Product Security Engineer

Role Summary: 

We are looking for a mission-driven Product Security Engineer to embed security into the entire lifecycle of our cutting-edge robotic systems and our command and control system. You will be responsible for hardening our autonomous ground vehicles against cyber threats in complex, contested environments. You will own compliance with our customer's contract requirements for cyber security.

In this role, you will take ownership of the security architecture for our robotic systems, ensuring that every component—from firmware to command interfaces—is designed, implemented, and validated with security at its core. You will architect and develop robust security controls to meet rigorous contractual and regulatory requirements, encompassing intrusion prevention, secure logging, encryption, and system integrity protections. You’ll serve as the key integrator of feedback from customers, industry standards, and regulatory agencies, translating their input into clear, actionable security requirements for software development teams. As a compliance leader, you will map and implement controls aligned with CSEIG v3.0, DISA STIGs, and NIST 800-53/171, preparing the necessary documentation and evidence to support customer ATO and ATC efforts. You’ll define and champion security across the software development lifecycle by implementing policies, security gates, and checklists for design, code review, CI/CD, and release. Each feature will include measurable security acceptance criteria to ensure continuous assurance.

Key Responsibilities

• Lead the design and validation of security controls that ensure system integrity, intrusion prevention, secure logging, and data protection for robotic platforms.

• Collaborate with customers, regulators, and internal teams to define and document security requirements that guide software development and system integration.

• Ensure compliance with CSEIG v3.0, DISA STIGs, and NIST 800‑53/171 by implementing required controls and preparing evidence for certification and authorization (ATO/ATC) activities.

• Drive a secure software development lifecycle (SDLC) by establishing policies, gates, and checklists across design, code review, CI/CD, and release processes.

• Develop secure firmware and update mechanisms, including signed, atomic, and recoverable updates with built‑in health checks, CVE management, and SBOM generation.

• Harden operating systems (Ubuntu and NixOS) through CIS/STIG baselines, AppArmor/SELinux configuration, systemd hardening, and least‑privilege enforcement.

• Strengthen physical security through tamper‑evident designs, interface protection, and side‑channel attack mitigation.

• Implement cryptographic controls including validated crypto modules, FIPS 140‑3 compliance, TPM management, and secure/measured boot processes.

• Build and maintain a secure software supply chain with artifact signing, provenance tracking, vendor risk reviews, and defined security SLAs.

• Lead threat‑modeling and Attack Tree exercises across robotic, autonomy, and C2 systems to identify vulnerabilities and define mitigations.

• Establish robust API security aligned with OWASP ASVS, implementing mTLS, key management, rate limiting, and secure session controls.

• Apply ROS 2 security principles, including DDS‑Security and namespace policies, to ensure authenticated and confidential message exchange.

• Define and support operational security requirements, covering log collection, forensics, and automated intrusion detection and prevention.

• Safeguard command integrity via CAC/PIV‑based client authentication, mutual TLS, and role‑based authorization enforcing least‑privilege access.

Qualifications:

• BS in CS/EE or related, or equivalent experience
• 6+ years in cybersecurity or secure software development, with no less than 2 years in a product security or offensive security role
• Direct experience with the Department of Defense (DoD) Risk Management Framework (RMF), NIST 800-53, CNSSI 1253, and documenting security controls for Authority to Operate (ATO) or Authority to Connect (ATC) packages in eMass
• Proven ownership of SAST/SCA/DAST and CI/CD security controls
• Strong Linux internals and hardening experience (Ubuntu and/or NixOS)
• Hands-on with cryptography engineering, key management, and secure boot chains
• Experience shipping signed firmware/OS images
• Proficiency in either Python or C++

Desired Experience & Qualifications: 

• Hands on experience with LabJack sensors, Dataspeed Drive By Wire Systems, Ouster Lidar, and CAN network systems
• Familiarity with industry cybersecurity standards such as ISO 21434 or UN R155
• Certifications: GIAC GPEN/GXPN, OSCP, ISC2 CSSLP
• Must be eligible to obtain and maintain a TS/SCI clearance

Benefits:

Overland AI believes in creating a work environment that you look forward to embracing every day.

• The salary range for this position is $170K to $200K annually  
• Equity compensation
• Best-in-class healthcare, dental and vision plans.
• Unlimited PTO
• 401k with company match
• Parental leave

Location:

This position will be located in Seattle, WA.

Overland AI is an Equal Opportunity Employer. We do not discriminate on the basis of race, color, religion, creed, sex, sexual orientation, gender identity or expression, national origin, age, marital status, disability, genetic information, protected veteran or military status, or any other status protected by applicable law.

This position may involve access to export-controlled technology. Employment is contingent on the ability to comply with U.S. export control laws.

Overland AI provides reasonable accommodations for qualified individuals with disabilities and disabled veterans during the application process. Please contact [[email protected]] to request an accommodation.