AI Security Engineer

Full-Time 60000 - 80000 £ / year (est.) Home office (partial)
Orbital Witness Limited

At a Glance

  • Tasks: Lead security for our innovative Greenfield Product, ensuring enterprise readiness and robust protection.
  • Company: Join Orbital Copilot, a trailblazer in AI for commercial real estate law.
  • Benefits: Competitive pay, flexible work environment, and the chance to make a real impact.
  • Other info: Diverse and inclusive team culture, welcoming all backgrounds.
  • Why this job: Be at the forefront of transforming real estate transactions with cutting-edge technology.
  • Qualifications: Hands-on security engineering experience and strong AWS knowledge required.

The predicted salary is between 60000 - 80000 £ per year.

We’re on a mission to make real estate transactions smarter, faster, and friction-free. Real estate is the world’s largest asset class, yet the legal processes and tools behind it remain slow, manual, and underinvested. Lawyers must review dense documents line by line and piece together information across silos, all while clients demand faster, more transparent due diligence. That’s where we come in. Orbital Copilot is the AI assistant built exclusively for commercial real estate law. Developed with former practicing real estate lawyers, it accelerates complex due diligence by up to 70% while delivering legal-grade precision. We’ve just raised a $60m Series B to accelerate our UK/US expansion. We’re trusted by leading firms like Goodwin and BCLP to remove the busywork so legal teams can focus on what they do best: applying sharp legal judgment, delivering standout client service, and getting deals over the line faster.

Working at Orbital means joining a team that’s reimagining how real estate transactions get done – moving fast, working collaboratively, and giving people the ownership to make a real impact from day one.

The role

We are looking for a Security Engineer (Contract) to be the internal security lead on our Greenfield Product. You will have full access to source code, cloud infrastructure, and configurations, everything an external pen tester cannot see. Your job is to ensure the product is enterprise-ready before a customer goes anywhere near it. You will work alongside the Greenfield Product hardening squad: head of engineering, platform engineers, a developer, and a QA engineer. You will also act as day‑to‑day counterpart to our external security and pen test partners. This is a hands‑on engineering role, not an advisory one. You will be building and implementing controls, not writing recommendations for someone else to action.

What this role is not

We are not looking for a consultant who produces reports and hands them to an engineering team. We are not looking for someone whose SOC 2 experience is limited to policy writing or questionnaire completion. And we are not looking for someone who needs close direction or a large security team around them to operate. The right person has done this before, moves quickly, and can own the security posture of a greenfield AWS product independently.

What you will own

  • AWS security posture from the ground up: account structure, IAM, RBAC, logging, and monitoring within the AWS Well-Architected Framework.
  • SOC 2 Type II controls and evidence for the Greenfield Product on AWS, ensuring the new platform meets the same compliance bar as our existing certified platform.
  • Application-level hardening: authentication (JumpCloud SSO/OIDC), API rate limiting, web security headers, CSRF, CORS, and file-upload validation.
  • AI and agentic security: hardening a sandboxed agent environment including shell execution controls, SSRF/DNS rebinding prevention, prompt injection defences, and tool‑use guardrails.
  • Penetration test management: working alongside our external pen test firm, triaging findings, and closing them rapidly.
  • Continuous security validation: putting automated processes in place so that security posture does not erode after this engagement ends.
  • Data residency: ensuring US and UK data residency requirements are met from the start given our law firm customer base.
  • Vendor security due diligence: assessing third‑party integrations including LLM API providers (OpenAI, Anthropic via AWS Bedrock).
  • Security status reporting: concise updates to Graham and wider leadership.

You should apply if

  • You have deep, hands‑on security engineering experience: you build and implement controls, you do not just advise.
  • You have strong AWS security knowledge: IAM, account structure, Well-Architected Framework, CloudTrail, GuardDuty, Config, and Security Hub.
  • You have driven a real SOC 2 Type II engagement: controls, evidence collection, and audit preparation, not just policy documentation.
  • You have application security experience: auth, RBAC, common web vulnerabilities, and the ability to implement fixes directly in code and config.
  • You have managed external pen test engagements: scoping, triaging findings, and closing them.
  • You are comfortable working at pace with minimal hand‑holding in a small, senior team.
  • You are available immediately or within days, not weeks.

