The Role

The Senior Software Engineer - Browser Extensions will own the architecture and implementation of Securly's onboard filtering engine — building a local policy cache and real-time filtering decision engine inside the Chrome extension that moves filtering decisions on-device, improving speed, reliability, and bypass resistance for millions of students on Chromebooks.

You will design and build the system that eliminates the cloud round-trip for 80% of filtering decisions: a local policy cache with delta sync, a filtering decision engine running inside the MV3 service worker, and the bypass prevention layer that ensures the security model is not exploitable.

At L5, this role carries additional strategic weight. Google's Filter and Monitor platform shift is moving ChromeOS toward native Content Filtering APIs and away from browser extensions as the primary enforcement point. You will track this transition, evaluate its implications for Securly's extension strategy, and surface architectural recommendations — not just implement the current plan.

What You'll Do

• Own the architecture of the onboard filtering engine: local policy cache, delta sync protocol, filtering decision engine, and bypass prevention layer.
• Architect and implement the local policy cache: delta sync protocol, TTL management, cache invalidation logic, and graceful cloud fallback.
• Build the onboard filtering decision engine in the MV3 service worker: domain matching, URL categorization, iframe detection using DOM context, and allow/block decisions.
• Implement and harden bypass prevention: same-origin policy, CSP, CORS, iframe sandboxing, content script/page context boundaries, and timing-based attack vectors.
• Track Google's Filter and Monitor platform evolution (ChromeOS Content Filtering APIs); write architectural memos evaluating implications for Securly's extension strategy.
• Lead the transition and implementation of new filtering features using TypeScript and modern JavaScript within the MV3 framework.
• Optimize extension performance to add negligible latency on consumer-grade student Chromebook hardware; define and enforce performance budgets.
• Mentor Ashish M (L4) and new extension hires: substantive code reviews, pair on security model design, drive team understanding of bypass threat vectors.
• Manage chrome.storage.local within platform limits; evaluate IndexedDB for policy cache requirements that exceed those limits.

Skills & Requirements

Who You Are

• You know how browsers actually work — not just the APIs, but the security model, the process model, and the specific ways students try to break it.
• You have shipped production Chrome extensions at scale and know what service worker memory management means on a 4GB Chromebook.
• You track platform shifts (Google F&M, ChromeOS Content Filtering API) and understand what they mean for your system's architecture.
• You produce written artifacts (ADRs, threat models, platform memos) that document your reasoning for the team and for leadership.
• You write TypeScript that other senior engineers learn from, and your code reviews raise the floor for the engineers around you.

What It Means to Be L5 at Securly

L5 at Securly is a Staff Engineer. You are the technical owner, not just an implementer.

• Drive technical direction for your initiative end-to-end: from architecture to production, with minimal oversight from your engineering manager.
• Identify and resolve ambiguity in requirements, system boundaries, and design tradeoffs without waiting for a fully-formed spec.
• Mentor L3/L4 engineers on the team: code reviews, design feedback, pairing, and raising the bar for what production-quality work looks like.
• Partner with your L6 technical lead and the Distinguished Engineer on architectural decisions, surfacing tradeoffs clearly rather than deferring them upward.
• Contribute to cross-team engineering standards: you are expected to influence practices beyond your immediate squad.
• Translate technical context into clear written artifacts that non-engineers (PM, Support, Leadership) can act on.
• Participate in on-call rotation and own the full incident lifecycle for your system: detection, diagnosis, resolution, and retrospective.

About Securly

Benefits

The Role

The Senior SDET - Browser & Extension Testing will own test strategy, quality architecture, and the automated regression infrastructure for Securly's onboard filtering project — building the test systems that ensure a safety-critical Chrome extension works correctly for millions of students and keeps working through every browser update and policy change.

The onboard filtering project is a high-risk architecture change to a widely-deployed extension. A regression in allow/block decision logic, cache invalidation, or bypass prevention could expose students to inappropriate content or disrupt school operations. The test infrastructure you build is the last line of defense before production.

At L5, this is an engineering leadership role, not a QA role. You will define what 'production-ready' means for a safety-critical student product, enforce that standard through CI/CD quality gates, and contribute to extension development directly.

