DevSecOps Engineer

ABOUT VERLOOP:

We are the world's leading customer support automation platform. We help B2C businesses automate their conversations with customers and make them highly personalized. This enables them to run an automated 247 customer engagement platform. Businesses use Verloop as an end-to-end chat platform to automate customer support, generate more leads, qualify leads, push relevant offers, and more. Verloop's conversation chatbot is trained with our home-grown natural language processing and understanding layers that are built using advanced language models.

Verloop processes 60 M+ messages/day and achieves 94.56% accuracy, 92% support queries resolved, 100+ million unique users reached.

OUR VALUES:

At Verloop.io, we believe that the internet was the single largest revolution for global communication. It's how you can talk to your friends and family across the globe in seconds, and how we're talking to you right now. But even as technology was built to make it quicker and easier for people to talk to each other, businesses didn't buy in using old tools and older ideas. Verloop.io aims to achieve a single mission to help enterprise businesses help their customers better. From creating easier outreach to building more meaningful relationships, our technology-first focus empowers businesses to get the most out of every interaction.

In chasing this goal, we hold four key values close to our heart: Passion, Commitment, Leadership, Customer Fixation.

About the Role :

Today, security and compliance responsibilities are distributed across the CTO and the DevOps/SRE team. As we scale to more regulated enterprise clients (banking, healthcare), we need a dedicated person who can:

- Be the single point of contact for all customer security queries, vendor assessments, and compliance questionnaires

- Own and drive audit cycles (SOC 2 Type 2, ISO 27001, HIPAA) with our audit partner.

- Proactively identify and fix security gaps in our cloud infrastructure before they show up in VAPT reports

- Bridge the gap between security and DevOps someone who can write Kubernetes network policies as comfortably as they write SOC 2 control narratives

What You'll Work On :

Customer Security & Compliance (40%)

This is the most immediate and visible part of the job. Our enterprise customers banks, healthcare providers, large enterprises send detailed security questionnaires and conduct vendor risk assessments before and during engagements. You will be the person who owns these responses.

• Respond to customer security questionnaires (SIG, CAIQ, custom vendor assessments) with accurate, well-articulated answers. These cover encryption standards, data residency, access controls, incident response, business continuity, third-party risk, and AI-specific security typically 100250 questions per assessment.
• Handle live security calls and presentations with customer CISOs and security teams. You should be able to explain our architecture, security controls, and compliance posture confidently to a technical audience.
• Manage audit cycles end-to-end coordinate with CyberSapiens (our SOC 2 auditor), gather evidence, ensure controls are documented and operating, track remediation of findings, and deliver clean reports.
• Maintain and evolve compliance documentation security policies, SOA (Statement of Applicability), risk registers, VAPT remediation trackers, incident response plans, BCP/DR documentation.
• Drive certification transitions such as ISO 27001:2013 to ISO 27001:2022, and scope expansion for new compliance requirements (HIPAA for healthcare clients, UAE NESA/PDPL for regional requirements).

Cloud Security & Infrastructure Hardening (35%)

You won't just write security documents you'll get your hands dirty in the infrastructure. Our stack runs on GKE and AKS clusters with MongoDB, Redis, and PostgreSQL databases, fronted by WAFs and load balancers.

• Kubernetes security implement and enforce pod security standards, network policies, RBAC, container image scanning, registry controls, and secrets management. Review and harden Helm charts and deployment manifests.
• Cloud security posture management audit and harden IAM policies across GCP and Azure, enforce least privilege, manage service account governance, and implement preventive guardrails.
• Network security VPC architecture, firewall rules, IPSEC VPN configurations for banking clients, private service endpoints, IP whitelisting, and SIP trunk security for voice infrastructure.
• SIEM and monitoring manage and extend our Microsoft Sentinel deployment, create detection rules, set up alerting for security events, integrate log sources from both GCP and Azure environments.
• Vulnerability management coordinate biannual VAPT engagements, triage and track findings (we've dealt with SSRF, credential exposure, and similar issues), own the remediation pipeline, and verify fixes.
• Cost-aware security optimize security tooling and logging costs (we recently identified 77% potential savings from log retention adjustments you'd own decisions like these).

DevOps Collaboration (25%)

This is not a pure security role that writes reports from the sideline. You will work embedded with the DevOps/SRE team and occasionally take on infrastructure work.

• CI/CD pipeline security integrate SAST, SCA, container scanning into build pipelines. We use SonarQube for static analysis and need deeper integration.
• Infrastructure as Code review review Terraform/Helm configurations for security misconfigurations before they reach production.
• Incident response participate in on-call rotation for security incidents, conduct post-mortems, and update runbooks.
• DR and BCP help maintain and test disaster recovery procedures across our multi-region setup.
• Endpoint and access security manage MDM policies, SSO/MFA enforcement, and privileged access management for the engineering team