Senior Security Engineer

• Posted 1 day ago • Updated 1 day ago
Full Time
On-site
USD $140,875.00 - 153,750.00 per year

Job Details

Skills

  • Business Strategy
  • Due Diligence
  • Private Equity
  • Decision-making
  • Innovation
  • Analytical Skill
  • Proprietary Software
  • Hardening
  • Product Engineering
  • API
  • Collaboration
  • Data Governance
  • Computer Science
  • Information Systems
  • Cyber Security
  • DevOps
  • FOCUS
  • Access Control
  • Incident Management
  • Security Engineering
  • Security Architecture
  • PKI
  • Management
  • Auditing
  • Log Analysis
  • Kubernetes
  • Oracle Policy Automation
  • Network
  • Supply Chain Management
  • Vulnerability Management
  • SAML
  • OIDC
  • OAuth
  • IDP
  • Microsoft Azure
  • Data Security
  • DLP
  • Amazon Web Services
  • SIEM
  • Scripting
  • Python
  • Bash
  • Regulatory Compliance
  • System On A Chip
  • ISO/IEC 27001:2005
  • Generative Artificial Intelligence (AI)
  • Threat Modeling
  • Security Policy
  • Technical Drafting
  • Continuous Integration
  • Continuous Delivery
  • Design Review
  • Security Controls
  • Artificial Intelligence
  • Training
  • Insurance

Summary

Description & Requirements

WHAT MAKES US A GREAT PLACE TO WORK

We are proud to be consistently recognized as one of the world's best places to work. We are currently the top ranked consulting firm on Glassdoor's Best Places to Work list and have earned the #1 overall spot a record seven times.

Extraordinary teams are at the heart of our business strategy, but these don't happen by chance. They require intentional focus on bringing together a broad set of backgrounds, cultures, experiences, perspectives, and skills in a supportive and inclusive work environment. We hire people with exceptional talent and create an environment in which every individual can thrive professionally and personally.

WHO YOU'LL WORK WITH

As the premier consulting partner for the private equity industry, Bain's PEG boasts a global practice that is over three times larger than any competitor. Our network of over 1,000 professionals supports private equity and institutional investor clients through every stage of the investment life cycle, from deal generation and due diligence to portfolio value creation and exit planning.

Bain & Company is developing a suite of cutting-edge data and software solutions designed to revolutionize how the private equity industry uses data for investment insights and decision-making.

The PEG Innovation team's mission is to create analytical solutions for Bain clients, teams, and the broader institutional investor space using proprietary software and data products. This includes the development, commercialization, and daily management of Bain's proprietary datasets, data, and software businesses.

WHERE YOU'LL FIT WITHIN THE TEAM

Senior Security Engineers are responsible for the security posture of the full PE platform estate - from supply chain security and Kubernetes hardening through to data boundary enforcement and AI egress controls. You work across teams as a specialist and trusted partner, embedding security into the development lifecycle rather than bolting it on at the end. For a platform handling sensitive PE deal data for 10,000+ users, security is a first-class engineering concern, not a compliance checkbox. You set and enforce security standards, build controls as code, and partner with Platform Engineering, Data Platform, Product Engineering, and the Agent / AI squad to reduce risk while enabling rapid delivery.

WHAT YOU'LL DO

Platform Security Engineering and Operations (80%)
  • Own and operate the platform's security posture end-to-end across core controls: Vault, Istio mTLS, Cilium network policy, Pod Security Standards, and OPA/Gatekeeper policies.
  • Design and implement zero-trust security architecture across the estate: defence in depth, least privilege, and explicit security boundary design.
  • Conduct lightweight threat modelling (STRIDE) for new services and major features before implementation; document risks, mitigations, and residual risk decisions.
  • Manage supply chain security controls: container image scanning (Trivy), image signing (Cosign/Sigstore), SBOM generation (Syft), and dependency vulnerability management (Dependabot/Renovate).
  • Define and enforce identity and access controls: SAML/OIDC integration patterns, JWT/OAuth concepts, and practical enterprise IdP integration guidance (Okta/Azure AD).
  • Define and maintain data classification controls and enforce them at the platform layer (governed access patterns, masking/tokenisation, and API-layer enforcement where required).
  • Own runtime detection controls: operate Falco rules and escalation pathways; integrate relevant signals with the central SIEM and reduce alert noise to maintain usable signal.
  • Lead security incident response for the platform; drive containment, remediation, and post-incident security reviews with clear follow-up actions.
  • Run regular security reviews of the AI layer: Agent Gateway egress controls, prompt injection risks, PII handling, and data exfiltration controls for model interactions.
  • Maintain security runbooks and execute quarterly internal security reviews across teams; ensure controls are tested, auditable, and actively maintained.

Other (20%)
  • Embed in squad ceremonies (refinement, planning, design reviews) to catch security concerns early and raise testability/operability requirements for security controls.
  • Partner with Platform Engineering on secure-by-default templates and guardrails (policy-as-code libraries, reusable CI checks, pre-commit hooks) to reduce repeated effort across squads.
  • Collaborate with the Data Governance Lead on PII classification, tokenisation policy, and regulatory/compliance requirements (SOC 2 Type II, ISO 27001, GDPR).
  • Use AI tooling to accelerate threat modelling, security policy drafting, and CVE triage; validate outputs with expert judgement before adoption.
  • Communicate security risks in business-impact terms and prioritise controls that materially reduce risk; avoid "security theatre."