What You'll Do

• Define what 'passing' means for the onboard filtering project: establish written quality criteria covering correctness, security, and performance that gate production releases.
• Design and implement automated test suites covering block/allow decisions, iframe handling, cache invalidation, TTL expiry, fallback behavior, and filtering decision engine edge cases.
• Build CI/CD quality gates that prevent regressions from reaching production; own the pipeline configuration and ensure the quality bar is enforced, not advisory.
• Model bypass threats systematically: document how students exploit timing windows, iframes, DOM manipulation, redirect chains, and DNS TTL behavior — then build automated tests that catch those bypasses.
• Measure and establish written performance baselines: page load latency impact, service worker memory usage, cache sync overhead across realistic Chromebook hardware profiles.
• Contribute to Chrome extension development work in TypeScript/JavaScript alongside test responsibilities.
• Serve as the team's expert on bypass threat modeling: your analysis of how students circumvent filtering is an input to the implementation team's architecture decisions.
• Mentor engineers on test architecture as a first-class discipline.

Skills & Requirements

Who You Are

• You think like an attacker when writing tests — you do not test the happy path and call it done. You document attack vectors so the implementation team designs against them.
• You have shipped production Chrome extensions and built the test infrastructure around them. You know both sides of the work.
• You treat test architecture as a first-class engineering discipline. A feature without a regression suite is not finished.
• You define what 'quality' means on a safety-critical product and produce written criteria that hold the codebase to that standard.
• You contribute to development, not just testing — this is an L5 engineering role, and your TypeScript ships alongside your test suites.
• Your bypass threat model documents are used by the implementation team to make better architecture decisions.

What It Means to Be L5 at Securly

L5 at Securly is a Staff Engineer. You are the technical owner, not just an implementer.

• Drive technical direction for your initiative end-to-end: from architecture to production, with minimal oversight from your engineering manager.
• Identify and resolve ambiguity in requirements, system boundaries, and design tradeoffs without waiting for a fully-formed spec.
• Mentor L3/L4 engineers on the team: code reviews, design feedback, pairing, and raising the bar for what production-quality work looks like.
• Partner with your L6 technical lead and the Distinguished Engineer on architectural decisions, surfacing tradeoffs clearly rather than deferring them upward.
• Contribute to cross-team engineering standards: you are expected to influence practices beyond your immediate squad.
• Translate technical context into clear written artifacts that non-engineers (PM, Support, Leadership) can act on.
• Participate in on-call rotation and own the full incident lifecycle for your system: detection, diagnosis, resolution, and retrospective.

About Securly

Benefits

The Role

As a Senior Software Engineer (GO) - DNS & Network Systems, you will own the architecture and delivery of Securly's DNS-over-HTTPS (DoH) resolver — a production-grade, identity-aware DNS service that enforces filtering policy at the browser and OS level for millions of students on managed Chromebooks.

This is a critical infrastructure role at the intersection of DNS, identity, and network security. You will design and build a high-performance DoH resolver in Go that extracts device and user identity from Chrome enterprise policy URL templates and integrates with Securly's DNS policy engine and Redis infrastructure. You own the full lifecycle: architecture, implementation, TLS configuration, and production deployment on AWS.

This role is the technical foundation of a potential simplification of Securly's SmartPAC identity architecture. Done well, it could collapse significant DNS-RPC signaling complexity (DID/cookie system, IP fusing, brokering state) that has been a source of reliability issues. The scope of that architectural decision will evolve with the POC, and you will be the engineer best positioned to inform it.

