# CyberSec People

> CyberSec People is a specialist cybersecurity search firm founded in 2017, based in Australia with global reach. We find security talent for companies building with AI, from seed-stage startups making their first security hire to scale-ups and enterprises building world-class security teams. We are practitioners who recruit, embedded in the security community through conferences, meetups, and a decade of industry relationships. We are not a generalist recruitment agency.

## What We Do

Eight technical domains where the talent is scarce and the stakes are high. Each domain includes a deep-dive Q&A to help founders and security leaders understand when and why they need these hires.

## Domain 1: Product Security

The engineers who secure what gets shipped. In the age of AI, that means securing not just the application, but the models, the data, and the agentic workflows that power it.

### Do I need a Product Security Engineer?

If your business ships software, the answer is yes. Your developers are focused on features, not on the vulnerabilities they are introducing. A Product Security engineer embeds with your development teams to find and fix vulnerabilities before they reach production. If you are shipping AI features, they also need to understand model security, prompt injection, and the new attack surfaces that come with it.

### What do they actually do?

They are your security-focused software engineers. They review code, threat model new features, automate security testing in the CI/CD pipeline, and secure your AI integrations. They build the paved roads that make the secure path the easy path for your developers. They know the difference between finding 10,000 vulnerabilities and finding the 10 that actually matter.

### When should I hire one?

This is often one of the first two security hires for a product-led company, alongside a Cloud Security Engineer.
If you have a team of developers shipping code to production, or you are building AI-powered features, you need a Product Security engineer.

## Domain 2: Cloud & Infrastructure Security

AI runs on cloud. Someone needs to secure it. From traditional cloud environments to the GPU clusters, model pipelines, and data platforms powering the AI revolution, this is the role that stops a misconfiguration from becoming a breach.

### Do I need a Cloud Security Engineer?

If you are running production workloads in the cloud and you do not have someone who wakes up every morning thinking about how to secure it, you have a problem. Most breaches at startups are not sophisticated hacks. They are a misconfigured S3 bucket or an exposed database.

### What do they actually do?

They build the guardrails for your cloud environment. They lock down access, segment your networks, encrypt your data, and build the monitoring that tells you when something is wrong. They are the reason a single stolen developer laptop does not take down your entire company.

### When should I hire one?

If you have raised a Series A and have more than 10 engineers, you are overdue. If an enterprise customer has sent you a security questionnaire, you needed one yesterday. This is almost always the first or second security hire a cloud-native startup makes.

## Domain 3: Identity and Machine Identity

The perimeter is gone. Identity is the new control plane. Every user, every API key, every service account, every AI agent needs to be authenticated, authorised, and auditable. This is the foundation of zero-trust and the security of autonomous systems.

### Do I need an Identity Engineer?

If you are managing more than just a simple username and password login, you have an identity problem. The moment you add third-party logins, API keys for partners, or service accounts for your CI/CD pipeline, the complexity explodes. One compromised key can give an attacker access to everything.

### What do they actually do?
They are the architects of trust in your system. They build and manage the systems that control access for every user and every machine. They implement SSO for your enterprise customers and ensure your AI agents have the minimum permissions they need to function, and nothing more.

### When should I hire one?

When you move beyond a simple login system. If you are planning for enterprise SSO, building a public API, or deploying autonomous agents, you need a specialist. This is often a company's third or fourth security hire, after you have the cloud and application security basics covered.

## Domain 4: Detection & Response Engineering

The future of defence is engineered, not just monitored. High-fidelity detection and automated response capabilities that move your organisation from reactive alert-chasing to proactive threat neutralisation. This is where security becomes a data engineering problem.

### Do I need a Detection Engineer?

If you are logging security data but drowning in alerts, or worse, not getting any alerts at all, you need a Detection Engineer. A traditional analyst can investigate an alert, but a Detection Engineer builds the engine that separates real threats from the noise.

### What do they actually do?

They are data-driven threat hunters. They write code to sift through your logs and find the subtle patterns of an attack in progress. They are the difference between finding out you were breached from a security tool, and finding out from a customer on Twitter.

### When should I hire one?

Once you have security logs flowing into a central place. If you are struggling with alert fatigue or have a nagging feeling you are missing things, it is time. This is typically a hire for a Series B or later company that wants to build a proactive defence.

## Domain 5: Offensive Security & AI Red Teaming

To build a resilient defence, you have to understand the offence. Traditional penetration testing and red teaming, plus the emerging discipline of AI red teaming.
Testing your systems, your models, and your agents against the next generation of threats.

### Do I need an Offensive Security Engineer?

Automated scanners find common vulnerabilities. They are terrible at finding the unique, business-logic flaws in your application, the complex attack paths in your cloud environment, or the prompt injection vectors in your AI features. An Offensive Security Engineer provides the human creativity that automated tools lack. If you are shipping AI, they need to know how to break it.

