What Security Engineers Actually Do
The role varies, but typically includes:
Application Security (30-40%)
- Security reviews - Code reviews, architecture reviews, threat modeling
- Vulnerability assessment - Finding and fixing security vulnerabilities
- Secure coding practices - Training developers, creating security guidelines
- Security testing - SAST, DAST, penetration testing, bug bounties
Infrastructure Security (20-30%)
- Cloud security - Securing cloud infrastructure (AWS, GCP, Azure)
- Network security - Firewalls, VPNs, network segmentation
- Identity and access management - Authentication, authorization, secrets management
- Compliance - SOC 2, ISO 27001, GDPR, HIPAA
Security Tooling (20-30%)
- Building security tools - Creating tools for developers and security teams
- Automation - Automating security checks, vulnerability scanning
- SIEM and monitoring - Collecting and correlating logs and alerts so that threats can be detected and investigated
- Incident response tooling - Building tools for security operations
Security Operations (10-20%)
- Incident response - Responding to security incidents
- Threat detection - Monitoring for security threats
- Forensics - Investigating security incidents
- Vulnerability management - Tracking and remediating vulnerabilities
Security Engineer Archetypes: Know What You Need
Application Security Engineer
- Focuses on secure software development
- Code reviews, threat modeling, secure coding
- Common at companies building software products
- Risk: May lack infrastructure security expertise
Infrastructure Security Engineer
- Focuses on cloud and infrastructure security
- Cloud security, network security, IAM
- Common at companies with complex infrastructure
- Risk: May lack application security depth
Security Tooling Engineer
- Builds security tools and automation
- Creates tools for developers and security teams
- Common at larger companies
- Risk: May lose touch with security operations
DevSecOps Engineer
- Integrates security into DevOps processes
- Security automation, CI/CD security, shift-left security
- Common at companies with mature DevOps practices
- Risk: May lack deep security expertise
Be explicit about which type you need.
Interview Focus Areas
Security Fundamentals
- Understanding of common vulnerabilities (OWASP Top 10)
- Threat modeling and risk assessment
- Security architecture and design
- Cryptography basics
Application Security
- Secure coding practices
- Code review for security issues
- Vulnerability assessment and remediation
- Security testing (SAST, DAST, penetration testing)
Infrastructure Security
- Cloud security (AWS, GCP, Azure)
- Network security and segmentation
- Identity and access management
- Secrets management
Security Engineering
- Can they write code?
- Building security tools and automation
- Integrating security into development workflows
- Balancing security with developer productivity
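To make "can they write code?" concrete, here is an added example of the kind of small security tool a Security Engineer builds and that a take-home or interview coding exercise for this role tends to resemble: a secret scanner that a pre-commit hook or CI job can run. It is written for this guide and is not a tool from any company or project mentioned on the page. The rule set, the `secret-scan: allow` marker, the entropy threshold, the fingerprint-based baseline and the sample configuration are all assumptions chosen for illustration; the `AKIA...EXAMPLE` value is the placeholder key used in AWS documentation, not a live credential.

```python
"""Minimal secret scanner of the kind a pre-commit hook or CI job would run.

Added illustration for this guide; not a tool from any named company.
It looks for a few well-known credential formats, skips low-entropy
placeholder values, honours an inline allow marker, and accepts a
baseline of fingerprints so known findings do not keep blocking commits.
"""
import hashlib
import math
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Detection rules (assumed for this example). The first three are fixed credential
# formats; the last catches `api_key = "..."` style assignments and is filtered by
# entropy below so that placeholders such as "changeme" do not fire.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['"]([^'"\s]{8,})['"]"""
    ),
}
ALLOW_MARKER = "secret-scan: allow"  # assumed inline marker for known-fake values
MIN_ENTROPY = 3.0                    # bits per character; "changeme" scores about 2.75


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str       # redacted match, safe to show in CI logs
    fingerprint: str   # stable id of the raw match, used for baselining


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; low values mean placeholders, not secrets."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _redact(match: str) -> str:
    # Keep a short prefix so the finding is recognisable without leaking the value.
    return match[:4] + "*" * (len(match) - 4) if len(match) > 4 else "****"


def _fingerprint(path: str, rule: str, match: str) -> str:
    return hashlib.sha256(f"{path}\0{rule}\0{match}".encode()).hexdigest()[:16]


def scan_text(path: str, text: str, baseline=frozenset()) -> list:
    """Scan one file's contents; return findings that are not in the baseline."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue  # developer has explicitly marked this line as a fake value
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            raw = m.group(0)
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < MIN_ENTROPY:
                continue  # looks like a placeholder such as "changeme"
            fp = _fingerprint(path, rule, raw)
            if fp in baseline:
                continue  # already triaged; do not block the commit again
            findings.append(Finding(path, line_no, rule, _redact(raw), fp))
    return findings


def scan_files(paths, baseline=frozenset()) -> list:
    findings = []
    for p in paths:
        findings.extend(scan_text(str(p), Path(p).read_text(errors="replace"), baseline))
    return findings


# Constructed sample input for a stand-alone run; none of these are real credentials.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "changeme"
api_key = "s3cr3t-8f1c2b9d4e7a6f0b3c5d9e1a"
GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
example_token = "AKIAIOSFODNN7EXAMPLE"  # secret-scan: allow
-----BEGIN RSA PRIVATE KEY-----
"""


def main(argv) -> int:
    """CLI entry: scan the given files (or the sample when none are given).
    A non-zero exit status is what makes the pre-commit hook or CI job fail."""
    baseline = frozenset()
    if argv and argv[0] == "--baseline":
        baseline = frozenset(Path(argv[1]).read_text().split())
        argv = argv[2:]
    findings = scan_files(argv, baseline) if argv else scan_text("sample.env", SAMPLE_CONFIG)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}  (fingerprint {f.fingerprint})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to scan the embedded sample, or `python scanner.py --baseline known.txt src/config.env` to scan real files while ignoring fingerprints already triaged. The parts worth probing in an interview are the ones that balance security with developer productivity: the entropy filter, the allow marker and the baseline exist so that the check does not cry wolf on placeholders and get disabled, and the redacted snippet keeps the real value out of CI logs. A candidate who only writes the regexes has written a detector; one who also thinks about false positives, triage and log hygiene has written a tool developers will keep running.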
Common Hiring Mistakes
1. Hiring Security Experts Who Can't Code
Security Engineers need to write code—security tools, automation, and sometimes production code. Don't hire security analysts who can't code.
2. Treating Security Engineers as "Security Police"
Security Engineers should enable teams to build securely, not just say "no." Look for candidates who partner with developers, not block them.
3. Not Testing Security Thinking
"Tell me about OWASP Top 10" tests knowledge. "How would you secure this system?" tests thinking. Focus on security engineering, not just security knowledge.
4. Ignoring Developer Experience
The best Security Engineers understand developer workflows and integrate security seamlessly. Security that slows down development gets bypassed.
Red Flags
- Only talks about blocking things - Security Engineers should enable secure development
- Can't write code - Security Engineers need software engineering skills
- No experience with modern development - Should understand CI/CD, cloud, containers
- Adversarial relationship with developers - Good Security Engineers partner with developers
- Only knows compliance - Compliance is important but not the only focus
- Hasn't built security tools - Security Engineers should automate security
- Doesn't ask about your security culture or how security fits into the development process - Shows lack of understanding of what security engineering involves
What Makes Security Engineers Different from Other Roles
Understanding the distinction helps you hire the right person:
Security Engineer vs. Security Analyst
Security Analysts monitor systems for threats, respond to alerts, and investigate incidents. Security Engineers build security into systems, write security tools, and prevent vulnerabilities through automation. Engineers are proactive builders; analysts are reactive responders.
Security Engineer vs. Penetration Tester
Penetration testers (ethical hackers) focus on finding vulnerabilities through active testing. Security Engineers have broader scope: building security tooling, integrating security into CI/CD, training developers, and improving security posture. Some overlap exists, but Security Engineers spend more time building than breaking.
Security Engineer vs. Compliance Specialist
Compliance specialists focus on regulatory requirements (SOC 2, HIPAA, GDPR). Security Engineers focus on technical security controls and implementation. Compliance knowledge is helpful but shouldn't be the primary focus—great Security Engineers understand both.