What You'll Do

• Architect and build a production-grade DoH resolver in Go, integrated with Securly's DNS policy engine and Unbound infrastructure.
• Implement identity extraction from Chrome's DnsOverHttpsTemplatesWithIdentifiers URL template variables — mapping encrypted DNS queries to device and user identity, and evaluate the degree to which this approach can replace SmartPAC DNS-RPC signaling.
• Build an Unbound plugin with filtering business logic to process DoH queries with identity parameters from the URL template.
• Integrate with Redis infrastructure for policy lookups, identity mapping, state management, and feature flags; document failure modes and define graceful degradation behavior.
• Own TLS termination: certificate provisioning, renewal, and ensuring Chrome correctly validates the DoH endpoint certificate.
• Architect and own the CloudFormation deployment stack: NLB, Auto Scaling Groups, Route53.
• Lead the POC and production hardening phases in collaboration with Securly's Distinguished Engineer; produce a written ADR capturing tradeoffs and the go/no-go recommendation after POC.
• Mentor junior engineers on DNS fundamentals, Go patterns, and infrastructure-as-code practices.
• Document the new architecture and own knowledge transfer as the system transitions.

Skills & Requirements

Who You Are

• You think in protocols. DNS, TLS, HTTP/2 — you know what happens at the wire level and find that interesting, not painful.
• You are comfortable owning a project end to end: from research and POC through production hardening and deployment, without being handed a spec.
• You write Go that other senior engineers want to read. Idiomatic, tested, observable.
• You have worked on infrastructure other products depend on and understand what production ownership actually means.
• You produce written artifacts (ADRs, position papers, risk registers) to anchor ambiguous decisions rather than leaving them implicit.
• You make other engineers better. Your code reviews are substantive, your design feedback is specific.

What It Means to Be L5 at Securly

L5 at Securly is a Staff Engineer. You are the technical owner, not just an implementer.

• Drive technical direction for your initiative end-to-end: from architecture to production, with minimal oversight from your engineering manager.
• Identify and resolve ambiguity in requirements, system boundaries, and design tradeoffs without waiting for a fully-formed spec.
• Mentor L3/L4 engineers on the team: code reviews, design feedback, pairing, and raising the bar for what production-quality work looks like.
• Partner with your L6 technical lead and the Distinguished Engineer on architectural decisions, surfacing tradeoffs clearly rather than deferring them upward.
• Contribute to cross-team engineering standards: you are expected to influence practices beyond your immediate squad.
• Translate technical context into clear written artifacts that non-engineers (PM, Support, Leadership) can act on.
• Participate in on-call rotation and own the full incident lifecycle for your system: detection, diagnosis, resolution, and retrospective.

About Securly

Benefits

The Role

The Senior Software Engineer (Rust) - Proxy Services will own the conversion of Securly's web filtering proxy business logic from C++ to production Rust — maintaining behavioral parity across a high-throughput proxy that handles HTTP/HTTPS traffic for millions of students daily.

A modern, memory-safe Rust proxy is already underway at Securly. When you join, the initial Rust proxy is in production and your mission is the next phase: integrating and converting the existing C++ business logic into production Rust. This means reading C++, reasoning about behavior, and re-implementing it correctly — including HTTPS tunneling, TLS interception, JavaScript injection into HTML responses (the ACP-48 shim pattern), and Redis-based policy lookups. Precision and behavioral correctness are non-negotiable.

At L5, you are not just a skilled implementer. You own the conversion strategy, define the phasing and testing approach, surface architectural risks to the L6 lead, and raise the Rust competency of the broader proxy team.

What You'll Do

• Own the C++ to Rust conversion strategy: define the porting sequence, identify behavioral risks, and establish the testing approach that gives confidence in parity before cutover.
• Read, debug, and deeply understand existing C++ proxy business logic, then port it to production Rust with full behavioral parity.
• Build and maintain forward proxy operations: HTTPS CONNECT tunneling, TLS interception, HTTP/1.1 and HTTP/2, header manipulation, connection pooling.
• Implement JavaScript content script injection into HTML responses (ACP-48 shim pattern) — enabling proxy-side injection for customers not served by the Chrome extension.
• Integrate Redis-based real-time policy lookups; handle Redis failure modes gracefully; document degraded-mode behavior and validate it under load.
• Profile and benchmark proxy performance under high-concurrency load; use flame graphs to validate changes; maintain a written performance baseline document.
• Identify gaps in the existing C++ codebase where behavior is unclear or likely incorrect — treating the port as an opportunity to improve, not just replicate.
• Mentor junior Rust engineers on ownership models, async patterns, and systems-level debugging.
• Collaborate closely with the Proxy Hardening engineer on shared infrastructure and production issues.

