Information Systems Security Engineer

Merlin Labs
Merlin Labs

Boston, MA, USA

Posted on Jul 9, 2026
About Merlin:
Merlin is a venture backed aerospace startup building a non-human pilot to enable both reduced crew and uncrewed flight. Backed by some of the world’s leading investors, Merlin is scaling alongside our customers to begin leveraging autonomy today to solve some of aviation’s biggest challenges.

About you:

    You have spent years working inside the DoD ecosystem and you know what program security actually looks like. You have sat in customer meetings where security requirements get argued over, built authorization packages that survived an assessor, and spent enough time with systems developers and government security reps to know that the best security engineers are the ones who show up before the design is finalized. You approach security as a systems problem and you bring the technical depth to back it up.

    Merlin Labs builds autonomous aviation systems for demanding defense customers, and we are looking for a security engineer who wants to help us do that correctly. You will be working alongside engineers who care about getting this right, interfacing with government customers directly, and shaping how security engineering gets done at a company that is growing fast and taking on more complex programs. If that is the kind of ownership you are looking for, this is the role.

Responsibilities:

  • Apply systems security engineering methods across the architecture, design, evaluation, and integration of Merlin's defense programs and products, working alongside engineering teams to embed security requirements early rather than retrofitting them once a system is built.

  • Support RMF accreditation and authorization activities for supported programs, including categorization, controls selection and implementation, security assessment, and body of evidence package development through all required RMF steps.

  • Engage with government customers and their security representatives to define, document, and implement security protection requirements with the technical rigor and fidelity that DoD authorization demands.

  • Apply and verify DISA SRGs and STIGs across program environments, and maintain the configuration management processes that keep systems compliant as they evolve through their operational lifecycle.

  • Conduct vulnerability assessments using tools such as Tenable NESSUS and ACAS, coordinate remediation with engineering teams, and manage the ongoing security posture of supported systems.

  • Evaluate and advise on the selection of COTS, GOTS, and open-source tools entering the program environment, following DoD-approved software approval processes and ensuring security implications are understood before adoption.

  • Support DevSecOps security integration by bringing defense-grade practices into our CI/CD pipeline, including static application security testing and security-gated build processes for government-facing deliverables.

Qualifications:

  • Bachelor's degree with 5 years of cybersecurity experience on DoD or government programs.

  • Direct experience with RMF accreditation and authorization, including body of evidence package development and working with government ISSOs, SCAs, or authorizing official representatives through the authorization lifecycle.

  • Hands-on experience applying DISA SRGs and STIGs and conducting vulnerability assessments with tools such as Tenable NESSUS, ACAS, or SCC.

  • Active clearance. TS preferred.

Nice to Have:

  • Experience with government and commercial security tooling and security integration in a DevSecOps environment, or equivalent tools used in a defense or government program context.

  • Familiarity with SIEM platforms and development of detection rulesets and dashboards in a defense program or enterprise security context.

  • Background in aerospace, aviation, autonomous systems, or another safety-critical engineering domain where security and reliability requirements intersect.

This position is based on-site at Merlin HQ in Boston, MA.
Once you’re here, you’ll enjoy a variety of on-site perks designed to make your workday enjoyable and convenient. These include catered lunches featuring a rotating menu of delicious options, an assortment of snacks to keep you fueled throughout the day, and a selection of beverages, including coffee, tea, and other drinks, to keep you refreshed.
Our goal is to create an environment where you can thrive both professionally and personally
Merlin Labs offers an innovative, entrepreneurial, and team-focused startup environment. We also offer a top-notch benefits package (health, dental, life, unlimited vacation, and 401k with match) and work/life integration. Being part of the Merlin team allows you to become part of a small team that supports professional development while working together to achieve our mission.
Merlin Labs is an equal opportunity employer and values diversity. We do not discriminate on the basis of race, religion, color, national origin, genetic information, sex (including pregnancy), gender, gender identity and expression, sexual orientation, age, marital status, military service or obligation or disability status, or any other characteristic protected by law. All job offers are contingent upon the candidate passing background and reference checks.
At this time, we are unable to provide visa sponsorship or consider candidates who require visa transfers. Applicants must be authorized to work in the United States without the need for visa sponsorship now or in the future.
In compliance with federal law, all persons hired will be required to verify identity and eligibility to work in the United States and to complete the required employment eligibility verification form upon hire.
If you require reasonable accommodation in completing an application, interviewing, completing any pre-employment testing, or otherwise participating in the employee selection process, please direct your inquiries to: people@merlinlabs.com
Merlin Labs does not accept unsolicited resumes from any source other than directly from candidates.