Lead AI Security Engineer - MCP Security

Description

• Invoice auditing for logistics services
• Ship and maintain production-ready reference implementations and hardened templates for Kubernetes-based deployments that product teams can adopt with minimal friction.
• Build and maintain vetted libraries, CLIs, shims, and middleware for token validation, scope evaluation, logging, and egress controls.
• Define policy-as-code for authorization, quotas, and abuse prevention. Measure effectiveness via auditability, adoption, and time-to-onboard metrics.
• Triage and reduce top security risks first: high-impact data exfiltration, prompt-injection exposure at the agent boundary, and unobserved egress from local servers.
• Define and implement scope-based authorization aligned to OAuth2/OIDC, including audience validation and JWKS discovery, with progressive adoption of enforceable scopes at the auth server.
• Buying & selling of logistics services
• Organizing shipment execution
• Interprets business and regulatory challenges to recommend best practices with the ability to explain them to non-technical staff.
• Influence platform roadmaps to enable enforceable scopes and centralized routing while maintaining clear separation of concerns between discovery, policy enforcement, and deployment.
• Lead cross-functional technical design with other Trimble security and platform teams to make the MCP gateway a first-class platform capability, including consent flows and registration in API Cloud.
• Write and review code for gateways, policy enforcement, developer tooling, and integrations. Contribute high-quality code, tests, and documentation while leading technical direction.
• Organizing dock, yard, truck, and driver schedules
• Operate as a Lead/Specialist: interpret internal and external challenges, recommend best practices, and lead others to solve complex problems with minimal oversight.
• Integrate static and supply-chain scanning into CI for MCP servers. Automate checks in registration and deployment pipelines.
• Publish developer guidance and guardrails for remote and local MCP scenarios. Provide vetted libraries and patterns for token validation, scope evaluation, and logging.
• Architect, implement, and maintain a secure ingress pattern for remote MCP (Model Context Protocol )servers behind an authenticated gateway, including policy enforcement, request logging, rate limiting, and abuse detection.
• Partner with agent teams to align tool metadata linting, scope-to-tool mapping, and safety checks at the agent and gateway layers.

Requirements

• Build or be able to adapt to egress controls and telemetry for remote and local/stdio MCP servers, including developer-friendly proxies, tagging, and baseline logging.
• Specialized depth in security-focused application development with the ability to lead others on complex issues.
• Proficiency in one or more of: Python, TypeScript, .NET, or Java for platform, services, and tooling. Ability to choose the right tool for the component.
• Understanding of the current agent/MCP ecosystems and AI-specific risks, with a bias for controls at the tool, agent, and layers rather than intrusive network overseers.
• Deep hands-on expertise with OAuth2/OIDC, scopes, consent, and token validation patterns. Experience evolving toward enforceable scopes at the authorization server.
• Works independently, receives guidance only on the most complex situations.
• Experience translating security policy into policy-as-code and enforcing it through code-written integrations is a plus.
• Communicates difficult concepts, negotiates trade-offs, and influences across teams.
• Understanding Kubernetes architecture and platform engineering fundamentals, including container security, service identity, and secret management.

Benefits

Training + Development

Interview process

Visa Sponsorship

Security clearance