Sr Lead Security Engineer

• Perform and lead hardware and firmware security evaluations using techniques such as source code review, fault injection, and side-channel analysis to validate product security posture.
• Understand and analyze complex hardware and firmware designs, locating weaknesses and vulnerabilities in AMD and Intel server platforms, network and DMZ devices, laptops, and IoT devices. Perform firmware security analysis and hardware bill of materials (BOM) content security analysis to identify supply chain risks and unauthorized modifications.
• Detect Indicators of Compromise (IOCs) in firmware and hardware components across the enterprise infrastructure. Advise internal product teams through critical parts of their lifecycle management, providing detailed security assessment reports and remediation guidance.
• Coach and mentor colleagues to grow as security evaluators and architects within the hardware security domain. Apply critical thinking to distinguish security-critical issues from lower-priority findings and communicate risk effectively to stakeholders.
• Drive internal research and development of new attack methodologies, security testing tools, and evaluation frameworks to advance the firm's hardware security capabilities. Collaborate with cross-functional teams including product delivery managers, security engineers, and other stakeholders to translate security requirements into technical designs.
• Ensure alignment of hardware and firmware security architecture with business goals, regulatory requirements, and industry certification standards (e.g., Common Criteria, EMVCo).
• Uses enterprise-authorized AI capabilities within the work environment to accelerate security risk analysis and documentation (e.g., synthesizing threat assessments), validating outputs and ensuring sensitive data is handled appropriately.
• Applies reuse-first, AI-assisted practices within SDLC/toolchain routines to strengthen security testing and control validation, ensuring traceability/auditability and alignment to resiliency and security expectations

• Formal training or certification with 5+ years of applied experience in hardware or firmware security evaluation.

• Proven experience in Common Criteria (CC) projects, preferably as an evaluator, or as a security consultant or developer of secure embedded products.

• Track record in CC or equivalent security evaluation projects involving ICs, server platforms, operating systems, TEE (Trusted Execution Environments), network devices, or IoT devices.

• Proficiency in programming languages relevant to hardware and firmware security (e.g., C, Python, Assembly, VHDL, Verilog). Experience disassembling and reverse-engineering firmware for ARM, MIPS, or Intel architectures.

• Knowledge of cryptographic primitives and protocols including encryption algorithms, key exchange algorithms, hashing/message authentication algorithms, PKI, and random number generators. Hands-on experience with Side-Channel Analysis (SCA) and Fault Injection (FI) techniques and tooling.

• Basic to advanced knowledge of electronics, embedded systems, chip design, and applied cryptography. Ability to work independently and lead security assessments without close supervision. Effective communication and stakeholder management across business and technology teams; strong technical writing abilities for producing detailed security evaluation reports.

• Demonstrated experience using enterprise-authorized AI capabilities within the work environment to support security engineering workflows with strong validation habits and awareness of data sensitivity.

• Ability to review and validate AI-assisted security recommendations before adoption, escalating uncertainty and ensuring outcomes align to security, resiliency, and auditability expectations.

Preferred qualifications, capabilities, and skills

• Experience extracting and identifying firmware filesystems, reverse-engineering embedded binaries, emulating firmware for dynamic analysis, fuzzing parsers and scanning network services for vulnerability discovery, interfacing with hardware debug ports (JTAG/SWD) and flash memory for firmware extraction, and performing advanced physical attacks including side-channel analysis and fault injection.

• Debugging and instrumentation experience for Android, iOS, or Linux on embedded platforms.

• Experience with security testing tools and methodologies for embedded and IoT devices.

• Experience extracting and identifying firmware filesystems, reverse-engineering embedded binaries, emulating firmware for dynamic analysis, fuzzing parsers and network services for vulnerability discovery, interfacing with hardware debug ports (JTAG/SWD) and flash memory for firmware extraction, and performing advanced physical attacks such as side-channel analysis and fault injection.

• Prior experience in the banking or financial services industry.

• Understanding of regulatory requirements and compliance standards applicable to payment and financial hardware security.

We offer a competitive total rewards package including base salary determined based on the role, experience, skill set and location. Those in eligible roles may receive commission-based pay and/or discretionary incentive compensation, paid in the form of cash and/or forfeitable equity, awarded in recognition of individual achievements and contributions. We also offer a range of benefits and programs to meet employee needs, based on eligibility. These benefits include comprehensive health care coverage, on-site health and wellness centers, a retirement savings plan, backup childcare, tuition reimbursement, mental health support, financial coaching and more. Additional details about total compensation and benefits will be provided during the hiring process.

JPMorganChase, one of the oldest financial institutions, offers innovative financial solutions to millions of consumers, small businesses and many of the world's most prominent corporate, institutional and government clients under the J.P. Morgan and Chase brands. Our history spans over 200 years and today we are a leader in investment banking, consumer and small business banking, commercial banking, financial transaction processing and asset management.