IC3 Security Engineer · Remote · $110k + Equity

About the Role

This is a hands-on engineering role focused on cloud security, in-app cryptography, dependency hygiene, anti-abuse, observability, and AI-assisted detection. You will work closely with product and foundation engineering teams, and with trust & safety, to proactively detect and reduce risk before users feel it.

This role is globally remote, async by default, and built for engineers who take ownership of security and incident response.

What You'll Do

  • Harden our AWS footprint: IAM policy design, network segmentation, secrets handling, KMS-backed access, and workload isolation

  • Lock down our Cloudflare edge: WAF rules, bot management, rate limits, DDoS posture, Zero Trust access, and DNS hygiene

  • Secure our Vercel surface: project and team permissions, environment variable handling, deployment protection, and preview-URL exposure

  • Plan, build, and maintain in-app encryption primitives across at-rest, in-transit, field-level, and token-level surfaces

  • Own the key lifecycle end-to-end: generation, storage, rotation, revocation, and audit. Make rotation a boring, scheduled event, not a quarterly fire drill

  • Drive dependency hygiene end-to-end: SCA tooling, advisory triage, and pushing fixes through to merged-and-deployed, not just "ticket filed"

  • Define and enforce patch SLAs for critical, high, and medium-severity findings, and keep the queue from going stale

  • Own the throughput of our security scanning programs and the dashboards that report on them

  • When a class of findings keeps recurring, fix the upstream cause (a lint rule, a default, a library, a code review checklist), not just the individual instance

  • Improve the controls that prevent and reduce scam use of Cal.com: fraudulent signups, abuse of bookings, payment fraud patterns, phishing-via-event-types, and spam at our edges

  • Partner with product and trust & safety to translate observed abuse patterns into shipped, measurable defenses (rate limits, heuristics, signals, frictions)

  • Drive a step-change in our security observability so on-call engineers get the data they need within seconds, not hours

  • Integrate AI into our abuse and security pipeline to flag, classify, and block malicious users faster than humans can

  • Prototype, evaluate, and ship LLM-backed classifiers for signup fraud, content abuse, suspicious access patterns, and policy violation triage

  • Build the guardrails (evals, false-positive review loops, override paths) so "AI blocked this user" is a decision we can defend

  • Mentor other engineers on secure coding and be a primary point of contact during incidents in your area
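The in-app encryption and key-lifecycle items above come down to one pattern: envelope encryption with versioned key-encryption keys (KEKs), where a scheduled rotation only re-wraps each record's small data key and never touches the field ciphertext. The block below is an added illustration written for this page, not Cal.com's code; it uses Node's built-in AES-256-GCM and an in-memory `InMemoryKms` class that stands in for AWS KMS (the key ids, the `user:42:phone` context string, and the sample phone number are all constructed for the example).

```typescript
import { randomBytes, createCipheriv, createDecipheriv } from "node:crypto";

/** AES-256-GCM output kept as separate base64 parts (iv, auth tag, ciphertext). */
interface Sealed { iv: string; tag: string; ct: string }

/** One encrypted field value. Only wrappedDek depends on the KEK version. */
export interface Envelope { kekId: string; wrappedDek: Sealed; data: Sealed }

function seal(key: Buffer, plaintext: Buffer, aad: Buffer): Sealed {
  const iv = randomBytes(12); // fresh 96-bit nonce per encryption
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv: iv.toString("base64"), tag: c.getAuthTag().toString("base64"), ct: ct.toString("base64") };
}

function open(key: Buffer, s: Sealed, aad: Buffer): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, Buffer.from(s.iv, "base64"));
  d.setAAD(aad);
  d.setAuthTag(Buffer.from(s.tag, "base64"));
  return Buffer.concat([d.update(Buffer.from(s.ct, "base64")), d.final()]); // throws on tampering
}

/** Hypothetical stand-in for a KMS: holds versioned KEKs and wraps/unwraps data keys. */
export class InMemoryKms {
  private keks = new Map<string, Buffer>();
  private current = "";
  /** Scheduled rotation: mint a new KEK and make it current. Older KEKs stay readable. */
  rotate(): string {
    const id = `kek-v${this.keks.size + 1}`;
    this.keks.set(id, randomBytes(32));
    this.current = id;
    return id;
  }
  currentKeyId(): string { return this.current; }
  wrap(dek: Buffer): { kekId: string; wrappedDek: Sealed } {
    const kek = this.keks.get(this.current);
    if (!kek) throw new Error("no current KEK; call rotate() first");
    // The KEK id is bound as AAD so a wrapped key cannot be replayed under another KEK id.
    return { kekId: this.current, wrappedDek: seal(kek, dek, Buffer.from(this.current)) };
  }
  unwrap(kekId: string, wrappedDek: Sealed): Buffer {
    const kek = this.keks.get(kekId);
    if (!kek) throw new Error(`KEK ${kekId} is retired; envelopes must be re-wrapped before retirement`);
    return open(kek, wrappedDek, Buffer.from(kekId));
  }
  /** Retire a KEK only after an audit shows no envelope still references it. */
  retire(kekId: string): void {
    if (kekId === this.current) throw new Error("cannot retire the current KEK");
    this.keks.delete(kekId);
  }
}

/** Encrypt one field. `context` (e.g. table:row:column) is bound as AAD so ciphertext cannot be moved between records. */
export function encryptField(kms: InMemoryKms, plaintext: string, context: string): Envelope {
  const dek = randomBytes(32);
  const { kekId, wrappedDek } = kms.wrap(dek);
  const data = seal(dek, Buffer.from(plaintext, "utf8"), Buffer.from(context));
  dek.fill(0);
  return { kekId, wrappedDek, data };
}

export function decryptField(kms: InMemoryKms, env: Envelope, context: string): string {
  const dek = kms.unwrap(env.kekId, env.wrappedDek);
  try { return open(dek, env.data, Buffer.from(context)).toString("utf8"); } finally { dek.fill(0); }
}

/** Rotation job: re-wrap the DEK under the current KEK. The field ciphertext is untouched. */
export function rewrap(kms: InMemoryKms, env: Envelope): Envelope {
  if (env.kekId === kms.currentKeyId()) return env;
  const dek = kms.unwrap(env.kekId, env.wrappedDek);
  try {
    const { kekId, wrappedDek } = kms.wrap(dek);
    return { kekId, wrappedDek, data: env.data };
  } finally { dek.fill(0); }
}

/** Walk through encrypt -> scheduled rotation -> re-wrap -> retire, returning what each step proves. */
export function demo() {
  const kms = new InMemoryKms();
  const v1 = kms.rotate();
  const env1 = encryptField(kms, "+1 555 0100", "user:42:phone"); // constructed sample
  const v2 = kms.rotate();                 // the scheduled rotation event
  const env2 = rewrap(kms, env1);          // the rotation job, run over every envelope
  const sameCiphertext = env2.data.ct === env1.data.ct;
  const plain = decryptField(kms, env2, "user:42:phone");
  kms.retire(v1);
  let oldEnvelopeFails = false;
  try { decryptField(kms, env1, "user:42:phone"); } catch { oldEnvelopeFails = true; }
  let wrongContextFails = false;
  try { decryptField(kms, env2, "user:43:phone"); } catch { wrongContextFails = true; }
  return { v1, v2, kekId: env2.kekId, sameCiphertext, plain, oldEnvelopeFails, wrongContextFails };
}
```

With a real KMS the `wrap`/`unwrap` calls become the service's data-key and decrypt operations against a key alias, and the rotation job is a query for envelopes whose `kekId` is not the current alias target plus a re-wrap of each one; that query is also the audit that tells you when an old KEK can be retired. Because re-wrapping touches only the wrapped DEK column, the job is cheap enough to run on a schedule rather than as a quarterly fire drill.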

What We're Looking For

  • Top-tier TypeScript and a deep understanding of how a modern Node.js / Next.js / Prisma stack runs in production

  • Strong hands-on AWS expertise: IAM, KMS, VPC, networking, logging, and the common managed services we lean on

  • Production experience securing infrastructure on Cloudflare and Vercel

  • Practical, applied cryptography: symmetric/asymmetric primitives, envelope encryption, key rotation patterns, JWT and session security, and secrets management

  • Track record running and improving security scanning programs across dependency, code, secret, IaC, and container surfaces

  • Hands-on experience with abuse and fraud detection on a consumer or SaaS platform

  • Experience integrating AI or LLMs into security or trust & safety workflows, with the evals to prove they are working

  • Strong knowledge of common web application attack classes (the OWASP greatest hits, plus business-logic abuse and account takeover) and the controls that stop them

  • Clear written communication and calm incident communication

  • High autonomy mindset and comfort working in a remote, async-first environment

Must Have

  • Several years shipping security work inside a TypeScript or Node codebase

  • Real AWS hardening experience in production, not just on paper

  • Experience designing or rebuilding a key rotation system that actually rotates on schedule

  • A scam or abuse pattern you instrumented, defended against, and measurably reduced

  • Comfort being on call and leading incident response in your area

  • Ability to work in a globally distributed team

Big Plus

  • Strong Terraform experience: writing, reviewing, and modularizing IaC for production cloud accounts, with a security lens (least-privilege roles, drift detection, state management, policy-as-code)

Who You Are

  • You see security as enablement, not gatekeeping

  • You genuinely enjoy abuse and trust & safety problems and like getting your hands dirty

  • You take ownership of the systems you touch and are comfortable participating in on-call and incident response

  • You are friendly, collaborative, and easy to work with across teams

  • You thrive in a globally distributed team and respect different cultures and working styles

  • You are highly curious and continuously learn new attack patterns, tooling, and architectural patterns

  • You stay calm under pressure and write the postmortem you'd want to read

Tech Stack

  • Next.js on Vercel

  • NestJS on Vercel

  • PostgreSQL with Prisma

  • Cloudflare (CDN, WAF, Zero Trust, DNS)

  • AWS (IAM, KMS, networking, logs)

  • Grafana, Axiom, Sentry, Checkly

✨ Why Work at Cal.com?

We're building Cal.com not just as a product, but as a place to do great work and live a good life.

  • 🌐 Work from anywhere, anytime, fully remote & async

  • 💸 Earn the same salary no matter where you live

  • 📅 No standups, no micromanagement, no unnecessary calls

  • 🪩 Real flexibility, take time for life stuff, no approval needed

  • 💻 Work in your own flow, pajamas welcome

  • 🧘 30 paid OOO days per year (wherever you are in the world)

  • ✈️ Yearly team retreats in beautiful locations

  • 🏡 People-first culture, stable, family-friendly, kind

Ready to do the best work of your career?

We’re excited to learn more about you. It only takes a few minutes to apply.