ABOUT YOU
  • Bachelor's degree in Computer Science, Engineering, Information Systems, Cybersecurity, or a related field (or equivalent practical experience).
  • 6+ years of experience in security engineering, infrastructure security, SRE/DevOps with a security focus, or platform engineering roles with hands-on security ownership.
  • Demonstrated experience implementing and operating security controls in Kubernetes-based production environments (policy enforcement, workload isolation, network controls, and runtime detection).
  • Experience designing and operating secrets management and identity/access controls (Vault, PKI, OIDC/SAML patterns, enterprise IdP integration).
  • Experience implementing supply chain security practices (scanning, signing, SBOMs, dependency management) and integrating controls into CI/CD pipelines.
  • Experience leading or materially contributing to security incident response, including post-incident review and follow-up remediation planning.
  • Demonstrated ability to work cross-functionally as an enabling partner, raising security standards without blocking delivery unnecessarily.

Security engineering/Platform security
  • Zero-trust security architecture: defence in depth, least privilege, and explicit boundary design across services, networks, and data layers.
  • HashiCorp Vault: secret engine configuration, PKI management, dynamic credential generation, audit log analysis, and policy authoring (HCL).
  • Kubernetes security: Pod Security Standards, admission controller design, OPA/Gatekeeper policy authoring (Rego), Kyverno policies, and Cilium network policy concepts.
  • Istio security: mTLS in STRICT mode, PeerAuthentication, AuthorizationPolicy, and JWT validation at the mesh layer.
  • Supply chain security: image scanning (Trivy), signing (Cosign/Sigstore), SBOM generation (Syft), and dependency vulnerability management (Dependabot/Renovate).
  • Identity and access: SAML 2.0, OIDC, JWT, OAuth 2.0, and enterprise IdP integration patterns (Okta/Azure AD).
  • Data security: column-level masking, row-level security, PII tokenisation/de-identification, classification frameworks, and DLP tooling familiarity (e.g., AWS Macie).
  • Runtime security: Falco rule authoring, syscall-level anomaly detection concepts, and SIEM integration.
  • Scripting/automation: Python and Bash for security tooling, policy-as-code, and automated remediation.
  • Compliance awareness: familiarity with SOC 2 Type II, ISO 27001, and GDPR requirements relevant to PE environments.

Generative AI and agentic systems
  • Designs and enforces security controls specific to AI workloads: LLM egress policy, prompt injection mitigation, PII scrubbing before external model calls, and Agent Gateway threat modelling.
  • Uses AI tooling to accelerate threat modelling (STRIDE analysis generation), security policy drafting, and CVE triage; validates outputs before adoption.
  • Integrates AI-assisted security scanning into CI/CD pipelines: automated secret detection, dependency risk scoring, and LLM-assisted static analysis review.
  • Understands the security risks of agentic systems: prompt injection, tool misuse, data exfiltration via LLM output, and hallucination in security-sensitive contexts.
  • Reviews AI-generated infrastructure and policy code for security correctness before it enters the estate.

General
  • Embeds early: participates in planning and design reviews to catch security risks before implementation begins.
  • Security controls as code: versioned, reviewed, tested, and auditable; prioritises maintainability and low operational overhead.
  • Uses AI tooling to move faster, but applies expert judgement before any output influences production decisions.
  • Communicates risks in business-impact terms and focuses on controls that materially reduce risk.
  • Avoids security theatre; selects pragmatic guardrails that enable delivery while reducing real risk.
  • This role follows a hybrid model, requiring in-office presence at least 1 day per week.

U.S. COMPENSATION INFORMATION

Compensation for this role includes base salary, annual discretionary performance bonus, 401(k) plan with an annual employer contribution based on years of service, and Bain's best-in-class benefits package (details listed below).

Some local governments in the United States require a good-faith, reasonable salary range be included in job postings for open roles. The estimated annualized compensation for this role is as follows:

In Atlanta, the good-faith, reasonable annualized full-time salary range for this role is between $140,875 and $153,750.

In Texas, the good-faith, reasonable annualized full-time salary range for this role is between $147,625 and $161,250.

In Chicago, the good-faith, reasonable annualized full-time salary range for this role is between $155,125 and $169,250.

Placement within these ranges will vary based on factors such as experience, education, training, and skill level.

Compensation also includes a discretionary annual performance bonus, 401(k) plan with employer contribution, and Bain's best-in-class benefits, including full premium coverage for medical, dental, and vision, generous paid time off, and more.

Annual discretionary performance bonus

This role may also be eligible for other elements of discretionary compensation.

4.5% 401(k) company contribution, which increases after 3 years of service and is 100% vested upon start date.

Bain & Company's comprehensive benefits and wellness program is designed to help employees achieve personal independence, protection and stability in the areas most important to you and your family.

Bain pays 100% of individual employee premiums for medical, dental and vision programs, offering one of the most comprehensive medical plans for employees without impacting your paycheck.

Generous paid time off, including parental leave, sick leave and paid holidays

Fully vested 401(k) company contribution

Paid Life and Long-Term Disability insurance

Annual fitness reimbursements

  • Dice Id: 90922487
  • Position Id: 24033839
