Lead Security Engineer

Remote • Posted 1 day ago • Updated 1 day ago
Full Time
Occasional Travel Required
Remote
130000 - 160000/yr

Job Details

Skills

  • PCI/DSS
  • SOC 2/ISO 27001
  • AWS

Summary

Lead Security Engineer

Lucrotec LLC — Remote (U.S.) Full-Time

PRIORITY GIVEN TO INDIVIDUALS LIVING IN NORTHERN VA OR NORTHERN NJ

Compensation: $130,000 – $160,000 base (commensurate with experience) + benefits

 

About Lucrotec & APeX

Lucrotec operates APeX, a B2B payment automation platform that processes supplier payments — Virtual Card, ACH, and check — on behalf of enterprise clients. APeX runs on Windows Server EC2 instances backed by SQL Server in AWS, integrated with major card networks and banking partners across a multi-tenant environment. The security engineer in this role is protecting a regulated payments platform that sits at the intersection of fintech, enterprise AP automation, and card network compliance — meaningful work with real stakes. Lucrotec is proud to be recognized for its consistent growth and commitment to excellence, earning placement on both the Deloitte Technology Fast 500 and the Inc. 5000 list of America's fastest-growing private companies.

 Position Overview

The Lead Security Engineer owns Lucrotec's day-to-day security operations and drives project-based improvements to the company's overall security posture. This is currently a team-of-one role reporting directly to the CTO, with a defined path to Chief Security Officer as the organization scales. The role works closely with the System Administrator and IT Operational Support to secure AWS and Microsoft cloud environments and ensures ongoing compliance with SOC 2 and PCI DSS control requirements.

 This role requires both strategic ownership and hands-on execution. The ideal candidate is a senior practitioner ready to step into a security leadership role — someone who can operate independently today and build a function around themselves over time. Candidates seeking pure execution without ownership, or immediate team leadership without hands-on work, are likely not the right fit.

 Core Responsibilities

Vulnerability & Application Security

  • Execute vulnerability scans and remediate findings using Qualys Vulnerability Management (VM), Web Application Security (WAS), and PCI ASV modules
  • Review and remediate findings from AWS Inspector and AWS GuardDuty
  • Generate and present remediation reports for all scanning activities

Network & Infrastructure Security

  • Monitor and maintain firewall rulesets and AWS security group configurations
  • Configure, monitor, and remediate Intrusion Detection/Prevention System (IDS/IPS) alerts
  • Manage the end-to-end patch management lifecycle: identification, prioritization, testing, and deployment
  • Apply and maintain system hardening baselines, including removal of unnecessary services and vulnerability remediation workflows

Identity & Access Management

  • Conduct monthly user access reviews
  • Maintain cryptographic key and certificate inventory

Configuration Management

  • Maintain and update the CMDB, including server inventory, network security control rulesets, and change tracking

Compliance & Audit Support

  • Collect and organize evidence in support of SOC 2 and PCI DSS audits and assessments
  • Coordinate third-party penetration testing engagements

 Active Project Portfolio

The following initiatives are currently in flight or planned — candidates should expect to engage with these from Day 1:

  • AWS GuardDuty configuration enhancement and ongoing monitoring
  • Intrusion detection/prevention improvements
  • Audit log retention, protection, and formal log review process
  • File Integrity Monitoring implementation (Corner Bowl Software)
  • MFA enforcement for RDP access
  • MDM policy implementation via Microsoft Intune
  • Endpoint security improvements including anti-malware and antivirus management

 Qualifications

Education & Experience

  • Bachelor's degree in Computer Science, Information Security, Information Systems, or a related field — or equivalent work experience. Relevant certifications (CISSP, CISM, Security+, or similar) are a recognized substitute for formal education and will be evaluated accordingly.
  • 5+ years of hands-on experience in information security, with at least 2 years in a lead or senior individual contributor role
  • Experience in a regulated environment (PCI DSS, SOC 2, or similar) strongly preferred
  • Fintech, payments, or financial services background a plus

Cloud & Infrastructure Security

  • Demonstrated experience securing AWS environments, including hands-on use of GuardDuty, Inspector, Security Hub, CloudTrail, and Security Groups
  • Familiarity with Microsoft cloud environments (Azure AD / Entra ID, Intune/MDM, Microsoft 365)
  • Experience with network security controls including firewall ruleset management, IDS/IPS configuration, and security group administration
  • Understanding of system hardening principles and baseline configuration management (CIS Benchmarks or equivalent)

Vulnerability & Application Security

  • Experience with enterprise vulnerability management platforms; specific tool experience helpful but not required — we care more about the process than the product
  • Familiarity with web application security concepts (OWASP Top 10) and remediation workflows
  • Experience coordinating or supporting third-party penetration testing engagements

Compliance & Audit Support

  • Working knowledge of PCI DSS v4.0 requirements, particularly as they relate to network security, access control, vulnerability management, and logging
  • Experience supporting SOC 2 audits including evidence collection and control documentation
  • Familiarity with log management/SIEM tools, audit log retention requirements, and formal log review processes
  • Respond to security questionnaires and due diligence requests from clients and partners

Identity, Access & Endpoint Management

  • Experience with identity and access management processes including periodic access reviews and privileged access controls
  • Familiarity with certificate and cryptographic key lifecycle management
  • Hands-on experience with endpoint security tools including anti-malware/antivirus platforms and MDM solutions; Microsoft Intune experience helpful but not required
  • Experience implementing or managing MFA across remote access technologies (RDP, VPN)

AI & Productivity Tools

  • Demonstrated comfort using AI tools in day-to-day work, including large language model assistants (e.g., Claude, ChatGPT) and AI-assisted coding/productivity tools (e.g., GitHub Copilot, Microsoft Copilot)
  • Ability to apply AI tools practically to security workflows — including documentation drafting, log analysis, scripting assistance, and research — while exercising appropriate judgment about what AI output to trust and verify

Soft Skills & Work Style

  • Ability to work independently and manage multiple concurrent initiatives with minimal oversight
  • Strong written communication skills — able to produce audit-ready documentation, remediation reports, and executive summaries
  • Collaborative working style with the ability to partner effectively with IT/System Administration
  • Comfortable operating in a small team environment where the role requires both strategic thinking and hands-on execution
  • Growth mindset with a genuine interest in building and leading a security function — this role has a defined path to Chief Security Officer as Lucrotec scales

 Lucrotec is an equal opportunity employer.

  • Dice Id: PTPlN1aafmbaN9S
  • Position Id: 8982446