About us
Oligo is a fast-growing cybersecurity startup transforming how organizations protect their applications, cloud environments, and AI systems at runtime. Backed by top-tier investors including Greenfield Partners, Red Dot Capital Partners, Lightspeed, Ballistic Ventures, and TLV Partners, we’re on a mission to make real-time security a reality.
Oligo’s industry-leading runtime security platform is built to stop attacks in real time without stopping the business. We transform security from passive visibility to active protection across applications, cloud services, workloads, and AI systems. By uncovering the deepest layers of what actually runs in production, Oligo helps organizations prioritize exploitable vulnerabilities, detect malicious behavior as it happens, and stop modern attacks in their tracks.
We are looking for a Security GRC & AppSec Engineer who can operate across domains, from writing security policies and managing compliance frameworks to reviewing code, running vulnerability scans, and hardening our applications. This is a hands-on role with high impact across the company.
You will split your time between compliance/governance work and technical application security, with the balance shifting based on business priorities (e.g., heavier on GRC during audit season, heavier on AppSec during major releases).
Key Responsibilities
Governance, Risk & Compliance (GRC)
Own and manage our FedRAMP authorization process end-to-end: SSP documentation, POA&M tracking, continuous monitoring (ConMon), and 3PAO coordination
Maintain and mature compliance programs across SOC 2 Type II, ISO 27001, and other frameworks relevant to our customer base
Conduct internal risk assessments, gap analyses, and control testing
Develop and maintain security policies, standards, and procedures aligned with NIST 800-53 controls
Respond to customer security questionnaires and support sales enablement with security documentation
Application Security & Vulnerability Management
Build and run our AppSec program: threat modeling, secure code reviews, SAST/DAST integration into CI/CD pipelines
Manage vulnerability scanning tools and drive remediation with engineering teams
Triage and prioritize vulnerabilities based on exploitability, business impact, and exposure
Champion secure SDLC practices across the engineering organization, including developer training and security champions programs
Perform or coordinate periodic penetration testing and manage findings through resolution
Monitor and respond to emerging threats, CVEs, and zero-day vulnerabilities affecting our stack
Requirements:
Qualifications
3–5 years of hands-on experience in cybersecurity, with meaningful exposure to both GRC and technical security work
Solid understanding of compliance frameworks: NIST 800-53, SOC 2, ISO 27001
Hands-on experience with application security tools and methodologies (SAST, DAST, SCA, threat modeling)
Experience managing vulnerability scanning and remediation workflows
Familiarity with cloud environments (AWS, Azure, or GCP) and their native security controls
Strong understanding of OWASP Top 10 and common web application vulnerabilities
Excellent written English - you will be writing policies, SSPs, and customer-facing security documentation
Strong cross-team communication skills
Ability to learn independently and adapt quickly in a fast-paced environment
We'll be lucky if you have
Direct experience with FedRAMP authorization (Moderate or High baseline)
Relevant certifications: CISA, CISSP, or AWS Security Specialty
Experience with GRC platforms
Familiarity with DevSecOps practices and infrastructure-as-code security
Questions and answers for the GRC and Application Security Engineer position
A GRC and Application Security Engineer at Oligo Security will split their time between compliance and governance work and technical application security. The role includes managing the FedRAMP authorization process, maintaining compliance programs such as SOC 2 Type II and ISO 27001, conducting risk assessments, developing security policies, and building an application security program that includes threat modeling, secure code reviews, and management of vulnerability scans.