Skills & Requirements

Who You Are

• You are the engineer who reads crash dumps for fun. Memory safety, ownership models, and undefined behavior are topics you have strong opinions about.
• You have ported or rewritten production systems before and understand that behavioral parity is significantly harder than it appears.
• You can navigate a large legacy C++ codebase without documentation. You treat it as archaeology, not an obstacle.
• You take correctness seriously — you do not ship a port until you are confident it behaves identically to what it replaced, and you have the test coverage to prove it.
• You define the plan, not just execute it. You produce written conversion strategies, risk registers, and performance baseline documents.
• You make other engineers better. You are sought out for Rust code reviews and junior engineers ship better code after working with you.

What It Means to Be L5 at Securly

L5 at Securly is a Staff Engineer. You are the technical owner, not just an implementer.

• Drive technical direction for your initiative end-to-end: from architecture to production, with minimal oversight from your engineering manager.
• Identify and resolve ambiguity in requirements, system boundaries, and design tradeoffs without waiting for a fully-formed spec.
• Mentor L3/L4 engineers on the team: code reviews, design feedback, pairing, and raising the bar for what production-quality work looks like.
• Partner with your L6 technical lead and the Distinguished Engineer on architectural decisions, surfacing tradeoffs clearly rather than deferring them upward.
• Contribute to cross-team engineering standards: you are expected to influence practices beyond your immediate squad.
• Translate technical context into clear written artifacts that non-engineers (PM, Support, Leadership) can act on.
• Participate in on-call rotation and own the full incident lifecycle for your system: detection, diagnosis, resolution, and retrospective.

About Securly

Benefits

The Role

The Senior Software Engineer (Rust) - Proxy Infrastructure will own production hardening, performance validation, and infrastructure operations for Securly's Rust web filtering proxy — establishing the reliability and scalability baseline that millions of students depend on, and owning the on-premise Docker proxy appliance for school network environments.

Your mission is to ensure the proxy performs, scales, and deploys reliably in production. You will own canary rollout configuration, CloudFormation-based scaling infrastructure, load testing strategy, and performance baseline definition. You will also own the on-premise Docker appliance — a lightweight Rust proxy deployed in school network environments that intercepts TCP traffic and prepends identity headers.

At L5, this is not purely an infra-execution role. You are expected to identify systemic reliability risks in the proxy stack and propose architectural mitigations, not just react to incidents. You define what 'production-ready' means and enforce that bar.

What You'll Do

• Define what 'production-ready' means for the Rust proxy: establish written performance baselines, reliability criteria, and the specific metrics that trigger a rollback vs. a hotfix.
• Design and execute load tests to identify performance bottlenecks; profile memory and CPU under peak and sustained load; produce baseline documents the team references across deployments.
• Own canary rollout configuration and CloudFormation-based ASG scaling policies — modify templates, configure health checks, tune scaling behavior; document every configuration decision with rationale.
• Identify and propose mitigations for known proxy infrastructure risk areas including Redis behavior under peak throughput, CORS/proxy transparency edge cases, and connection pool exhaustion.
• Maintain and harden the on-premise Docker proxy appliance — image builds, container networking, minimal image design, and distribution to school network environments.
• Investigate and resolve production performance issues under peak load; produce written post-mortems that close the loop on root cause.
• Build monitoring, dashboards, and alerting for proxy infrastructure (CloudWatch, Splunk); define SLO targets and ensure alerting is calibrated to them.
• Contribute to C++ to Rust business logic conversion work alongside the Proxy Conversion engineer.
• Support TCP stream handling and socket-level work for the on-premise appliance: bidirectional forwarding, port interception, identity header injection.

Skills & Requirements

Who You Are

• You take performance personally — you do not accept 'probably fast enough.' You profile, you measure, you prove it — and then you write it down.
• You have owned production infrastructure and understand that canary rollouts, health checks, and scaling policies are not afterthoughts — they are the job.
• You are comfortable in the systems layer: TCP streams, socket programming, and container networking are familiar territory.
• You identify systemic risks before they become incidents. You advocate for reliability improvements over tactical fixes.
• You produce written artifacts — post-mortems, baseline documents, SLO definitions — that outlast any individual incident or sprint.
• You operate well in an environment where production stability is a shared responsibility and on-call is part of the role.

