RemNavi/Developer Jobs/Cybersecurity Engineering
Developer JobsBrowse all jobs

Remote Cybersecurity Engineer Jobs

Role: Cybersecurity Engineer · Category: Cybersecurity Engineering

Cybersecurity is split into enough specializations that "Security Engineer" could mean anything from code review to incident response to risk management. The only way to figure out what the job actually is, is to read past the title and understand what risk the company is trying to manage.

Three jobs are hiding in the same keyword

The same label covers three pretty different engineering paths.

Application security engineer. Focused on finding and fixing vulnerabilities in code and deployed applications — threat modeling, code review, static analysis, penetration testing, vulnerability management. Day to day: reviewing application code and architecture for security flaws, working with developers to fix issues, sometimes running security training. Needs strong development background, understands how systems fail, comfortable with the pace of development teams. Mid to senior usually.

Cloud and infrastructure security engineer. Guarding the infrastructure itself — cloud configuration, identity and access management, network security, secrets management, compliance controls at scale. Day to day: securing cloud resources, reviewing IAM policies, implementing detection controls, auditing infrastructure configurations. Needs deep cloud knowledge, systems thinking, and comfort with automation. Common at large companies and cloud-native companies.

Security operations and incident response engineer. First responder when things go wrong — monitoring security alerts, investigating incidents, containing threats, hunting for suspicious activity, writing runbooks. Day to day: alerts, escalations, postmortems, and being on-call for security events. Needs systems thinking and cool-headed investigation skills. High pressure, good pay, critical but sometimes thankless work.

Four employer types cover most of the market

Where security engineers work shapes what problems they actually solve.

Security-product companies. Companies whose product is security software — SentinelOne, Snyk, CrowdStrike, and others. Work here is deep and product-focused: engineers are often also users of their own product. Strong engineering culture, good pay, security is the core business so your work is valued. Highest bar for technical depth.

Fintech and regulated industries. Banks, payment processors, insurance companies, healthcare — compliance is a business requirement. Security work here is thorough, heavily audited, and sometimes slow. Regulations drive priorities. Usually well-paid and stable; engineering pace is more measured.

Cloud platform companies. AWS, Google Cloud, Azure — security is built into the platform itself. Engineers here work on the infrastructure that millions of companies rely on. High technical bar, high impact, sometimes abstract. Great for learning systems security at scale.

Enterprise security teams. Large organizations (Fortune 500 companies) building internal security infrastructure. Teams are bigger, processes are heavier, and the work is often about managing risk across a sprawling environment. Pay is good; bureaucracy can be frustrating. Less of the "hunt for vulnerabilities" and more "maintain controls at scale."

What the stack actually looks like

Security engineering touches so many tools that generalizing is hard. Most roles assume: strong understanding of security fundamentals (cryptography, authentication, authorization basics); comfort with at least one major cloud platform; knowledge of relevant threat models and attack vectors; logging and monitoring tools; and sometimes vulnerability scanning tools or SIEM platforms. Beyond that, it varies wildly. Application security engineers need code review skills and vulnerability analysis. Infrastructure engineers need cloud architecture knowledge. Incident response engineers need investigation tools and threat intelligence platforms. The listing should hint at which.

Six things worth checking before you apply

Security roles are especially easy to misjudge without these checks.

  1. Whether you'll be hunting vulnerabilities or managing security as a system. Some roles are "find and fix bugs." Others are "architect and implement controls." Both are valuable; they're different jobs. The listing will hint at this through language about vulnerability management and code review versus language about architecture, policy, and controls.

  2. How much on-call and incident response is actually involved. Some security teams have on-call rotations. Others focus on preventative work. Some balance both. If the listing doesn't mention on-call, ask. On-call for security can be high-stakes and disruptive.

  3. What "working with developers" actually means. Do you consult on architecture decisions? Do you review their code? Do you train them? Do you block their releases? The relationship between security and product teams varies wildly. Some are collaborative; some are adversarial. Read the language carefully.

  4. Whether compliance is a major part of the role. Some companies treat compliance (SOC 2, ISO 27001, HIPAA, PCI-DSS) as a security function. Others have separate compliance teams. If the listing emphasizes compliance heavily, know that a decent chunk of your time will be gathering evidence and documentation, not hunting vulnerabilities.

