Staff, Security Engineer (App & Product Sec)

At Sprinter Health, our mission is reimagining how people access care by bringing it directly to their homes. Nearly 30% of patients in the U.S. skip preventive or chronic care simply because they can’t get to a doctor’s office. For many, the ER becomes their first touchpoint with the healthcare system, driving over $300B in avoidable costs every year.

By using the same technologies that power leading marketplace and last-mile platforms, we deliver care where people are, especially those who need it most. So far, we’ve supported more than 2 million patients across 22 states, completed 130,000+ in-home visits, and maintained a 92 NPS. Our team of clinicians, technologists, and operators has raised over $125M from investors like a16z, General Catalyst, GV, and Accel and enjoys multi-year runway.

We’re looking for a Staff Security Engineer to be Sprinter’s first dedicated security hire and help build the foundation for how security scales across the company.

This is a high-ownership role for someone who can operate strategically and hands-on. You’ll define our security roadmap, strengthen our cloud and application security posture, support HIPAA, SOC 2, and HITRUST readiness, and partner closely with engineering, product, IT, legal, operations, and leadership to make security a core part of how we build and operate.

As our first security function hire, you will not just execute against an existing program. You’ll help decide what the program should be. That includes designing controls, implementing tools, driving vulnerability management, supporting partner security reviews, improving IAM, embedding security into the SDLC, and helping Sprinter make smart risk decisions as we scale.

This role is ideal for someone who wants to build a security function from the ground up in a high-growth, mission-driven healthcare company.

We are a hybrid company based in the Bay Area with offices in both San Francisco and Menlo Park. For this role, we are also open to considering remote candidates. We will give priority to candidates who are based in or open to working from the San Francisco Bay Area.

• Build and lead Sprinter’s security program as the company’s first dedicated security hire

• Define and execute a practical security roadmap across cloud infrastructure, application security, compliance, identity, vendor risk, and incident readiness

• Design, implement, and maintain security controls that support HIPAA, SOC 2, and HITRUST requirements

• Partner with legal, product, IT, engineering, and operations teams to ensure ongoing audit readiness and compliance maturity

• Improve security across AWS and GCP environments, including IAM, networking, encryption, secrets management, and cloud-native application security

• Evaluate and implement security tooling for vulnerability management, cloud security posture management, security monitoring, DAST, and related needs

• Lead vulnerability management efforts across applications, infrastructure, cloud environments, and third-party systems

• Coordinate penetration testing efforts, work with external security partners, and drive remediation with engineering teams

• Embed security into the software development lifecycle through secure design reviews, CI/CD checks, developer guidance, and pragmatic security standards

• Own or support partner, customer, and vendor security reviews, including questionnaires, risk assessments, and remediation planning

• Strengthen identity and access management across internal systems, applications, and cloud environments

• Develop clear security policies, procedures, documentation, and reporting for internal teams and senior leadership

• Advise on AI security best practices as Sprinter adopts and builds AI-enabled systems, including data handling, model risk, application security, and privacy controls

• Build strong working relationships across teams so security is viewed as a partner to the business, not a blocker

• Spent 8+ years in security engineering, cloud security, application security, infrastructure security, DevSecOps, or related roles

• Built or meaningfully scaled a security function, security program, or major security domain in a high-growth environment

• Operated as a senior technical owner for security across engineering, infrastructure, product, IT, and compliance stakeholders

• Worked hands-on with cloud security in AWS, GCP, or similar cloud environments

• Implemented security controls that support compliance frameworks such as HIPAA, SOC 2, HITRUST, ISO 27001, or similar

• Led vulnerability management, penetration testing coordination, remediation workflows, and security assessments

• Partnered with engineering teams to embed security into architecture, development, CI/CD, and production operations

• Worked with identity and access management systems such as Okta, Auth0, SSO, MFA, RBAC, or related tooling

• Evaluated, selected, or implemented security tools such as SIEM, DAST, vulnerability scanners, CSPM, endpoint security, or monitoring platforms

• Used scripting or infrastructure-as-code tools such as Python, Bash, Terraform, or similar to automate security workflows

• Communicated security risks, tradeoffs, and priorities clearly to technical and non-technical stakeholders

• Made practical risk decisions in environments where speed, ambiguity, compliance, and security all matter

• You’ve been the first security hire or an early security leader at a startup

• You’ve built security programs in healthcare, fintech, insurance, logistics, marketplace, or other regulated or operationally complex environments

• You have deep experience with HIPAA, SOC 2, HITRUST, or healthcare security and privacy requirements

• You’ve supported customer, partner, or enterprise security reviews in a B2B or healthcare environment

• You’ve helped prepare for or lead security audits and compliance assessments

• You have experience with AI security, including secure AI application development, model risk, data privacy, adversarial risk, or AI governance

• You’ve worked closely with product and engineering teams to make security usable, scalable, and developer-friendly

• You have experience with container security, Kubernetes, network security, endpoint security, or encryption standards

• You hold certifications such as CISSP, CISM, AWS Certified Security Specialty, CEH, or similar

We aim to complete the interview process within 2–3 weeks. It will usually consist of:

• Recruiter Screen: Background fit, motivation, and compensation alignment

• Hiring Manager Interview: Security leadership, technical depth, and first-of-function experience

• Technical Interview: Cloud security, application security, compliance, vulnerability management, and security architecture

• Cross-Functional Interview: Collaboration style and ability to partner with engineering, product, IT, legal, and operations

• References: Validation of performance, judgment, and working style

• Meaningful pre-IPO equity

• Medical, dental, and vision plans 100% paid for you and your dependents

• Flexible PTO + 10 paid holidays per year

• 401(k) with match

• 16-week parental leave policy for birthing parent, 8 weeks for all other parents

• HSA + FSA contributions

• Life insurance, plus short and long-term disability coverage

• Free daily lunch in-office

• Annual learning stipend

• Relocation assistance

• AWS

• GCP

• Terraform and infrastructure-as-code tooling

• TypeScript

• Python

• Bash

• CI/CD systems

• Okta

• Auth0

• SIEM, DAST, vulnerability management, and cloud security tooling

• Identity, access, and secrets management systems

• Cloud networking and infrastructure tooling

• Container and deployment systems

• Serverless AWS, including AppSync, DynamoDB, Lambda, Amplify, CloudFormation, and Node

• GraphQL

• React Native and React Native for Web

Sprinter Health is an equal opportunity employer. We value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, disability status, or other protected classes.

Beware of recruitment fraud and scams that involve fictitious job descriptions followed by false job offers.

If you are applying for a job, you can confirm the legitimacy of a job posting by viewing current open roles on our official Sprinter Health Careers website. All legitimate job postings will require an application to be made directly on our official Sprinter Health Careers website. Job-related communications will only be sent from email addresses ending in @sprinterhealth.com. Please ensure that you’re only replying to emails that end with @sprinterhealth.com.