What It Means to Be L5 at Securly

L5 at Securly is a Staff Engineer. You are the technical owner, not just an implementer.

• Drive technical direction for your initiative end-to-end: from architecture to production, with minimal oversight from your engineering manager.
• Identify and resolve ambiguity in requirements, system boundaries, and design tradeoffs without waiting for a fully-formed spec.
• Mentor L3/L4 engineers on the team: code reviews, design feedback, pairing, and raising the bar for what production-quality work looks like.
• Partner with your L6 technical lead and the Distinguished Engineer on architectural decisions, surfacing tradeoffs clearly rather than deferring them upward.
• Contribute to cross-team engineering standards: you are expected to influence practices beyond your immediate squad.
• Translate technical context into clear written artifacts that non-engineers (PM, Support, Leadership) can act on.
• Participate in on-call rotation and own the full incident lifecycle for your system: detection, diagnosis, resolution, and retrospective.

About Securly

Benefits

The Role

Lead the maturation of Securly's content classification system — building the ML infrastructure that determines, at scale, whether web content is appropriate for K-12 students, and establishing the rigorous evaluation framework that product and leadership teams depend on.

This is applied ML with direct student safety impact — not research. You will lead a significant uplift of Securly's classification models: refactoring binary models to proper multiclass classification, building labeled evaluation datasets, and producing standardized model cards with per-category precision, recall, F1, and confusion matrix analysis.

At L5, you are the technical leader of the data science function for content safety. You will define the evaluation methodology the team follows, set the standard for what a model card must contain before a model ships, mentor the team on applied ML rigor, and serve as the interface between data science and engineering on production integration constraints.

What It Means to Be L5 at Securly

L5 at Securly is a Staff Engineer. You are the technical owner, not just an implementer.

• Drive technical direction for your initiative end-to-end: from architecture to production, with minimal oversight from your engineering manager.
• Identify and resolve ambiguity in requirements, system boundaries, and design tradeoffs without waiting for a fully-formed spec.
• Mentor L3/L4 engineers on the team: code reviews, design feedback, pairing, and raising the bar for what production-quality work looks like.
• Partner with your L6 technical lead and the Distinguished Engineer on architectural decisions, surfacing tradeoffs clearly rather than deferring them upward.
• Contribute to cross-team engineering standards: you are expected to influence practices beyond your immediate squad.
• Translate technical context into clear written artifacts that non-engineers (PM, Support, Leadership) can act on.
• Participate in on-call rotation and own the full incident lifecycle for your system: detection, diagnosis, resolution, and retrospective.

What You'll Do

• Define the evaluation methodology for content classification at Securly: establish what a model card must contain and hold every model release to that standard before it ships.
• Lead the multiclass refactor of Securly's content classification models: redesign binary models to handle multi-label, multi-class content categories (Adult Content, Violence, Self-Harm, Social Media, and others).
• Build and maintain labeled evaluation datasets with robust annotation workflows; address class imbalance and label noise systematically; document dataset curation decisions in a versioned data card.
• Connect offline evaluation to production monitoring — surface classification drift and error patterns before they become customer-facing issues.
• Investigate and resolve misclassification errors: false positives (over-blocking) and false negatives (under-blocking); produce written root cause analyses.
• Build and maintain training data pipelines: ingestion, cleaning, labeling, and versioning at scale.
• Mentor the existing AI team on evaluation methodology, model development practices, and data science communication rigor.
• Communicate precision/recall tradeoffs to product managers and engineers; produce executive-level summaries of classification quality for leadership.
• Collaborate with engineering to integrate model outputs into the production filtering stack with appropriate latency and reliability constraints.
• Research and prototype improvements: feature representations, model architectures, active learning for label efficiency, domain adaptation for emerging content categories.