It would also be great if you have

  • AI and LLM security experience: agentic systems, prompt injection, SSRF in agent fetch tools, sandbox escaping, and tool‑use threat modelling.
  • Experience with high‑bar compliance frameworks (FedRAMP, NIST): SOC 2 will feel straightforward if you have done these.
  • Multi‑tenant SaaS security experience.
  • Data residency and multi‑region architecture experience across UK and US.
  • Experience securing LLM API integrations (OpenAI, Anthropic, AWS Bedrock).
  • ISO 27001 familiarity: we are already certified.

Security is everyone’s responsibility at Orbital. We ask all team members to follow our security policies, complete regular awareness training, and handle sensitive data with care in line with ISO 27001 standards. Spot something unusual? Reporting risks or incidents quickly helps us maintain the strong culture of security and compliance we all depend on.

At Orbital, we’re committed to building a diverse and inclusive team. We especially welcome applications from people who are traditionally underrepresented in tech. Even if you don’t meet every single requirement, or if the right role isn’t listed yet, we’d still love to hear from you.

This hiring range is a reasonable estimate of the base pay range for this position at the time of posting. Pay is based on several factors, which may include job‑related knowledge, skills, experience, and business requirements.

AI Security Engineer employer: Orbital Witness Limited

At Orbital, we pride ourselves on being an innovative employer that empowers our team members to make a significant impact from day one. Our collaborative work culture fosters creativity and ownership, while our commitment to employee growth ensures that you will have ample opportunities to develop your skills in a fast-paced environment. With a focus on diversity and inclusion, we welcome unique perspectives and experiences, making Orbital an exceptional place to advance your career in the exciting field of AI security within the commercial real estate sector.

Contact Details:

Orbital Witness Limited Recruitment Team

StudySmarter Expert Advice🤫

We think this is how you could land AI Security Engineer

Tip Number 1

Network like a pro! Reach out to folks in the industry, attend meetups, and connect with people on LinkedIn. You never know who might have the inside scoop on job openings or can put in a good word for you.

Tip Number 2

Prepare for interviews by practising common questions and scenarios related to security engineering. We recommend doing mock interviews with friends or using online platforms to get comfortable with your responses.

Tip Number 3

Showcase your skills through projects or contributions to open-source. Having tangible examples of your work can really set you apart from other candidates and demonstrate your hands-on experience.

Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets seen by the right people. Plus, we love hearing from passionate candidates who are eager to join our mission.

We think you need these skills to ace AI Security Engineer

AWS Security Knowledge
IAM
Account Structure
Well-Architected Framework
CloudTrail
GuardDuty
Config

Some tips for your application 🫡

Tailor Your CV: Make sure your CV speaks directly to the role of AI Security Engineer. Highlight your hands-on experience with AWS security and SOC 2 engagements, as these are key for us. Use specific examples that showcase your skills in building and implementing security controls.

Craft a Compelling Cover Letter: Your cover letter is your chance to shine! Tell us why you're passionate about security engineering and how you can contribute to our mission at Orbital. Mention any relevant projects or experiences that align with our focus on real estate transactions and compliance.

Showcase Your Technical Skills: In your application, don’t just list your skills—demonstrate them! Include details about your experience with application-level hardening, penetration testing, and continuous security validation. We want to see how you’ve tackled challenges in the past.

Apply Through Our Website: We encourage you to apply through our website for a smoother process. It helps us keep track of applications and ensures you’re considered for the right role. Plus, it’s a great way to show your enthusiasm for joining our team!

How to prepare for a job interview at Orbital Witness Limited

Know Your AWS Security Inside Out

Make sure you brush up on your AWS security knowledge, especially around IAM, account structure, and the Well-Architected Framework. Be ready to discuss how you've implemented these controls in past roles, as this will show you can hit the ground running.

Demonstrate Hands-On Experience

This role is all about building and implementing security controls, not just advising. Prepare examples of specific projects where you've taken charge of security measures, particularly in a greenfield environment. Highlight your direct involvement in SOC 2 Type II engagements and application-level hardening.

Showcase Your Pen Test Management Skills

Be ready to talk about your experience managing external pen test engagements. Discuss how you've scoped tests, triaged findings, and closed vulnerabilities quickly. This will demonstrate your ability to work collaboratively with external partners while maintaining a strong security posture.

Emphasise Your Ability to Work Independently

The team is looking for someone who can operate with minimal direction. Share instances where you've successfully worked in small teams or independently to achieve security goals. This will reassure them that you can thrive in their fast-paced environment.