Security Engineer 2

About Media.net

Media.net is a leading global ad tech company, building innovative products and solutions for advertisers and publishers. Media.net creates the most transparent and efficient path for ad budgets to become publisher revenue, while delivering meaningful value to advertisers, publishers, app developers, and end users across the open web.

We are one of the world’s largest independent contextual advertising businesses, with one of the industry’s most comprehensive advertising technology portfolios. Media.net powers major publishers and ad-tech platforms across formats, including display, video, mobile, native, search, and local. Our platform manages high-quality ad supply across 500,000+ websites and is licensed by the biggest publishers, ad networks, and technology partners worldwide.

Beyond our core advertising business, Media.net also operates at scale in performance-driven consumer acquisition, app development and distribution, and strategic technology investments. These efforts are supported by one of the world’s largest independent software development engines, enabling us to innovate rapidly and build products used across global markets.

Media.net is home to 1,300+ employees, with key operations across North America, Europe, and Asia. Our US headquarters is in New York, and our global headquarters is in Dubai. Across 50+ demand partners, 21K+ publishers, and a growing portfolio of products and services, we take great pride in driving trusted, transparent, and scalable results

About the Role

We're looking for a Site Security Engineer (SSE) — the "SRE of security" — to embed security thinking deeply into our engineering culture. Like an SRE applies reliability principles at scale, you'll apply the same rigor to security: automating detection, hardening infrastructure, eliminating vulnerabilities systematically, and ensuring our platform remains resilient against threats that evolve daily.

This is a hands-on, engineering-first role. You'll work alongside SRE and development teams, advise on security tooling and architecture, participate in incident response, and own vulnerability management end-to-end — all within a small, high-trust security team.

Key Responsibilities

1. Security Engineering & Automation

• Write scripts and automation (Python and/or Bash) to detect, respond to, and reduce security risk at scale — not manual one-off fixes
• Configure security tooling integrated into CI/CD pipelines (SAST, DAST, SCA, secrets detection), working alongside SREs who own the pipeline infrastructure
• Advise SREs on deployment, configuration, and tuning of open-source security tools (e.g. Falco, Trivy, Wazuh, Nuclei, OpenVAS) based on hands-on familiarity

2. Cloud & Container Security

• Assess and harden cloud security configurations — IAM policies, VPC controls, Security Command Center, Cloud Armor, logging and alerting
• Evaluate and improve container security posture across Docker/Kubernetes workloads — image scanning, runtime detection, privilege controls, network policies

3. Vulnerability Management

• Own vulnerability triage workflows in DefectDojo, applying CVSS and EPSS scoring to prioritize findings meaningfully
• Communicate findings clearly to development teams and collaborate on remediation — translating technical risk into business context without blame

4. VAPT & Network Security

• Conduct automated and manual VAPT across web applications, APIs, networks, and container workloads
• Use tools including Nmap, Burp Suite, Amass, Nuclei, Shodan, Censys, Subfinder Trivy, Metasploit, and Wireshark for testing, and recommend additional tooling where gaps exist
• Perform network security assessments covering firewall rules, segmentation, and exposure analysis

5. Incident Response Support

• Actively support the Incident Response team during security events arising from monitoring and alerting pipelines
• Investigate alerts from SIEM and observability tooling in collaboration with the SOC
• Contribute to post-incident analysis and help close the loop on root causes

6. Threat Intelligence

• Actively track the threat landscape — CVEs, threat actor TTPs, and advisories relevant to adtech, programmatic infrastructure, and open-source dependencies
• Surface actionable intelligence to the team before issues become incidents

Required Skills & Experience

• 4+ years of hands-on security experience — professional, bug bounty, CTF, or lab-based practice all considered
• Scripting is mandatory — proficiency in Python and/or Bash for automation, tooling, and investigation workflows
• Strong working knowledge of cloud security services and configuration hardening
• Solid experience with container technologies (Docker, Kubernetes) and associated security practices
• Proficiency with Nmap, Burp Suite, Amass, Nuclei, Shodan, Censys, Subfinder Trivy, Metasploit, wireshark and a capability to deploy and configure other open-source tooling
• Experience with DefectDojo or equivalent VM platforms; clear understanding of CVE, CVSS, and EPSS is a bonus
• Comfortable and efficient in both Linux and Windows terminal environments — log parsing, process investigation, system forensics
• Understanding of CI/CD security — SAST, DAST, SCA, secrets scanning — and the ability to configure those controls even if not owning the pipeline
• Strong communicator — able to work effectively with SREs, developers, and non-technical stakeholders

Nice to Have

• Familiarity with CIS RAM, NIST CSF, and secure SDLC principles
• Exposure to SIEM platforms (Wazuh, Splunk, ELK)
• Bug bounty history, CTF participation, or open-source security contributions
• Certifications: OSCP, GPEN, GCP Security, or equivalent

Why Join Us

• Small security team = high ownership, fast decisions, and direct visibility to leadership
• Work at the intersection of security and engineering, not siloed in a GRC function
• Collaborate closely with SRE, NOC, SOC, and product engineering teams
• Shape how security engineering is practiced at one of adtech's most recognized platforms