About the role
We're looking for a PM who can balance the constant tension between security and developer experience at platform scale. Every control you add is friction a developer has to absorb, and every default you loosen is a door an attacker could walk through. Finding the right balance between protecting customers and keeping them fast is the work of this role.
You'll partner with Security Engineering, Compliance, and the platform teams that own auth, networking, and audit.
This is a remote position and we're open to considering candidates located across EMEA and AMER time zones.
In This Role You Will
Set the security agenda for the platform. Lead Supabase's platform security roadmap end-to-end, from the defaults that protect a developer prototyping their first project to the advanced controls a Fortune 500 CISO needs before approving us.
Hold the line between security and developer experience. Every security feature trades protection against friction. A control that's too strict pushes developers off the platform; one that's too easy to bypass doesn't protect anyone.
Lead our security strategy for AI agents. Agents now read, write, and deploy on behalf of developers and companies, often at machine speed. You'll lead how Supabase authenticates, scopes, and audits agent activity so customers can give them real capability while staying in control of their data.
Own our security product surface. Drive the roadmap for the security tooling customers use to operate safely on Supabase: firewall, security advisors, audit logs, Supabase Vault, just-in-time database access, and the IAM primitives that let regulated customers get to "yes" with their security team.
Define the unified access model across Supabase. Roles, permissions, personal access tokens, OAuth integrations, organization and project modeling, SSO, and SCIM are foundational to how customers manage who can do what. You'll set the strategy that ties them together and drive the cross-cutting RFCs from proposal to shipped code.
Drive the compliance roadmap. Supabase already runs a strong compliance program with SOC2 and HIPAA in place. Your job is to define what comes next so more regulated companies can adopt us.
Be the customer's voice for security. Talk to enterprise prospects, regulated customers, and the security teams behind them. Translate what you hear into a roadmap that earns trust at every customer size, from the indie hacker prototyping their first project to the Fortune 500 CISO evaluating us for their most regulated workloads.
Ship the docs that go with the code. Make the security guides on supabase.com the best in the category: clear, opinionated, and trustworthy enough that a developer evaluating us comes away convinced.
You Might Be a Good Fit If You
Have 7+ years in product management, with serious time on security, identity and access, infrastructure, or developer platform products at a company where security mattered to enterprise buyers.
Have deep working knowledge of the security primitives our customers rely on: authentication, authorization (RBAC, RLS), audit logging, secrets management, and OAuth.
Have a track record of leading cross-functional initiatives across Product, Engineering, Security, GTM, and Compliance, and driving multi-team RFCs from proposal to shipped code.
Are 100% comfortable in a remote, async, write-it-down culture.
Are an exceptional writer. You can draft a customer-facing security disclosure, an internal threat model, a docs page, or a one-pager for a CISO without losing voice or precision.
Nice to have
Compliance fluency. You've worked alongside auditors and security teams on programs like SOC2, HIPAA, ISO 27001, PCI, or FedRAMP, and you can tell which requirements are real customer needs and which are checkbox theater.
Technical depth in Postgres, auth systems, or networking primitives.
Experience designing access models for AI agents or other automated systems.
Shipped security features that enterprise CISOs had to approve before adoption.