
Corporate Security Engineer

Branch AI
Full Time | junior | Remote
Remote, US | Posted Today


Job Description

<p data-renderer-start-pos="1"><strong data-renderer-mark="true">About us:</strong></p> <p data-renderer-start-pos="12">Branch is on a mission to empower workers with financial freedom. We do this by helping companies accelerate payments and providing working Americans with accessible, free financial services. We’re committed to building and delivering more inclusive, transparent, and frictionless financial products.</p> <p data-renderer-start-pos="314">Our goal of empowerment extends to our own employees, too. Have a great idea? Share it today and it might just get implemented tomorrow. As a member of our team, your voice and creativity matter—and they can directly impact our products, company, and culture.&nbsp;</p> <p data-renderer-start-pos="576">We not only focus on attracting great talent from across the country, but also on building teams that help that talent thrive. That means valuing a diversity of opinions and working styles, while creating a shared belief in innovation, initiative, and winning together.</p> <p data-renderer-start-pos="847">Come join our team as we develop new ways to improve the lives of working Americans.</p> <p data-renderer-start-pos="1"><strong data-renderer-mark="true">About the role:</strong></p> <p>The Corporate Security Engineer is the dedicated owner of Branch’s endpoint security and insider risk programs. You will be responsible for keeping every Branch laptop, browser session, and corporate identity safe from external threats and inadvertent or malicious misuse — across a fully remote, fintech workforce.</p> <p>In this role, you will operate and continuously mature our core corporate security stack — CrowdStrike Falcon for endpoint detection and response, ThreatLocker for application allowlisting and ringfencing, Island Enterprise Browser for managed web access and data egress controls, and Google Workspace for identity, mail, and collaboration security. 
You will partner closely with People Operations, Legal, and GRC to translate policy into enforced technical controls, investigate insider risk signals end-to-end, and respond to corporate-side security incidents in a measured, programmatic way.</p> <p>This is the right role for a hands-on engineer who wants to own the corporate attack surface, build the insider risk function from a blueprint into a running program, and have visible impact on how a fast-moving fintech protects its workforce.</p> <p><strong>Responsibilities include, but are not limited to:</strong></p> <p><strong>Endpoint Security &amp; Engineering</strong></p> <ul> <li><strong>Own the day-to-day administration of CrowdStrike Falcon</strong> — prevention policies, detection tuning, custom IOAs, USB device control, and Real Time Response runbooks across the entire Branch endpoint fleet.</li> <li><strong>Operate and mature ThreatLocker</strong> — build and maintain application allowlisting, ringfencing, storage control, and elevation policies; reduce learning-mode exceptions over time and drive measurable hardening progress.</li> <li><strong>Administer Island Enterprise Browser</strong> — define and enforce browser-level policies for SaaS access, copy/paste, downloads, screenshot, and extension governance; align browser controls with insider risk and DLP objectives.</li> <li><strong>Drive endpoint hardening and configuration baselines</strong> for macOS and Windows:
MDM (Jamf / Intune), patch SLAs, FileVault/BitLocker, and CIS-aligned benchmarks.</li> <li><strong>Maintain a defensible inventory</strong> of endpoints, agents, and coverage gaps, and drive remediation when devices fall out of compliance.</li> <li><strong>Own corporate-side incident response</strong> for endpoint, identity, email, and insider events — from initial triage through containment, eradication, recovery, and post-incident review.</li> </ul> <p><strong>Insider Risk &amp; Data Protection</strong></p> <ul> <li><strong>Build and run Branch’s insider risk program</strong> — from defining risk indicators (data exfiltration, anomalous access, departing employee behavior) to building detections and response playbooks across endpoint, browser, and SaaS telemetry.