
AI Security Engineer
Orbital
Summary
We are seeking a Contract Security Engineer to serve as the internal security lead for a new product. You will be responsible for the AWS security posture, SOC 2 Type II controls, application hardening, AI/agentic security, penetration test management, continuous security validation, data residency, vendor security, and security reporting. This role requires deep hands-on security engineering experience, strong AWS security knowledge, and experience with SOC 2 Type II and application security.
Details
- Posted: Jun 8, 2026
Description
🚀 We’re on a mission to make real estate transactions smarter, faster, and friction-free.
🏢 Real estate is the world’s largest asset class, yet the legal processes and tools behind it remain slow, manual, and underinvested. Lawyers must review dense documents line by line and piece together information across silos, all while clients demand faster, more transparent due diligence.
🤖 That's where we come in. Orbital Copilot is the AI assistant built exclusively for commercial real estate law. Developed with former practicing real estate lawyers, it accelerates complex due diligence by up to 70% while delivering legal-grade precision.
💰 We’ve just raised a $60m Series B to accelerate our UK/US expansion.
🤝 We're trusted by leading firms like Goodwin and BCLP to remove the busywork so legal teams can focus on what they do best: applying sharp legal judgment, delivering standout client service, and getting deals over the line faster.
💡 Working at Orbital means joining a team that's reimagining how real estate transactions get done - moving fast, working collaboratively, and giving people the ownership to make a real impact from day one.
THE ROLE
We are looking for a Security Engineer (Contract) to be the internal security lead on a greenfield product. You will have full access to source code, cloud infrastructure, and configurations - everything an external pen tester cannot see. Your job is to ensure that the product is enterprise-ready before a customer goes anywhere near it.
You will work alongside our Head of Product Engineering and the Product's hardening squad (platform engineers, a developer, and a QA engineer) and act as day-to-day counterpart to our external security and pen test partners.
WHAT YOU WILL OWN
- AWS security posture from the ground up - working within the AWS Well-Architected Framework to ensure the account structure, IAM, RBAC, and logging/monitoring are set up correctly
- SOC 2 Type II controls and evidence for Project 100X on AWS - ensuring the new platform meets the same compliance bar as our existing certified platform
- Application-level hardening - authentication (JumpCloud SSO/OIDC), API rate limiting, web security headers, CSRF, CORS, file-upload validation
- AI/agentic security - hardening a sandboxed agent environment including shell execution controls, SSRF/DNS rebinding prevention, prompt injection defences, and tool-use guardrails
- Penetration test management - working alongside our external pen test firm (first engagement scoped for early July), triaging findings, and closing them rapidly
- Continuous security validation - putting automated processes in place so that security posture does not erode after this engagement ends
- Data residency - ensuring US and UK data residency requirements are met from the start given our law firm customer base
- Vendor security due diligence - assessing third-party integrations including LLM API providers (OpenAI, Anthropic via AWS Bedrock)
- Security status reporting - concise updates to the Head of Product Engineering and wider leadership
WHAT WE ARE LOOKING FOR
Essential
- Deep, hands-on security engineering experience - not advisory; you build and implement controls
- Strong AWS security knowledge - IAM, account structure, Well-Architected Framework, CloudTrail, GuardDuty, Config, Security Hub
- SOC 2 Type II experience - you have driven controls, evidence collection, and audit preparation in a real engagement
- Application security - auth, RBAC, common web vulnerabilities, and the ability to implement fixes in code and config
- Experience managing external pen test engagements - scoping, triaging findings, and closing them
- Comfort working in a fast-moving, tight-timeline environment with minimal hand-holding
Highly Desirable
- AI/LLM security experience - agentic systems, prompt injection, SSRF in agent fetch tools, sandbox escaping, tool-use threat modelling
- Experience with high-bar compliance frameworks (FedRAMP, NIST) - SOC 2 will feel straightforward if you have done these
- Multi-tenant SaaS security
- Data residency / multi-region architecture across UK and US
- Experience securing LLM API integrations (OpenAI, Anthropic, AWS Bedrock)
- ISO 27001 - we are already certified; familiarity is useful
WHAT MAKES THIS ROLE DIFFERENT
AI security is not a future consideration here - it is the core challenge. The greenfield is an agentic product. The attack surface is fundamentally different to a traditional web application. The person who joins will be working at a genuine frontier: securing agentic AI systems handling sensitive legal data for enterprise clients. That is a very unusual brief, and a compelling one.
🔒 Security is everyone’s responsibility at Orbital. We ask all team members to follow our security policies, complete regular awareness training, and handle sensitive data with care in line with ISO 27001 standards. Spot something unusual? Reporting risks or incidents quickly helps us maintain the strong culture of security and compliance we all depend on.
💡 At Orbital, we’re committed to building a diverse and inclusive team. We especially welcome applications from people who are traditionally underrepresented in tech. Even if you don’t meet every single requirement, or if the right role isn’t listed yet, we’d still love to hear from you.
💰 This hiring range is a reasonable estimate of the base pay range for this position at the time of posting. Pay is based on several factors, which may include job-related knowledge, skills, experience, and business requirements.
