
TypeScript
Node.js
Next.js
IC3 Security Engineer
Overview
This is a hands-on engineering role focused on cloud security, in-app cryptography, dependency hygiene, anti-abuse, observability, and AI-assisted detection.
Job Description
You will work closely with engineering, foundation, and trust & safety teams to proactively detect and reduce risk before users feel it. This role is globally remote, async by default, and built for engineers who take ownership of security and incident response.
Responsibilities
- Harden our AWS footprint: IAM policy design, network segmentation, secrets handling, KMS-backed access, and workload isolation
- Lock down our Cloudflare edge: WAF rules, bot management, rate limits, DDoS posture, Zero Trust access, and DNS hygiene
- Secure our Vercel surface: project and team permissions, environment variable handling, deployment protection, and preview-URL exposure
- Plan, build, and maintain in-app encryption primitives across at-rest, in-transit, field-level, and token-level surfaces
- Own the key lifecycle end-to-end: generation, storage, rotation, revocation, and audit
- Drive dependency hygiene end-to-end: SCA tooling, advisory triage, and pushing fixes through to merged-and-deployed, not just 'ticket filed'
- Define and enforce patch SLAs for critical, high, and medium-severity findings, and keep the queue from going stale
- Own the throughput of our security scanning programs and the dashboards that report on them
- Improve the controls that reduce and prevent scam usage of Cal.com: fraudulent signups, abuse of bookings, payment fraud patterns, phishing-via-event-types, and spam at our edges
- Drive a step-change in our security observability so on-call engineers get the data they need within seconds, not hours
- Integrate AI into our abuse and security pipeline to flag, classify, and block malicious users faster than humans can
- Mentor other engineers on secure coding and be a primary point of contact during incidents in your area
Required Skills
- Top-tier TypeScript and a deep understanding of how a modern Node.js / Next.js / Prisma stack runs in production
- Strong hands-on AWS expertise: IAM, KMS, VPC, networking, logging, and the common managed services we lean on
- Production experience securing infrastructure on Cloudflare and Vercel
- Practical, applied cryptography: symmetric/asymmetric primitives, envelope encryption, key rotation patterns, JWT and session security, and secrets management
- Track record running and improving security scanning programs across dependency, code, secret, IaC, and container surfaces
- Hands-on experience with abuse and fraud detection on a consumer or SaaS platform
- Experience integrating AI or LLMs into security or trust & safety workflows, with the evals to prove they are working
- Strong knowledge of common web application attack classes (the OWASP greatest hits, plus business-logic abuse and account takeover) and the controls that stop them
- Clear written communication and calm incident communication
- High autonomy mindset and comfort working in a remote, async-first environment
Benefits
- Work from anywhere, anytime, fully remote & async
- Earn the same salary no matter where you live
- No standups, no micromanagement, no unnecessary calls
- Real flexibility, take time for life stuff, no approval needed
- Work in your own flow, pajamas welcome
- 30 paid OOO days per year (wherever you are in the world)
- Yearly team retreats in beautiful locations
- People-first culture, stable, family-friendly, kind
About the company
Meet Cal.com, the event-juggling scheduler for everyone. Focus on meeting, not making meetings. Free for individuals.