Security Engineer

Phinomenon is built by browser and cloud veterans — our founders behind FydeOS (a Chromium-based OS trusted by millions) and QingCloud (one of China's earliest API-first IaaS platforms founded in 2012). Fresh off a healthy, eight‑figure Series A raise, we've got the cash runway one needs to dream big without panicking about next week's payroll. With folks working from San Francisco, London, Beijing, Shanghai and Shenzhen, we're proudly global and friendly to your time zone, with overlapping hours so we can all actually talk. We ship fast and ship hard — but burnout is so last decade, so we bake in wellness stipends, mandatory recharge days and flexible schedules, because great code comes from healthy lives. If you want to build the nextgen browser that actually, you know, gets you — while still enjoying your evenings and maintaining upright posture — welcome home.

As a Security Engineer at Phinomenon, you'll lead the charge on browser security: threat modeling, sandboxing, encryption, secure coding, incident response — the whole works. Your job is to ensure no hacker, malicious extension, or rogue network can compromise users' data or privacy as they interact with AI-powered features. You'll work closely with our C++, frontend, and cloud teams to build a defense-in-depth architecture that scales globally.

• Define and enforce browser security architecture, including sandboxing, site isolation, CSP, and secure IPC
• Threat model key components (rendering engine, extensions, AI integrations, network layers)
• Implement and maintain secure storage/encryption for user profiles and sensitive data
• Integrate security into the development lifecycle—conduct code reviews, static/dynamic analysis, security testing
• Monitor, detect, and respond to security incidents or suspicious behaviour across platforms
• Audit and harden dependencies, third-party libraries, browser extensions, and APIs
• Collaborate with C/C++, frontend, and backend teams to remediate vulnerabilities
• Build tooling and automation for penetration testing, fuzzing, and continuous security validation

• 4+ years in application or browser security engineering, systems security, or related fields
• Strong understanding of browser security features: sandbox, CSP, site isolation, extension security
• Experience threat modeling and implementing defense-in-depth architectures
• Proficient in secure coding practices (C/C++, Swift, JS), static analysis, and code review
• Hands-on experience with encryption, secure storage mechanisms, key management, TLS/PKI
• Skilled in dynamic testing: fuzzing, penetration tests, CI/CD security pipelines
• Incident response experience: triage, root cause, mitigation
• Excellent collaboration skills and comfort guiding developers toward secure implementations

• Experience working directly on Chromium or Blink/WebKit security layers
• Background in extension security or mitigating man-in-the-browser and extension threats
• Familiarity with browser profile security and privacy hardening
• Knowledge of networking and protocol security (TLS, DNS, QUIC)
• Certifications like OSCP, CISSP, or similar professional security credentials