Senior Security Analyst, Compliance

About OpenSesame

OpenSesame is the trusted partner for Workforce Reinvention in the age of AI. OpenSesame delivers integrated software, curated and customizable content, and expert services – embedded into existing learning, HR, and work systems – to help organizations expand their human+AI potential and thrive through change.

Learn more: www.opensesame.com/about

About the Role

As a Senior Security Analyst on our Compliance team, you will play a key role in strengthening OpenSesame ’s security posture in a fast-moving, high-growth environment. We’re looking for someone who brings deep technical security expertise, a proactive mindset, and the ability to turn complex risks into practical, scalable solutions.

This role spans vulnerability management, penetration testing, bug bounty operations, cloud and application security, and audit readiness. You’ll partner across Engineering, DevOps, IT, and Compliance to improve security processes, support compliance efforts, and help ensure security is built into how we work, especially as we continue evolving our approach to AI security. We’re looking for proven examples from your career that show you can do this job; that you’ve owned penetration testing programs, built vulnerability management systems, implemented security automation, and helped organizations adopt modern technologies (including AI) securely and responsibly.

You’ll be a strong fit if you’re detail-oriented, collaborative, and excited to build programs that reduce risk, improve visibility, and support safe innovation across the business.

Performance Objectives

Establish Security Ownership & Technical Depth (0–6 Months)

• Develop a comprehensive view of OpenSesame ’s external attack surface, vulnerabilities, and threat landscape — integrating signals from CrowdStrike, cloud environments (AWS, GCP), and application security tooling.
• Own external penetration testing engagements end-to-end — including vendor selection, scope design, execution oversight, remediation validation, and executive reporting.
• Build and operationalize a structured vulnerability management program — partnering with DevOps, Engineering, and IT to prioritize and remediate risk effectively.
• Stand up scalable evidence collection and control mapping workflows in Drata — improving audit readiness and reducing manual effort.
• Establish strong cross-functional relationships to embed security into engineering, infrastructure, and IT workflows from the outset.

Operationalize Continuous & AI-Aware Security (6–12 Months)

• Design and implement a continuous penetration testing program that complements annual third-party testing — leveraging automation, threat modeling, and targeted validation.
• Own and mature the bug bounty program — improving signal quality, triage processes, researcher engagement, and remediation w