  5. How mature the security program actually is. New programs are in reactive firefighting mode. Mature programs are proactive and strategic. A startup building security from scratch is very different from a company with an established security function. The work in each is different enough to matter for your sanity.

  6. What kind of visibility and support you'll have. Some companies take security seriously and give engineers organizational weight. Others see security as a cost center or regulatory obligation. Language about security leadership, executive sponsorship, and engineering resources hints at this.

The bottleneck is different at every level

Junior security roles are rare because security usually requires systems thinking that doesn't come from bootcamps or entry-level positions. Most "junior" security roles actually want someone with 2–3 years of backend engineering or systems experience who's transitioning into security.

What moves the needle if you're coming from engineering is evidence of security thinking — a blog post about a vulnerability you found, contributions to security-focused open source, a detailed writeup of a threat model, or concrete experience finding and fixing security issues. It doesn't have to be at work; a detailed analysis of a public CVE or a thoughtful look at a product's security architecture shows you can think like a security engineer.

At mid and senior levels, the gap widens based on specialization. Application security engineers need deep code review skills and threat modeling ability. Infrastructure engineers need systems architecture thinking. Incident response engineers need investigation and lateral thinking skills. What separates mid from senior is the ability to influence strategy and make the hard tradeoffs between security and usability, between perfect and good-enough.

What the hiring process usually looks like

Security hiring varies by specialism but tends to be thorough. Expect 3–6 weeks: (1) application — CV, background in security or systems work, maybe a writeup of a security issue you've dealt with; (2) screen — 20–30 minute call to gauge technical depth and understand the role; (3) technical — often a scenario (how would you investigate this incident? design security controls for this system?) or sometimes code review of a deliberately vulnerable application; (4) deep-dive — architecture discussion, past incident walkthrough, or technical implementation details of something you've built; (5) offer — comp, on-call expectations, scope of role.

Red flags and green flags

Red flags — step carefully or pass:

  • "Security Engineer" title with a vague description that could mean anything — no clarity on what specific risks the role owns.
  • Heavy emphasis on compliance and audit work with no mention of actual security engineering or vulnerability work.
  • A listing that treats security as a gate or blocker on the development process with no collaborative language.
  • On-call expectations that are unclear or seem like you'll be the only person on-call during major incidents.
  • Salary bands missing or a range so wide it contains no information (like $80K–$250K).

Green flags — strong signal of a healthy team:

  • Clear description of what the security function actually does and where this role fits in.
  • Named security leader or CISO with visible public work — conference talks, blog posts, or publications.
  • Honest conversation about on-call, incident volume, and how security integrates with development.
  • A technical task that's actually about the company's real threat models and infrastructure, not generic security theory.
  • Evidence that security has executive sponsorship and meaningful budget.

Gateway to current listings

RemNavi doesn't post jobs. We pull them in from public sources and link straight through to the employer's own listing, so you always apply at the source.

Frequently asked questions

Do I need a security degree or certifications to get hired? No. Most good security engineers come from other engineering backgrounds — backend, infrastructure, systems. Certifications like OSCP, CEH, or CISSP can help, but a strong portfolio of security work (published research, bug bounty reputation, or real incident response experience) matters more than credentials.

How much coding do I need to know? Strong. Security engineering requires understanding how systems fail, and that requires knowing code deeply. You don't need to be a software engineer, but you need to understand architecture, common vulnerabilities, and how to read code critically. Most security roles assume solid engineering fundamentals.

Is bug bounty experience valuable? Very much so. If you've found vulnerabilities at scale and understand how disclosure works, that's compelling evidence of security thinking. Public writeups of interesting vulns or active bug bounty reputation is a strong signal for application security roles especially.

What's the difference between security engineer and security architect? Usually scope and seniority. Security engineers implement and maintain security controls. Security architects design the systems that manage risk. In practice, senior security engineers do a lot of architecture, and the titles are sometimes interchangeable. Read the job description.

RemNavi pulls listings from company career pages and a handful of remote job boards, then sends you straight to the employer to apply. We don't host the listings ourselves, and we don't stand between you and the hiring team.

Related resources

Get the free Remote Salary Guide 2026

See what your salary actually buys in 24 cities worldwide. PPP-adjusted comparisons, role salary bands, and negotiation advice. Enter your email and the PDF downloads instantly.

Ready to find your next remote cybersecurity engineering role?

RemNavi aggregates remote jobs from dozens of platforms. Search, filter, and apply at the source.

Browse all remote jobs