</li> <li><strong>Operate Data Loss Prevention controls</strong> across Google Workspace (Drive, Gmail), Island Browser, and endpoint channels; investigate DLP events end-to-end, balancing user friction against data-protection outcomes.</li> <li><strong>Lead onboarding, offboarding, and transition security workflows</strong> in partnership with People Operations — enforce least-privilege access, data return at offboarding, and time-bounded monitoring of high-risk departures, ultimately skilling up our IAM team.</li> <li><strong>Triage and investigate insider risk cases</strong> with discretion, partnering with Legal, HR, and GRC on documentation, evidence handling, and outcomes; preserve chain-of-custody on every case.</li> <li><strong>Develop user-facing guidance and training</strong> that reduces accidental risk — phishing reporting, secure handling of customer data, and acceptable use of AI and SaaS tools.</li> </ul> <p><strong>Security Operations &amp; Engineering</strong></p> <ul> <li><strong>Harden Google Workspace</strong> — admin role hygiene, context-aware access, OAuth third-party app governance, advanced phishing/malware protection, and audit logging into the SIEM.</li> <li><strong>Automate 
repetitive corporate security work</strong> using Python or Bash and orchestration platforms (e.g., Tines, Torq, XSOAR) — alert enrichment, user notifications, evidence collection, and offboarding checks.</li> <li><strong>Contribute to the corporate vulnerability management program</strong> for endpoints and SaaS — prioritization, SLA tracking, and cross-functional remediation.</li> <li><strong>Serve as a security consultant and escalation point</strong> for the broader business on secure configurations, patching, exception requests, and acceptable-use questions.</li> </ul> <p><strong>Qualifications:</strong></p> <ul> <li>3–5 years of experience in a corporate security, endpoint security, security operations, or insider risk role with increasing responsibility.</li> <li>Hands-on experience with EDR — ideally CrowdStrike Falcon — including detection tuning, custom IOAs/IOCs, and Real Time Response investigations.</li> <li>Working experience with application control or zero-trust endpoint tooling (ThreatLocker, Airlock, AppLocker, or equivalents) — you understand the operational reality of allowlisting at scale.</li> <li>Familiarity with enterprise / managed browsers (Island, Talon, Chrome Enterprise) and the data-egress and SaaS access controls they enable; comfort designing browser policy is a strong plus.</li> <li>Strong Google Workspace security background — admin console controls, context-aware access, OAuth governance, and DLP.</li> <li>Demonstrated ability to investigate incidents end-to-end — phishing, malware, account compromise, DLP events, and insider risk cases — with disciplined documentation.</li> <li>Solid fundamentals in identity and access management, endpoint hardening, MDM, logging, and SIEM-based detection.</li> <li>Scripting proficiency in Python and/or Bash for automation and tooling; experience with security orchestration platforms (Tines, Torq, XSOAR) is a plus.</li> <li>Strong written and verbal communication — able to explain endpoint and 
insider risk concepts to non-security partners in HR, Legal, and the executive team.</li> <li>Strong ethics and discretion — this role regularly handles confidential personnel and investigative information.</li> <li>Familiarity with security frameworks such as ISO 27001, SOC 2, PCI-DSS, NIST CSF, and CIS Benchmarks.</li> </ul> <p data-renderer-start-pos="1033"><strong data-renderer-mark="true">Compensation:</strong></p> <p data-renderer-start-pos="1048">The base salary range for this role is&nbsp;<span class="fabric-background-color-mark" data-renderer-mark="true" data-background-custom-color="#fedec8">$125-135k. </span>The salary range displayed reflects an average base salary range for the position across all the U.S. The base salary offered to an applicant could be higher or lower based on each applicant's specific skill set, depth of experience, relevant education or training, etc.&nbsp;</p> <p data-renderer-start-pos="1365"><strong data-renderer-mark="true">Location:</strong></p> <p data-renderer-start-pos="1376">This position is classified as REMOTE<strong data-renderer-mark="true"> </strong>within the United States of America.