Project Brief
We're building out a Model Context Protocol (MCP) infrastructure for a mid-market US software company moving fast into agentic AI. As that system grows — more tools, more agents, more external integrations — the attack surface grows with it. This is a net-new security function: no incumbent, no security team to lean on. You'll own it.
Your primary focus is MCP security: JWT-based authentication, secrets management, prompt injection defense, and tool-use guardrails as the agentic layer expands. Your secondary focus is the broader application security backlog that the client's IT team and senior developers currently absorb ad hoc. You're not working one problem. You're working two, and you'll need to prioritize between them daily.
This isn't an advisory role. You'll be hands-on keyboard, working directly with the client's technical lead and engineering team to make sure the agentic infrastructure is secure from the inside out.
Must-Haves
- Hands-on application security engineering experience — not consulting or auditing only. You identify vulnerabilities, write fixes, run tools, and own the remediation yourself
- JWT token validation and API key management in production — scoped access patterns, token lifecycle, revocation logic
- Authentication and authorization design: OAuth 2.0, API key management, scoped access patterns in production systems
- Secrets management in cloud environments: AWS Secrets Manager, Vault, or equivalent — not just knowing they exist, but owning the implementation
- Experience identifying and mitigating prompt injection, tool misuse, and trust boundary issues in AI/LLM systems — or a strong OWASP Top 10 foundation with demonstrated ability to apply it to new attack surfaces
- Comfortable working as the sole security voice on a team — able to raise concerns diplomatically, hold the line technically, and prioritize a backlog without a security manager above you
- Near-native English — daily async communication with a US-based client team and technical lead
Nice to Have
- WAF and API Gateway configuration experience — both are in the current infrastructure
- Prior exposure to MCP protocol, agentic systems, or LLM-integrated application security
- Experience with security audits on cloud-native infrastructure: AWS IAM, VPC, Security Groups, CloudTrail, GuardDuty
- SAST/DAST tooling: Semgrep, Snyk, Burp Suite, or equivalent
- DevSecOps experience: embedding security gates into CI/CD pipelines
- Relevant certifications: CEH, OSCP, AWS Security Specialty, or equivalent (not required, but a signal)
What You Will Do
- Own the security posture of the MCP infrastructure: define and implement JWT-based authentication, manage secrets, and establish controls for tool-use and agent interactions
- Identify and remediate prompt injection risks, unauthorized tool invocations, and privilege escalation vectors in the agentic layer
- Review and harden AWS infrastructure configurations: IAM policies, VPC rules, secrets exposure, logging and alerting
- Work through the client's existing application security backlog — issues currently handled ad hoc by IT and senior devs that need a permanent, focused owner
- Partner with the engineering team to review new integrations and MCP components before they ship, and establish a repeatable pre-ship security review process
- Document security controls, threat models, and remediation history so the client team can operate independently over time
Why This Could Be Your Next Big Move
- Build security into something genuinely new — MCP-based agentic systems are early enough that most security playbooks don't fully apply yet. You'll be figuring out the right approach in production, not implementing someone else's checklist.
- Direct access, real ownership — Small team. Your decisions matter immediately and are visible to the client's technical lead and the US team daily.
- Two problems, one role — Between securing the MCP build-out and clearing the existing security backlog, you won't be watching dashboards. There's real work in both directions from day one.
- Agentic AI security is the frontier — Production experience securing LLM-based infrastructure is rare. You'll have it before most security engineers have even thought about it.
Benefits & Compensation
- $4000 - $5500/month — paid in USD, bi-weekly via Deel
- US Eastern Time hours (EST) — Monday to Friday, 9:00 AM–6:00 PM EST
- Fully Remote — work from anywhere in Latin America
- Long-term contract — starting with a 6-month contract, with potential to extend
- Paid PTO — accrual begins after 3-month trial period
- Referral Program — earn a bonus for referring talent that gets hired
To Apply
Please send your resume in English.
Include the following depending on your role:
- LinkedIn Profile URL (required)
- GitHub repository, security project, or CTF writeups (optional but encouraged)
- Cover Letter — tell us about a security vulnerability you found and fixed in a production system, and how you approached it without blocking the team's velocity (optional but encouraged)
About OneSeven Tech
OneSeven Tech is an AI-enabled software agency headquartered in Miami, with 9 years building AI-driven digital products for scaling and established companies. We specialize in consulting, designing, and developing ROI-focused solutions across 22 industries — from healthcare and legal to real estate and fintech.
Our multidisciplinary team blends AI strategy, UX/UI, web and mobile engineering, and machine learning to deliver real outcomes. With 101+ successful projects completed and a 4.9/5 client rating, we work as a deeply embedded partner — not just a vendor. We operate as a remote-first organization with a global team and a US-based client portfolio.