, Go modules, and Rust crates; document and prioritize findings.
- Build and review SBOM and AIBOM artifacts.
- Deliver recommendations for hardening customer CI/CD pipelines: GitHub Actions, pinning, OIDC, Trusted Publisher migration, hardened-runner deployment, and runner identity scoping.
- Cover client-side supply chain risk in customer engagements (e.g., Magecart-class compromises, CDN compromise, browser-bundle dependency confusion).
Requirements
- 7+ years in security with a strong concentration in software supply chain, build systems, or product security, plus a credible development background.
- Proven track record translating complex findings into technical and executive-level debriefs; excellent written and verbal communication skills are essential.
- Deep fluency in npm internals: the publish flow, registry mechanics, and Trusted Publisher and OIDC publishing flows; working depth across PyPI, Maven Central, and NuGet.
- Hands-on dependency analysis and reachability-based prioritization across multiple languages and ecosystems.
- Working knowledge of SBOMs, build provenance, and artifact signing, including SLSA, in-toto, and Sigstore, and how to enforce them in real pipelines.
- Experience hardening build environments, GitHub Actions, runner isolation, and locked-down secrets handling.
- Hands-on malicious-package triage and static reverse engineering of obfuscated JavaScript and Python.
- Client-side supply-chain investigation experience (e.g., Magecart-class attacks, CDN compromise, dependency confusion in browser bundles).
- Experience with AI-accelerated development and supply chain scanning methodologies; familiarity with agentic code scanning pipelines and Wayfinder Frontier AI Services is a plus.
Benefits
- Restricted Stock Units (RSUs) and Employee Stock Purchase Plan (ESPP)
- Flexible time off, paid company holidays, and paid sick time
- Gender-neutral parental leave and grandparent leave
- Medical, dental, and vision coverage
- 401(k) retirement plan with company match
- Life and disability insurance, Health and dependent care FSA
- Voluntary benefits (hospital, accident, critical illness), Employee Assistance Program (EAP), ARAG pre-paid legal
- Home office allowance, mobile phone reimbursement
- Wellness coach, wellness/gym reimbursement, fertility coverage, adoption & surrogacy reimbursement
Compensation
This U.S. role has a base pay range that will vary by candidate location. Base salary range: $156,000—$200,000 USD.
SentinelOne participates in the E-Verify Program for all U.S.-based roles and is an Equal Employment Opportunity and Affirmative Action employer.