Latacora bootstraps security teams for startups. We’re a place where you can work with startup technology but get real benefits and an environment that lets you do security R&D. We consciously also hire junior folks, and work towards being an antiracist and inclusive organization.
If you’re interested in any of these roles, please fill out this form and e-mail us at email@example.com. You do not need to know all of the things listed in a job description! None of us do; we’re just throwing out topics to give you an idea of the projects you might be working on in that role. We also do plenty of research work: there’s absolutely no expectation that you’re already an expert across the board.
Latacora runs the security team for a bunch of startups. Want to hear more? Too bad! Here’s more!
We review and test the products that our clients ship. That means we get broad exposure. We’ve had clients with stacks including Python, Go, Ruby, Node, Java, and Clojure, running on every AWS and GCP service you can think of. We work directly with development teams, feature by feature, PR by PR. Like most security consultancies, we find bugs, but we also get a say in how they’re fixed, how development environments are hardened, and how features are designed.
We continually monitor networks, cloud environments, containers, orchestration and infrastructure, and even endpoint fleets. We build software to do that, and build things on top of existing open source tooling. Our clients are mostly in AWS, and about a third are in GCP. We have a tiny bit of Azure, though usually those are our clients’ clients’ environments.
We vet the software our customers use, the services they integrate and how they integrate them, the way they deploy software, the way they manage devices and the ways they authenticate to internal tools and third parties.
If you’ve ever been interested in doing security for a startup, you get to do this for a whole bunch of startups at the same time, working with a bunch of people who decided that this was all they wanted to do.
We’re good at bringing new folks into the industry and we have the track record to back the statement up. If you’re already in security that’s great, but we’re also willing to work with skilled individuals from the non-security side (e.g. DevOps or IT) and train them in security.
We’re all over the US but our center of mass is the Chicago office. (It just worked out that way!) We’ll happily hire remote, but we try to meet up at least a couple times a year (not right now due to COVID-19 of course), usually in Chicago.
We were founded in 2017 and have grown to 30+ employees. We have competitive salaries; pay the employee (and family) premium for health care costs; offer a generous vacation and leave policy that includes paid vacation days, company holidays, floating holidays, unlimited sick/personal days, paid parental leave (16 weeks!), paid medical leave (different than parental leave), and paid military leave; and have an awesome 401(k) where we match 1:1 up to the federal amount. For a 30-person company, we’re pretty proud of our benefits package and we are always trying to improve.
We’re a consultancy, but a weird kind of consultancy, where we maintain multi-year relationships with clients. We rarely travel.
Our security engineering roles are all client facing. We have different focuses; some of us specialize in cloud security, others in software security, others in cryptography, and others in policy stuff. We don’t have salespeople or a business team.
We write a ton of software and infrastructure as code. Most of what we write ourselves is in Clojure. Python is a close second. We get that Clojure is not a common language and we will absolutely train you up in it.
Writing is an important skill. Most of our communication with clients is via Slack (though we also get on video calls regularly). We write internal knowledge base articles, client-facing documents, and sometimes blog posts. Being able to express your thoughts in writing is important. We’ll coach you to develop that skill, and we’ve hired editors to help make your ideas have maximum impact.
We don’t focus on your educational background, GitHub pages, Twitter profile or your ability to write code on a whiteboard. What we are interested in is your aptitude and enthusiasm for problems we work on. We are still interested in having your resume on file because sometimes folks have cool experience or background skills we would never know about otherwise. We don’t care how many years of professional experience you have. We don’t care if you went to college or have a degree. The way we figure out if you’re a good fit for Latacora is with a work sample test. Some of our best hires have resumes that wouldn’t get them a phone screen at other companies.
We’re not big believers in 4-8 hour structured technical interviews. Our main focus is on the work sample tests but we’ll still want to chat with you to demonstrate we’re both humans.
We give our candidates a series of challenges, time-calibrated to take about the same amount of time as a reasonable startup interview loop. Our challenges are scored on a rubric. This means everyone passes the same bar for the same role, and the system is engineered to be as objective as possible. And we mean everyone: “known quantity” hires don’t get to bypass the test.
We’re happy to answer questions or offer advice; you can’t waste our time!