Cybersecurity Engineer

About the job

About CrowdHealth

At CrowdHealth, we're creating something radically different: a new way to pay for healthcare that restores control to people. We are not an insurance company; we're a rapidly growing startup transforming the $4 trillion healthcare industry by removing middlemen and allowing members to work directly with their doctors. This role will enable you to make a significant impact within a focused, ambitious team.

The Role

We're seeking a Cybersecurity Engineer to own and advance CrowdHealth's information security and compliance programs, with a special focus on managing our third-party penetration test (pentest) program. You will oversee our compliance tools (such as Drata), conduct cloud and code security audits, coordinate and triage pentest findings with external vendors and internal teams, and drive remediation and retesting to resolution. You'll partner with engineering, DevOps, and leadership to strengthen our security posture while maintaining the fast pace of a startup.

What You'll Do

  • Manage and maintain our compliance platform (Drata): ensure controls are met and audit evidence is current.
  • Run the third-party pentest program: scope pentests, evaluate and select vendors, coordinate testing windows, receive and triage reports, track remediation, and coordinate retesting and executive reporting.
  • Audit our cloud environment (AWS) and applications: identify misconfigurations, insecure defaults, and vulnerabilities.
  • Perform and coordinate vulnerability management: run scans, validate results, prioritize issues, and work with teams to remediate.
  • Review code and infrastructure as code (IaC): provide secure code and configuration reviews and partner with the development and engineering teams to remediate findings.
  • Draft, review, and approve cybersecurity policies: keep policies practical, enforceable, and aligned with compliance needs.
  • Drive incident response readiness: help define and improve detection, reporting, and remediation workflows.
  • Promote security awareness and enforcement: run training, roll out best practices, and help enforce access controls and data protection.
  • Prepare reports for leadership and audits: translate technical findings into business-facing risk summaries and remediation plans.

Role Requirements

  • 3-5+ years in information security, DevSecOps, or security/compliance roles.
  • Demonstrated experience managing third-party penetration testing programs (scoping, vendor selection, triage, remediation tracking).
  • Strong understanding of cloud security (AWS): IAM, networking, storage, logging/monitoring, and secure configuration.
  • Familiarity with Drata or similar compliance platforms (Vanta, Secureframe).
  • Hands-on experience with vulnerability scanning tools and interpreting pentest reports.
  • Experience performing or coordinating code reviews and security reviews of IaC (Terraform, CloudFormation).
  • Working knowledge of secure development, API security, and CI/CD pipeline hardening.
  • Excellent communication: able to turn technical risk into clear remediation plans for engineers and leadership.
  • Understanding of compliance frameworks relevant to CrowdHealth (SOC 2, HIPAA, ISO 27001).

Bonus Points

  • Experience in healthcare or other highly regulated environments.
  • Certifications: OSCP, OSWE, CISSP, CISA, or AWS Security Specialty.
  • Hands-on familiarity with Terraform, Kubernetes, or EKS security.
  • Prior experience evaluating pentest vendors or in-house red team activity.
  • Startup experience or comfort working in a fast-moving, lean organization.

How We'll Measure Success (first 90-180 days)

  • Compliance evidence coverage in Drata is up to date and audit-ready for core controls.
  • At least one full pentest cycle completed (scoping, execution, triage, remediation, retest) with documented process and timelines.
  • Identified and remediated key cloud misconfigurations and critical vulnerabilities.
  • Practical policy updates drafted and communicated; engineers following updated secure-by-default practices.