Staff Site Reliability Engineer, Security

Stord · Remote

Remote, United States (via Workday)
About Stord

Stord is The Consumer Experience Company, powering seamless checkout through delivery for today's leading brands. Stord is rapidly growing and is on track to double our revenue in the next 18 months. To meet and exceed this target, Stord is strategically scaling teams across the entire company, and seeking energetic experts to help us achieve our mission. By combining comprehensive commerce-enablement technology with high-volume fulfillment services, Stord provides brands a platform to compete with retail giants. Stord manages over $10 billion of commerce annually through its fulfillment, warehousing, transportation, and operator-built software suite including OMS, Pre- and Post-Purchase, and WMS platforms. Stord is leveling the playing field for all brands to deliver the best consumer experience at scale. With Stord, brands can increase cart conversion, improve unit economics, and drive sustained customer loyalty. Stord's end-to-end commerce solutions combine best-in-class omnichannel fulfillment and shipping with leading technology to ensure fast shipping, reliable delivery promises, easy access to more channels, and improved margins on every order. Hundreds of leading DTC and B2B companies like AG1, True Classic, Native, Seed Health, quip, goodr, Sundays for Dogs, and more trust Stord to deliver industry-leading consumer experiences on every order. Stord is headquartered in Atlanta with facilities across the United States, Canada, and Europe. Stord is backed by top-tier investors including Kleiner Perkins, Franklin Templeton, Founders Fund, Strike Capital, Baillie Gifford, and Salesforce Ventures.

About the Role

We are seeking a scrappy, high-ownership Staff Site Reliability Engineer (SRE) to join our lean, fast-moving SRE team. This is a security-focused engineering role rather than a policy or audit one. You'll write code, build automation, integrate scanners into CI/CD, ship Terraform modules the rest of the team can adopt, and drive Dependabot triage with engineering teams. Together, you'll define what "secure by default" actually looks like in our GCP environment and GitHub organization, then make it operational.

Why This Role

A clear charter with a foundation to build on. Cloud security posture, vulnerability/dependency management, and security solution engineering are yours. The pieces exist (scanners, IAM controls, edge protections, GitHub baselines), but no one has stitched them into a coherent program. You will.

Build the program, then scale it through the team. You're shipping security tooling, automation, and IaC modules the rest of SRE can run. The work scales through the team rather than centralizing on one person.

Real platform surface area. You're working across GKE workloads, Istio mesh, Cloud Armor, Cloudflare edge, GitHub Actions supply chain, and GCP IAM. The kind of stack with enough surface area that you can make a measurable impact in your first quarter.

High-signal moment in the industry. Post-Shai-Hulud, post-XZ, post-everything: CI/CD supply chain hardening, secret management, and short-lived credentials are no longer aspirational. You'll be implementing security best practices, not just documenting them.

What You'll Build

Cloud Security Posture Management

Assess and harden Stord's GCP footprint (GKE, IAM, Cloud Armor), and codify the baseline in Terraform and policy-as-code where it makes sense. Build continuous posture monitoring against that baseline, with a published gap list and remediation schedule. Drive the evaluation, integration, and rollout of new security tooling as the program matures. You'll lead the conversations and recommendations on what we adopt, what we build in-house, and what we sunset.

Vulnerability and Dependency Management

Establish and automate the vulnerability and dependency remediation workflow across engineering teams: triage cadence, ownership model, severity-based SLAs, and the tracking infrastructure that drives closure. Own Dependabot configuration and triage workflows across our GitHub organization, plus secret scanning, push protection, and response workflows for any secrets that surface. Build supply-chain controls into CI/CD: provenance, dependency review, lockfile policies, build attestation where it pays off. Wire container image scanning and DAST/network scanning programs into the same workflow so vulnerabilities don't slip through the cracks between layers.

Security Solutions Engineering

Build security capabilities that the broader SRE team can run as part of their normal operating model: Terraform modules, Cloud Armor rules, Istio authorization policies, Cloudflare configuration, scanner pipelines, and custom automation that fills gaps in off-the-shelf tooling. Ship documentation, runbooks, and self-service tooling that make your designs portable to the rest of the team, so the program continues to function smoothly through handoffs and rotations. Set the engineering bar for security work inside SRE: code review standards, IaC patterns, "secure by default" templates for new services. Partner cross-functionally with engineering teams on app security questions, IT on identity and endpoint boundaries, and IT/compliance on occasional SOC 2 evidence pulls, without owning those domains.

What We're Looking For

Required

Deep GCP and GKE security experience. You've hardened production Kubernetes on GCP: workload identity, RBAC, network policies, Pod Security Standards, image provenance. You know where the sharp edges are and which knobs actually matter.

Dependabot and secret scanning at scale. Hands-on with Dependabot configuration, triage workflows, and remediation tracking. Comfortable rolling out GitHub secret scanning organization-wide, including push protection and response workflows for found secrets.

CI/CD supply chain hardening. You've designed or operated controls against the threat model that produced Shai-Hulud, XZ, and SolarWinds. Familiar with SLSA, provenance