Why This Job is Featured on The SaaS Jobs
Security SaaS has become a foundational layer for modern software delivery, and StepSecurity sits in a niche that is tightly coupled to how SaaS products are built and shipped: the software supply chain. With a small team and a platform spanning developer environments, open source dependencies, and CI/CD, the role is positioned close to the operational reality of SaaS engineering rather than a single isolated service.
For a SaaS career, this kind of backend work tends to compound. Building fault-tolerant services that observe and respond to behavior across the development lifecycle translates well to other SaaS domains that rely on telemetry, automation, and platform reliability. The Golang and cloud infrastructure focus also maps to common patterns in scalable SaaS backends, where performance, secure defaults, and clear service boundaries matter over time.
This role is likely to suit an engineer who prefers end-to-end ownership and pragmatic systems building, and who wants daily exposure to security as a product constraint rather than a separate specialty. It also fits someone early- to mid-career who learns best by working close to core platform decisions in a smaller SaaS organization.
The section above is editorial commentary from The SaaS Jobs, provided to help SaaS professionals understand the role in a broader industry context.
Job Description
About StepSecurity
StepSecurity prevents, detects, and responds to software supply chain attacks by analyzing behavior across the full software development lifecycle for both developers and AI coding agents. We are building a vertical AI agent for supply chain security across three pillars: securing AI agents on developer machines, OSS package security, and CI/CD security, covering the entire agentic pipeline from dev environment to cloud.
Founded by Varun Sharma (ex-Microsoft, 21 years, led supply chain security for Azure) and Ashish Kurmi (ex-Uber, Microsoft, Plaid, 17 years), we are a 16-person team working on hard problems at the intersection of security, AI, and open source.
Why this role is exciting
- We are at the forefront of supply chain security research and product development. We were the first to detect several major supply chain attacks in 2025 and 2026, including the axios npm compromise and tj-actions. (https://www.stepsecurity.io/newsroom)
- Our research is regularly cited by Bloomberg, TechCrunch, Hacker News, and Dark Reading. The US Cybersecurity and Infrastructure Security Agency (CISA) has published advisories citing StepSecurity. (https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem)
- Beyond our enterprise customers, StepSecurity has been adopted by more than 15,000 open-source projects, including projects from Microsoft, Google, Amazon, and Datadog.
- You will work on high-impact, zero-to-one problems with meaningful early-stage equity upside.
What you'll do
- Design and build backend services in Golang that power our supply chain security platform.
- Build scalable, fault-tolerant systems that operate across the full software development lifecycle.
- Work hands-on in a fast-moving, early-stage environment where you own problems end to end.
What we're looking for
- 2–5 years of experience with strong engineering fundamentals.
- Golang backend programming experience.
- Background working with AWS, Azure, or GCP.
- Experience designing scalable and fault-tolerant systems.
- Prior early-stage startup experience.
- An AI-native mindset and comfort in a hands-on, zero-to-one environment.
- A security background is a plus but not required.