The role
Eligibility
Applicants must be Australian citizens and hold or be eligible to obtain an Australian Government Security Clearance with the ability to successfully complete an Organisational Suitability Assessment. More information regarding security clearances can be found at https://www.agsva.gov.au/.
Key Responsibilities
- Own threat modelling across critical services using structured methodologies such as STRIDE, supported by the CAPEC attack-pattern catalogue, and translate findings into pragmatic mitigation strategies that enable service teams to launch securely.
- Lead resolution of complex security challenges, driving outcomes end-to-end from design reviews, through penetration-testing coordination, to remediation tracking.
- Review code, scripts, and detection mechanisms, and devise resolutions that can be documented and replicated in runbooks.
- Construct security and system runbooks for new problem domains, creating repeatable and scalable frameworks.
- Influence security strategy across related teams and partner organisations, ensuring consistency and raising the collective bar.
- Mentor system engineers and builders, growing their ability to deliver security outcomes independently and guiding teams through risk‐management decisions during high‐pressure situations.
- Communicate security risk and design decisions with clarity to senior leadership and customers, translating technical risk into business‐oriented language.
- Accelerate builder proficiency in Generative AI through targeted education and hands‐on guidance, shaping how teams think about security in an AI‐augmented world.
- Establish and lead the Security Guardians programme—identifying, training, and mentoring security ambassadors embedded within builder teams to scale security reviews and embed security earlier in the development lifecycle.
Day in the Life
Your morning begins with a threat model review for a service nearing its next major release, mapping attack surfaces using STRIDE and crafting mitigation recommendations that balance security rigour with delivery velocity. Mid-morning you run a Security Guardians session, coaching a cohort of embedded security champions through a real-world scenario. After lunch a complex security finding lands on your desk: you dive into the code, collaborate with the service team, and design a resolution that becomes a pattern documented in a runbook. Later you attend a design review with senior leadership, translating technical risk into business language, and close the day by pairing with a junior engineer on a secure code review. Occasionally you participate in on-call rotations, bringing your security expertise to bear on incidents that arise out of hours.
Basic Qualifications
- Experience leading and applying threat modelling activities using structured methodologies (e.g., STRIDE, with CAPEC as an attack-pattern reference), translating findings into pragmatic risk mitigations in code that enable service teams to launch securely.
- Experience owning security risk identification and mitigation outcomes beyond a single team, influencing security strategy across related teams and partner organisations.
- Experience driving application security outcomes end-to-end for service teams, from design reviews and security assessments through to measurable, sustained security risk reduction across a portfolio of services.
- Experience facilitating penetration testing engagements across service teams, guiding scoping, coordinating execution, and partnering with teams to interpret findings, prioritise remediation, and deliver security outcomes.
- Experience building mechanisms to identify, track, measure, and report on security programme effectiveness, creating predictable process paths and reducing reliance on manual overhead.
Preferred Qualifications
- Experience establishing or leading a Security Guardians (developer advocate) programme, or an equivalent distributed security ownership model, training security ambassadors within builder teams to scale security reviews, reduce findings, and embed security earlier in the development lifecycle.
- 5+ years of coding or scripting experience (e.g., Java, Python, TypeScript, Rust) with the ability to review code for security deficiencies and guide builder teams on remediation.
- Experience identifying and resolving systemic security deficiencies that bottleneck innovation, driving security debt reduction across a diverse service portfolio through root‐cause analysis rather than tactical workarounds.
- Experience designing and implementing security automation— building paved paths and reusable mechanisms that deliver security outcomes with minimal builder friction and cost.
- Ability to interpret government security frameworks such as the Australian Government Information Security Manual (ISM) or Protective Security Policy Framework (PSPF).
Benefits
- Learning & development – AWS training and certification support, access to internal learning platforms.
- Health, income protection and life cover – Amazon subsidises private health insurance premiums; group salary continuance and life insurance are included at no cost to you.
- Military differential pay launching in Australia – Australian employees taking defence reserve leave may receive up to 52 weeks of military differential pay to help cover the difference in pay while serving.
- Employee Assistance Program – Free, confidential support 24 hours a day, 7 days a week for you and your family (mental health, financial coaching, legal questions, and everyday life events).
- Family‐building benefit – Access to Maven for fertility treatment, adoption support, surrogacy, and parenting coaching.
- Amazon Extras & employee discount – cashback and discounts across hundreds of retail, fitness, travel, and lifestyle partners.
Amazon is an equal opportunity employer and does not discriminate on the basis of protected veteran status, disability, or other legally protected status.