</p> <p data-renderer-start-pos="1452"><em data-renderer-mark="true">We are unable to hire candidates located outside of the domestic U.S.</em></p> <p data-renderer-start-pos="1523"><strong data-renderer-mark="true">Benefits:&nbsp;</strong></p> <ul> <li data-renderer-start-pos="1537">Market-leading medical, dental, and vision insurance&nbsp;</li> <li data-renderer-start-pos="1594">Stock options</li> <li data-renderer-start-pos="1611">Free Premium-Tier Origin Financial Wellness subscription</li> <li data-renderer-start-pos="1671">Monthly home-office stipend</li> <li data-renderer-start-pos="1702">401k (TransAmerica)</li> <li data-renderer-start-pos="1725">12-weeks paid parental leave for birthing and non-birthing parents</li> <li data-renderer-start-pos="1795">Flexible time off + sick and safe time</li> <li 
data-renderer-start-pos="1837">11 paid company holidays</li> <li data-renderer-start-pos="1837">Branch@Branch Same Day Pay Option</li> </ul> <p data-renderer-start-pos="1865"><strong data-renderer-mark="true">Working at Branch</strong></p> <p data-renderer-start-pos="1884">A remote-first company with employees located throughout the U.S., Branch emphasizes transparency, accountability, and trust to create a collaborative environment where our product, engineering, marketing, customer support, customer success, and sales teams can all thrive together.&nbsp; Learn more about what we do in this <a class="_mizu1p6i _1ah3dkaa _ra3xnqa1 _128mdkaa _1cvmnqa1 _4davt94y _4bfu1r31 _1hms8stv _ajmmnqa1 _vchhusvi _kqswh2mm _syaz14q2 _ect41gqc _1a3b1r31 _4fpr8stv _5goinqa1 _f8pj14q2 _9oik1r31 _1bnxglyw _jf4cnqa1 _30l314q2 _1nrm1r31 _c2waglyw _1iohnqa1 _9h8h16c2 _1053w7te _1ienw7te _n0fxw7te _1vhvg3x0" href="https://cdn.bfldr.com/CUTY2K5N/as/jrr3hk6csnwjhrx8phg6ppnj/The_Branch_Manifesto" data-renderer-mark="true"><u data-renderer-mark="true">video</u></a>!</p> <p data-renderer-start-pos="2212">Our collaborative spirit has helped us become an award-winning FinTech company, with Branch’s innovation and workplace recognized across industries. 
Branch has been honored by Inc., the Webby Awards, Benzinga FinTech Awards, FinTech Breakthrough Awards, Top Workplaces USA, Great Places to Work, and EY Entrepreneur of the Year, Heartland, among others.&nbsp;&nbsp;</p> <p data-renderer-start-pos="2569">Learn more about our culture, approach, technology, and people here: <span data-inline-card="true" data-card-url="https://www.branchapp.com/about" data-annotation-inline-node="true" data-annotation-mark="true" data-renderer-start-pos="2638"><span class="loader-wrapper"><span class="hover-card-trigger-wrapper" data-testid="hover-card-trigger-wrapper"><a class="_1yt4x7n9 _2rko12b0 _v56415x0 _1e0c1nu9 _16d9qvcn _syaz14q2 _1rkwglyw _4cvx15qp _19it7r9e _bfhkhp5a _1a3b1r31 _4fprglyw _5goinqa1 _9oik1r31 _1bnxglyw _jf4cnqa1 _1nrm1r31 _c2waglyw _1iohnqa1 _uizt1kdv _nt751r31 _49pcglyw _1hvw1o36 _1372tlke _7ehi1s3c _1j5pglyw _1di6fg4m" href="https://www.branchapp.com/about" data-testid="inline-card-resolved-view">https://www.branchapp.com/about</a></span></span></span></p> <p data-renderer-start-pos="2642">&nbsp;</p> <p data-renderer-start-pos="2645"><em data-renderer-mark="true">Branch is an equal opportunity employer and we value diversity at our company. 
We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.</em></p> <p data-renderer-start-pos="2891"><em data-renderer-mark="true">Must be currently authorized to work in the USA without sponsorship or transfer.</em></p> <p data-renderer-start-pos="2973"><em data-renderer-mark="true">No third-parties, please.</em></p> <p data-renderer-start-pos="3000"><em data-renderer-mark="true"><u data-renderer-mark="true">View how Branch collects your personal data </u></em><a class="_mizu1p6i _1ah3dkaa _ra3xnqa1 _128mdkaa _1cvmnqa1 _4davt94y _4bfu1r31 _1hms8stv _ajmmnqa1 _vchhusvi _kqswh2mm _syaz14q2 _ect41gqc _1a3b1r31 _4fpr8stv _5goinqa1 _f8pj14q2 _9oik1r31 _1bnxglyw _jf4cnqa1 _30l314q2 _1nrm1r31 _c2waglyw _1iohnqa1 _9h8h16c2 _1053w7te _1ienw7te _n0fxw7te _1vhvg3x0" href="https://www.branchapp.com/legal/ccpa" data-renderer-mark="true"><em data-renderer-mark="true"><u data-renderer-mark="true">here</u></em></a><em data-renderer-mark="true"><u data-renderer-mark="true">.</u></em></p>

About Branch AI

Branch AI

branchai.io

Risk | Hires remote
