Latacora bootstraps security teams for startups. We’re a place where you can work with startup technology but get real benefits and an environment that lets you do security R&D. We consciously also hire junior folks, and work towards being an antiracist and inclusive organization.
If you’re interested in any of these roles, e-mail us at email@example.com.
You do not need to know all of the things listed in a job description! None of us do; we’re just throwing out topics to give you an idea of the projects you might be working on in that role. We also do plenty of research work: there’s absolutely no expectation that you’re already an expert across the board.
Secops: Someone who can be comfortable delivering security for infrastructure and cloud/container automation projects. Projects include cloud security audits, IAM least-privilege and lockdown automation, K8s, SSH CAs, monitoring and security logging, et cetera. You will write Clojure nearly exclusively in this role. (Don’t worry, we’ll teach you.)
Appsec: Someone who performs software security assessments, typically for web applications, but also iOS and Android mobile apps, cryptography engineering, reviewing protocols and feature designs. This person is comfortable making themselves familiar with codebases of varying sizes and developing a feel for where the squishy spots are.
Corpsec: Someone who takes responsibility for the first layer between our clients’ staff and the systems they operate with. That includes mobile device management, SSO systems, desktop software, vendor security (figuring out if a service is safe to use), GSuite applications, et cetera.
Latacora runs the security team for a bunch of startups. Want to hear more? Too bad! Here’s more!
We review and test the products startups ship. That means we get broad exposure. We’ve had clients with stacks including Python, Go, Ruby, Node, Java, and Clojure, running on every AWS and GCP service you can think of. We work directly with development teams, feature by feature, PR by PR. Like most security consultancies, we find bugs, but we also get a say in how they’re fixed, how development environments are hardened, and how features are designed
We continually monitor networks, cloud environments, containers, orchestration and infrastructure, and even endpoint fleets. We build software to do that, and build things on top of existing open source tooling. Our clients are mostly in AWS, and about a third are in GCP. We have a tiny bit of Azure, though usually those are our clients’ clients’ environments.
We vet the software our customers use, the services they integrate and how they integrate them, the way they deploy software, the way they manage devices and the ways they authenticate to internal tools and third parties.
If a security team at a startup is doing something for their company, chances are it’s a thing we work on as well. We’re happy to to answer any questions about the work you might have.
If you’ve ever been interested in doing security for a startup, we’re a chance to do that for a whole bunch of startups at the same time, working with a weird bunch of people who decided that this was all they wanted to do. If that sounds fun, let’s talk!
We’re all over the US but our center of mass is the Chicago office. We’ll happily hire remote, but we meet up a few times a year (not right now due to COVID-19 of course), usually in Chicago.
We’re an actual company. We pay full-time salaries, and offer health benefits and paid vacation and have a 401(k) plan and all that jazz. We’re pretty proud of our benefits package and we’re happy to tell you all about it.
We’re a consultancy, but a weird kind of consultancy, where we maintain multi-year relationships with clients. We rarely travel.
Our security engineering roles are all client facing. We have different focuses; some of us specialize in cloud security, others in software security, others on cryptography, and others on policy stuff. We don’t have salespeople or a business team.
We write a ton of software and infrastructure as code. Most of what we write ourselves is in Clojure. Python is a close second. We get that Clojure is not a common language and we will absolutely train you up in it.
Writing is an important skill. Most of our communication with clients is via Slack (though we also get on video calls regularly). We write internal knowledge base articles, client-facing documents, and sometimes blog posts. Being able to express your thoughts in writing is important. We’ll coach you to develop that skill, and we’ve hired editors to help make your ideas have maximum impact.
Rather than your educational background, Github pages, Twitter profile, or your ability to write code on a whiteboard, we’re interested in your aptitude and enthusiasm for the problems we work on. The way we figure that out is with work sample tests.
We don’t care how many years of professional experience you have. We don’t care if you went to college or have a degree. That’s one of the reasons we love work sample tests: some of our best hires have resumes that wouldn’t get them past a phone screen at most shops. You don’t have to send us a resume, CV or a little statement about yourself, but we’ll check them out if you do: sometimes people have cool experience or background skills that we’ll never know about otherwise!
We’re not big believers in interviews. We’ll interview you, at the end of our process, but by the time we do we’ll be pretty sure we want to hire you.
We give our candidates a series of challenges, time-calibrated to take about the same amount of time as a reasonable startup interview loop. Our challenges are scored on a rubric. This means everyone passes the same bar for the same role, and the system is engineered to be as objective as possible. And we mean everyone: “known quantity” hires don’t get to bypass the test.
If you want to move quick, we can wrap this up inside of 2 weeks. If you want to take your time, you can do that too. We’re almost always hiring and don’t do ruthless recruiter things to speed candidates up or lock them in.