Security Engineer

Google

Warsaw, Poland

100 000 - 150 000 EUR gross, annual

Employment: Full time

Experience: Senior

Contract: Permanent

Job type: Remote

Go, Rust, Back-End, Security

Job description

Google's product security team in Warsaw protects infrastructure and customer data across a broad portfolio of web and mobile products. This is an engineering-heavy security role - you will write production code (Rust for performance-critical security primitives, Go for security tooling, Python for automation), not just configure SIEMs.

Core responsibilities: perform threat modelling (STRIDE) for new product features and APIs; build and maintain SAST/DAST tooling integrated into the CI pipeline (CodeQL, Semgrep rules); conduct penetration testing of internal web applications and review findings with owning teams; design and implement security controls at the infrastructure level (eBPF-based syscall filtering, Kubernetes Pod Security Admission policies, Binary Authorization); and respond to security incidents - lead investigations, contain threats, and write detailed postmortems.

You will be part of a security review rotation: every new service launch goes through a security review checklist, and you will own 3–4 reviews per quarter. You will run internal security training workshops for engineering teams (secure coding in Go, secrets management best practices, OAuth2/OIDC flows).

Security clearance background is preferred but not required. The compensation package has been approved above the standard engineering band.

Technical stack

  • Rust
  • Go 1.22
  • Python 3.12
  • Linux (kernel internals, seccomp, eBPF)
  • gVisor
  • OpenSSF toolchain
  • SAST/DAST (CodeQL, Semgrep)
  • Burp Suite
  • Wireshark
  • GCP (Security Command Center, Binary Authorization, Cloud Armor)
  • Kubernetes (Pod Security Admission)
  • OpenTelemetry (security telemetry)
  • OWASP Top 10
  • threat modelling (STRIDE)

Interview process

Step 1 - Recruiter screen (30 min): background check and export-control eligibility confirmation.

Step 2 - Security-focused coding (60 min, live): write a Rust or Go utility with a specific security property - e.g., a constant-time comparison function, a parser for a potentially adversarial input format, or a simplified TLS certificate chain verifier. We evaluate correctness and security reasoning.

Step 3 - Threat modelling exercise (60 min): given a system architecture diagram of a fictional web application, identify threats using STRIDE, propose mitigations, and prioritise them by risk. We evaluate completeness and communication.

Step 4 - Infrastructure security deep-dive (45 min): container security (Linux namespaces, seccomp, capabilities), Kubernetes network policies, and cloud IAM least-privilege design.

Step 5 - Leadership panel (30 min): how you communicate security risk to non-security engineers, how you handle resistance to security requirements.

Step 6 - Offer: within 7 business days.

Posted

a day ago

Publisher

Brian Kelly
