TracPlus provides mission-critical tracking, analytics, and operational intelligence for aerial firefighting, emergency response, utilities, law enforcement, and specialist aviation operators globally. Our technology is essential for managing some of the most complex, high-risk operations where safety, accountability, and performance are paramount.

TracPlus develops telemetry and data solutions that enhance the safety and efficiency of wildfire-fighting organizations. As the only commercial provider of integrated aircraft tracking solutions for wildfires, TracPlus integrates multiple data streams and asset types into a unified view for mission-critical operations. Using a powerful, cloud-based platform, TracPlus enables customers to track, manage, and communicate with land, maritime, and aviation assets to ensure safety, optimal resource use, and coordination. Trusted by first responders, government agencies, and militaries worldwide, TracPlus has been a key player in major global disaster responses over the past five years.

We're looking for a Security Engineer to own security across our platform—ensuring that what we build is secure by design, our pipelines are defended at every stage, and our engineers have the knowledge and tooling to build safely.

About the Role

Based in our Auckland CBD office, you'll take primary ownership of platform security—securing what we build, how we build it, and the infrastructure it runs on. You'll also play a supporting advisory role in operational security across the wider business.

This is not a governance or compliance role. It requires a technically strong engineer who has built genuine security expertise: someone who can read code, write automation, engage in architecture discussions, and track an evolving threat landscape—including how AI is reshaping the risk environment. Security is foundational to what we're building, and you'll be the person who makes sure it stays that way.

What You'll Do

Define and embed security requirements at the start of delivery work—in sprint planning, design documents, and acceptance criteria—not at the end. Participate in architecture reviews and threat modelling sessions, applying structured approaches such as STRIDE to surface risks early. Conduct security reviews across backend services (C#/.NET), frontend (React/TypeScript), APIs, and data pipelines. Maintain and improve security tooling across our GitHub Actions pipeline: SAST, SCA, secrets detection, container scanning, and DAST. Apply GCP security controls across the platform: IAM, VPC configuration, Security Command Center, logging, and KMS. Own the vulnerability management process—triage findings, prioritise by risk, and drive remediation to closure with engineering teams. Assess AI-specific security risks including prompt injection, adversarial inputs, and vulnerabilities introduced through AI-assisted development. Monitor security alerts, participate in incident response, and contribute to post-mortems and remediation. Own platform-side compliance delivery for ISO 27001 and SOC 2-gap analysis, technical controls, evidence gathering, and audit readiness. Advise and facilitate the wider business on operational security requirements, helping others execute what needs to be in place.

What Success Looks Like

• Security is designed in from the start—requirements are clear before work begins and automated defences run at every stage of the pipeline.
• Vulnerabilities are triaged, prioritised, and remediated at a pace that reflects actual risk. Engineers trust you as a resource, not a blocker—and build more securely as a result.
• Platform compliance obligations for ISO 27001 and SOC 2 are met as a natural output of doing the work well.
• The security programme matures alongside the platform, and your scope and influence grows with it.

What You Bring

• 3–4+ years of dedicated security experience, with a background in software engineering, DevOps, or infrastructure.
• Ability to read and write code—scripting (Python, Bash, or Go) is essential; familiarity with application code (C# or equivalent) is a strong advantage.
• Solid understanding of application security fundamentals: OWASP Top 10, common vulnerability classes, and secure development lifecycle practices.
• Hands-on experience with cloud security (GCP, AWS, or Azure): IAM, network security, logging, and key management.
• Practical experience with security tooling in CI/CD pipelines and working knowledge of Kubernetes and container security.
• Awareness of AI security risks and the implications of AI-assisted software development. Exposure to ISO 27001, SOC 2, or similar compliance frameworks.
• Strong communication skills—able to make security findings clear to developers and non-technical stakeholders alike.

Preferred Qualifications

• Certification or Equivalent Knowledge: Security+, AWS/GCP Security, or OSCP certifications (or equivalent hands-on experience).
• Audit & Compliance Support: Experience contributing to the technical controls needed for ISO 27001 or SOC 2 programs.
• Modern DevSecOps Tooling: Exposure to Pulumi (or similar IaC frameworks) and policy-as-code concepts (like OPA/Rego).
• Practical Defense or Research: Experience with SIEM/detection engineering, or an active interest in personal security research (CTFs, bug bounties).
• Supply Chain Security: Familiarity with software supply chain security practices, including SBOM generation.
• Regulated Industries: Background working within safety-critical, regulated, or government-facing tech environments.

Why Join TracPlus?

• Meaningful work securing systems that are active during real emergencies. The stakes are not theoretical.
• A global business operating in mission-critical, high-impact environments.
• A small, high-performing team where your contribution is visible and valued.
• Clear domain ownership with support and strategic direction from the CTO and Engineering Manager.
• A role with genuine growth potential as the security programme matures.

Apply now and be part of a mission that matters.