### What do they actually do?

They perform authorised, simulated attacks against your systems. Traditional red teaming of networks and applications, plus the emerging discipline of adversarial AI evaluation: testing LLMs for jailbreaks, prompt injection, data exfiltration, and agent manipulation. They provide the proof that you are, or are not, as secure as you think you are.

### When should I hire one?

Most startups begin with third-party penetration tests for compliance. You should consider an in-house hire when you want to move beyond checking a box and build a continuous security testing capability. If you are deploying AI features, you need someone who can adversarially test them. The hackers are evolving. Your testers need to evolve with them.

## Domain 6: AI & Agentic Security

This is not cloud security or product security with an AI label. It is a genuinely new field. Model security, prompt injection defence, agent guardrails, supply chain integrity for AI systems. The role is still being defined, and most companies are figuring out who should own it. If you are building with AI, that question is going to find you whether you are ready or not.

### Does this role even exist yet?

Barely. A handful of companies have dedicated AI security engineers. Most are still bolting AI security onto existing AppSec or cloud security roles. The job title is emerging and the skill set is being defined in real time.
If you are waiting for the market to produce a clear AI Security Engineer profile before you start thinking about it, you are already behind.

### What would this person actually do?

They would secure the AI stack from the ground up. Hardening model endpoints, building guardrails for autonomous agents, securing training data pipelines, implementing output filtering, and ensuring supply chain integrity for the models and frameworks you depend on. They sit at the intersection of ML engineering and security engineering.

### When should I start thinking about this hire?

If AI is core to your product and you are moving beyond prototypes into production, now. Not when you have a breach or a customer asks how you are securing your models. The people who can do this work are scarce, and they are not going to be easier to find in 12 months.

## Domain 7: AI Governance & Risk

New regulations are reshaping the landscape, and AI compliance is now a board-level concern. The people who can translate policy into practice, enabling innovation while managing risk, are in short supply and high demand.

### Do I need an AI Governance person?

If your product uses AI and you sell to enterprise customers, operate in regulated industries, or have any exposure to the European market, the answer is yes. The EU AI Act comes into force in August 2027. Your enterprise customers are already adding AI-specific clauses to their security questionnaires.

### What do they actually do?

They sit between your AI engineering team, your legal team, and your customers. They build the frameworks that ensure your AI systems are fair, transparent, and auditable. They create the documentation that proves to a regulator or an enterprise buyer that your AI does what you say it does and nothing you did not intend.

### When should I hire one?

If you are pre-Series B, your CTO or Head of Security can cover the basics.
If you have raised a Series B or beyond and your AI is customer-facing, a dedicated hire makes sense. The trigger is usually an enterprise customer asking how your AI makes decisions, or your legal team flagging regulatory risk.

## Domain 8: Security Leadership

The right security leader is the ultimate force multiplier. CISOs, VPs, and Heads of Security who don't just manage risk but enable the business through every stage of growth. Your first security hire sets the trajectory for everything that follows. For retained executive search, visit CyberSec Search (https://cybersecsearch.com).

### Do I need a Head of Security?

If you have raised a Series A or B and you do not have a single person who owns security, you are taking a significant risk. Your investors, enterprise customers, and regulators will all ask who is responsible for protecting the company. At this stage, you need a leader who can be both strategic and hands-on.

### What do they actually do?

At a startup, the Head of Security is the security team. They build the security program from scratch, hire the first engineers, and represent security to the board and to customers. At a scale-up, they shift to strategy, team building, and cross-functional influence. The profile changes dramatically depending on your stage.

### When should I hire one?

If you are pre-seed or seed, you likely do not need a full-time leader yet. A fractional CISO or an advisor can bridge the gap. From Series A onward, a dedicated leader becomes critical. The right hire depends entirely on your stage, your product, and your customer base. That is what we help you figure out.

## Who We Work With

Our primary clients are seed to Series D/E funded companies in Australia and globally. We work directly with founders making their first security hire, and CISOs or Heads of Security scaling teams at high-growth companies.
We also work with enterprise security leaders who think like builders, the ones restructuring their security functions, insourcing from MSSPs, and hiring like startups even if they are not one.

## Our Track Record

We have placed over 300 security professionals across more than 100 companies. Our fill rate is 95% and our submission-to-interview rate is 92%. We have a 5.0 rating on Google.

## Community Involvement

We co-organise BSides Gold Coast and SecTalks Gold Coast. We run Career Villages at Black Hat, AISA CyberCon, and BSides events across Australia. We host the Hacking into Security podcast. We have been part of the Australian security community since 2016. These are not contacts in a database. They are relationships built over a decade.

## Contact

- Email: hello@cybersecpeople.com
- Website: https://cybersecpeople.com
- Executive Search: https://cybersecsearch.com
- Location: Australia (serving globally)