Eagle Wireless is a connectivity company delivering secure, reliable, and scalable cellular modules and solutions for automotive and IoT applications. With a strong presence in the United States and global R&D teams across North America, Europe, and APAC, Eagle Wireless supports customers worldwide with long-life, compliant, and cyber-secure connectivity products. Focused on trust, supply chain resilience, and regulatory compliance, Eagle Wireless helps OEMs, Tier 1 suppliers, and IoT innovators deploy connected technologies with confidence in an increasingly complex global environment.
We are looking for:
Embedded Product Security Engineer
This is a hands-on technical role. You will write and run code, operate tooling in containers, generate customer-facing reports, and work directly with firmware and software engineers to remediate findings. You will also be a key contributor to our CI/CD pipeline, embedding security analysis at the build stage rather than as an afterthought.
Key responsibilities:
CVE triage and vulnerability management
- Monitor CVE feeds and security advisories relevant to our component stacks across all product lines
- Triage incoming CVEs against maintained SBOMs, assess exploitability, and determine applicability per product
- Author and deliver VEX (Vulnerability Exploitability eXchange) documents to customers within required timelines
- Maintain component inventory as products evolve through their lifecycle
- Operate and maintain vulnerability management tooling (e.g. Dependency-Track or equivalent)
SBOM generation and maintenance
- Generate and maintain accurate SBOMs (CycloneDX / SPDX) for all 20+ product lines
- Integrate SBOM generation into CI/CD pipelines so artifacts are produced automatically at build time
- Deliver SBOMs to customers in required formats (CycloneDX, SPDX) on agreed cadences
- Track third-party component updates, license changes, and EOL status across the product portfolio
Secure CI/CD and DevSecOps integration
- Work with platform and DevOps engineers to integrate security tooling into build pipelines
- Deploy and maintain source code static analysis tools (e.g. Coverity, Clang Static Analyzer) and binary analysis tools (e.g. Binwalk, Finite State, Binary Ninja) — selecting the right tool for the analysis context
- Implement and manage code signing and binary signing workflows for firmware and software releases, including key management and certificate lifecycle
- Define and enforce security gates in the pipeline — builds that introduce new critical findings do not ship
- Support secret scanning, dependency checking, and licence compliance tooling in CI
- Maintain reproducible, containerised analysis environments so tooling runs consistently across dev, CI, and ad-hoc investigation contexts
Firmware and hardware security analysis
- Perform or coordinate binary firmware analysis using tools such as Binwalk, Ghidra, Binary Ninja, and Finite State to identify vulnerabilities, hardcoded credentials, and insecure configurations
- Conduct or support source code security review of C/C++ and embedded codebases, identifying memory safety issues, unsafe function usage, and logic flaws
- Assess hardware debug interfaces (UART, JTAG, SWD) for exposure and insecure defaults; document findings and work with hardware engineers on mitigations
- Evaluate boot security: secure boot, chain-of-trust, and firmware signing enforcement
- Identify and triage vulnerabilities specific to cellular module threat models — baseband exposure, AT command surface, modem firmware, and OTA update security
- Produce structured technical findings reports from firmware and hardware analysis, suitable for engineering remediation and customer-facing disclosure where required
Reporting and automation
- Write Python scripts and tooling to automate vulnerability report generation for customer delivery
- Build and maintain containerised analysis workflows that can be run reliably across different environments
- Produce clear, accurate security reports suitable for both technical and non-technical customer contacts
- Maintain dashboards and metrics for internal tracking of vulnerability status across the product portfolio
Customer and cross-functional support
- Produce technical security data packages — SBOMs, VEX documents, and scan results — for customer delivery
- Provide technical input to penetration test scoping and support findings review
- Work with firmware and software engineers to communicate vulnerability findings clearly and track remediation
- Ensure outputs (SBOMs, VEX documents, reports) meet the technical requirements of the EU Cyber Resilience Act (CRA)
Required qualifications
- 3+ years in a product security, application security, or security engineering role
- Hands-on Python development — you write scripts and tooling, not just configure dashboards
- Practical experience with SBOM formats (CycloneDX, SPDX) and VEX
- Working knowledge of CVE, CVSS, and vulnerability triage methodology
- Experience with container-based workflows — building, running, and debugging containers (Docker, Podman)
- Familiarity with CI/CD systems (Jenkins, Bitbucket Pipelines, Gerrit, or similar) and integrating security tooling into pipelines
- Experience with source code static analysis tools (e.g. Coverity, Clang Static Analyzer) — able to tune rules, review findings, and distinguish true positives from noise
- Hands-on experience with binary firmware analysis tooling — Binwalk for unpacking and filesystem extraction, Ghidra or Binary Ninja for reverse engineering and disassembly
- Practical understanding of hardware debug interfaces: UART, JTAG, and SWD — what they expose, how to assess them, and how to advise on hardening
- Understanding of code signing, certificate management, and PKI as applied to firmware or software releases
- Strong written communication — you will author documents that go directly to customers
Preferred qualifications
- Experience in an embedded systems, firmware, or hardware product company — cellular, IoT, or industrial preferred
- Familiarity with cellular module threat models: AT command attack surface, baseband firmware, SIM/eSIM security, and OTA update mechanisms
- Experience with Finite State or similar commercial firmware security analysis platforms
- Reverse engineering experience with Ghidra, Binary Ninja, or IDA Pro — able to navigate disassembly and identify security-relevant code paths
- Experience testing or assessing hardware debug interfaces (UART, JTAG, SWD) in a lab setting
- Knowledge of EU Cyber Resilience Act requirements and obligations
- Experience with Dependency-Track, Grype, Syft, or similar open-source vulnerability management platforms
- Exposure to OpenVEX or other machine-readable VEX formats
- Understanding of firmware supply chain security concepts (SLSA, sigstore, reproducible builds)
- Relevant certifications: GREM, GPEN, CSSLP, CompTIA Security+, or similar — firmware/hardware focus preferred
- Comfortable in a lab environment — able to work with hardware, connect to debug interfaces, and run tooling on physical devices
What success looks like
- 30 days: Understand our product portfolio, component stacks, and current SBOM coverage. Identify the largest gaps in our CVE triage process.
- 90 days: Vulnerability management tooling deployed. SBOM generation automated for at least a subset of product lines. First VEX documents delivered to customers.
- 6 months: Security gates active in CI/CD. Binary signing integrated. All active products have maintained SBOMs. CVE triage running as a steady-state program rather than reactive firefighting.
- 12 months: Full product security tooling stack operational and producing consistent outputs. Customer SBOM and VEX delivery running as a steady-state automated program. Product security posture measurably improved and demonstrable through data.