Skills & Requirements

Who You Are

• You have shipped ML models to production and lived with the consequences — you know what model drift looks like and how to catch it before it becomes a customer issue.
• You treat evaluation as a first-class engineering artifact. A model without a model card is not finished — and you set and enforce that standard for the team.
• You define the methodology, not just apply it. You produce the evaluation framework that other data scientists use, and you hold them to it.
• You can communicate precision/recall tradeoffs to a product manager and to a senior engineer in the same conversation, calibrated to each audience.
• You are energized by problems with real stakes: a false negative in Self-Harm classification is not an acceptable error rate.
• You mentor by example and by expectation: your code, your analysis, and your documentation set the standard.

About Securly

Benefits

The Role

The Senior Data Scientist will lead the maturation of Securly's content classification system — building the ML infrastructure that determines, at scale, whether web content is appropriate for K-12 students, and establishing the rigorous evaluation framework that product and leadership teams depend on.

This is applied ML with direct student safety impact — not research. You will lead a significant uplift of Securly's classification models: refactoring binary models to proper multiclass classification, building labeled evaluation datasets, and producing standardized model cards with per-category precision, recall, F1, and confusion matrix analysis.

At L5, you are the technical leader of the data science function for content safety. You will define the evaluation methodology the team follows, set the standard for what a model card must contain before a model ships, mentor the team on applied ML rigor, and serve as the interface between data science and engineering on production integration constraints.

What It Means to Be L5 at Securly

L5 at Securly is a Staff Engineer. You are the technical owner, not just an implementer.

• Drive technical direction for your initiative end-to-end: from architecture to production, with minimal oversight from your engineering manager.
• Identify and resolve ambiguity in requirements, system boundaries, and design tradeoffs without waiting for a fully-formed spec.
• Mentor L3/L4 engineers on the team: code reviews, design feedback, pairing, and raising the bar for what production-quality work looks like.
• Partner with your L6 technical lead and the Distinguished Engineer on architectural decisions, surfacing tradeoffs clearly rather than deferring them upward.
• Contribute to cross-team engineering standards: you are expected to influence practices beyond your immediate squad.
• Translate technical context into clear written artifacts that non-engineers (PM, Support, Leadership) can act on.
• Participate in on-call rotation and own the full incident lifecycle for your system: detection, diagnosis, resolution, and retrospective.

What You'll Do

• Define the evaluation methodology for content classification at Securly: establish what a model card must contain and hold every model release to that standard before it ships.
• Lead the multiclass refactor of Securly's content classification models: redesign binary models to handle multi-label, multi-class content categories (Adult Content, Violence, Self-Harm, Social Media, and others).
• Build and maintain labeled evaluation datasets with robust annotation workflows; address class imbalance and label noise systematically; document dataset curation decisions in a versioned data card.
• Connect offline evaluation to production monitoring — surface classification drift and error patterns before they become customer-facing issues.
• Investigate and resolve misclassification errors: false positives (over-blocking) and false negatives (under-blocking); produce written root cause analyses.
• Build and maintain training data pipelines: ingestion, cleaning, labeling, and versioning at scale.
• Mentor the existing AI team on evaluation methodology, model development practices, and data science communication rigor.
• Communicate precision/recall tradeoffs to product managers and engineers; produce executive-level summaries of classification quality for leadership.
• Collaborate with engineering to integrate model outputs into the production filtering stack with appropriate latency and reliability constraints.
• Research and prototype improvements: feature representations, model architectures, active learning for label efficiency, domain adaptation for emerging content categories.

Skills & Requirements

Who You Are

• You have shipped ML models to production and lived with the consequences — you know what model drift looks like and how to catch it before it becomes a customer issue.
• You treat evaluation as a first-class engineering artifact. A model without a model card is not finished — and you set and enforce that standard for the team.
• You define the methodology, not just apply it. You produce the evaluation framework that other data scientists use, and you hold them to it.
• You can communicate precision/recall tradeoffs to a product manager and to a senior engineer in the same conversation, calibrated to each audience.
• You are energized by problems with real stakes: a false negative in Self-Harm classification is not an acceptable error rate.
• You mentor by example and by expectation: your code, your analysis, and your documentation set the standard.

About Securly

Benefits