Latacora bootstraps security teams for startups. We’re a place where you can work with startup technology but get real benefits and an environment that lets you do security R&D. We consciously also hire junior folks, and work towards being an antiracist and inclusive organization.

Roles We’re Hiring For Now

If you’re interested in any of these roles, e-mail us at careers@latacora.com.

You do not need to know all of the things listed in a job description! None of us do; we’re just throwing out topics to give you an idea of the projects you might be working on in that role. We also do plenty of research work: there’s absolutely no expectation that you’re already an expert across the board.

  • Secops: Someone who can be comfortable delivering security for infrastructure and cloud/container automation projects. Projects include cloud security audits, IAM least-privilege and lockdown automation, K8s, SSH CAs, monitoring and security logging, et cetera. You will write Clojure nearly exclusively in this role. (Don’t worry, we’ll teach you.)

  • Appsec: Someone who performs software security assessments, typically for web applications, but also iOS and Android mobile apps, cryptography engineering, reviewing protocols and feature designs. This person is comfortable making themselves familiar with codebases of varying sizes and developing a feel for where the squishy spots are.

  • Corpsec: Someone who takes responsibility for the first layer between our clients’ staff and the systems they operate with. That includes mobile device management, SSO systems, desktop software, vendor security (figuring out if a service is safe to use), GSuite applications, et cetera.

About Latacora

Latacora runs the security team for a bunch of startups. Want to hear more? Too bad! Here’s more!

We review and test the products startups ship. That means we get broad exposure. We’ve had clients with stacks including Python, Go, Ruby, Node, Java, and Clojure, running on every AWS and GCP service you can think of. We work directly with development teams, feature by feature, PR by PR. Like most security consultancies, we find bugs, but we also get a say in how they’re fixed, how development environments are hardened, and how features are designed.

We continually monitor networks, cloud environments, containers, orchestration and infrastructure, and even endpoint fleets. We build software to do that, and build things on top of existing open source tooling. Our clients are mostly in AWS, and about a third are in GCP. We have a tiny bit of Azure, though usually those are our clients’ clients’ environments.

We vet the software our customers use, the services they integrate and how they integrate them, the way they deploy software, the way they manage devices and the ways they authenticate to internal tools and third parties.

If a security team at a startup is doing something for their company, chances are it’s a thing we work on as well. We’re happy to answer any questions about the work you might have.

If you’ve ever been interested in doing security for a startup, we’re a chance to do that for a whole bunch of startups at the same time, working with a weird bunch of people who decided that this was all they wanted to do. If that sounds fun, let’s talk!

Some important details

We’re all over the US but our center of mass is the Chicago office. We’ll happily hire remote, but we meet up a few times a year (not right now due to COVID-19 of course), usually in Chicago.

We’re an actual company. We pay full-time salaries, and offer health benefits and paid vacation and have a 401(k) plan and all that jazz. We’re pretty proud of our benefits package and we’re happy to tell you all about it.

We’re a consultancy, but a weird kind of consultancy, where we maintain multi-year relationships with clients. We rarely travel.

Our security engineering roles are all client facing. We have different focuses; some of us specialize in cloud security, others in software security, others on cryptography, and others on policy stuff. We don’t have salespeople or a business team.

We write a ton of software and infrastructure as code. Most of what we write ourselves is in Clojure. Python is a close second. We get that Clojure is not a common language and we will absolutely train you up in it.

Writing is an important skill. Most of our communication with clients is via Slack (though we also get on video calls regularly). We write internal knowledge base articles, client-facing documents, and sometimes blog posts. Being able to express your thoughts in writing is important. We’ll coach you to develop that skill, and we’ve hired editors to help make your ideas have maximum impact.

How We Hire

Rather than your educational background, GitHub pages, Twitter profile, or your ability to write code on a whiteboard, we’re interested in your aptitude and enthusiasm for the problems we work on. The way we figure that out is with work sample tests.

We don’t care how many years of professional experience you have. We don’t care if you went to college or have a degree. That’s one of the reasons we love work sample tests: some of our best hires have resumes that wouldn’t get them past a phone screen at most shops. You don’t have to send us a resume, CV or a little statement about yourself, but we’ll check them out if you do: sometimes people have cool experience or background skills that we’ll never know about otherwise!

We’re not big believers in interviews. We’ll interview you, at the end of our process, but by the time we do we’ll be pretty sure we want to hire you.

We give our candidates a series of challenges, time-calibrated to take about the same amount of time as a reasonable startup interview loop. Our challenges are scored on a rubric. This means everyone passes the same bar for the same role, and the system is engineered to be as objective as possible. And we mean everyone: “known quantity” hires don’t get to bypass the test.

Our Process, Step By Step

  • We’re going to get on a call, and tell you anything you want to know about the company and our hiring process. You’ll get a name and a voice and contact information that you can use for the rest of our hiring process.
  • We’ll prep you for challenges. For instance: everyone (regardless of role) gets a basic software security test. We’ll try our best to make sure you’re ready for it; there are books we like for boning up on this stuff, and we’re happy to send them. We don’t want to surprise you; we want to see you in the best possible light.
  • You’ll do challenges. On your couch, or in the park, or whatever. We’ve calibrated each challenge to take a certain amount of time; we did that to respect your time, not to make you work against a clock. If you want to noodle on a challenge for a while, you can; we do our best to make sure you don’t have to do that to qualify.
  • We use the rubric to score your results. That tells us if there’s a good fit right now. We’ll ask you to come out and meet us in person; when we do that, you’ll know we’ve tech’ed you out and want to find a way to hire you, which we hope makes that last interview pretty laid back.
  • If all has gone well, we’ll get you an offer and figure out when you can start.

If you want to move quick, we can wrap this up inside of 2 weeks. If you want to take your time, you can do that too. We’re almost always hiring and don’t do ruthless recruiter things to speed candidates up or lock them in.