Lead Platform Engineer - Software Supply Chain Security Platform

About Qorsa

Qorsa Corp is a Canadian post-quantum cryptography and cybersecurity company building CasQade - a crypto-agile security platform designed to protect sovereign government, defence, financial, and critical infrastructure networks against current and emerging cryptographic threats. We are headquartered in Waterloo, Ontario, with a European subsidiary in The Hague, Netherlands. Our work spans post-quantum cryptography, cryptographic agility, hardware security, distributed systems, and AI-driven threat intelligence.

Job Summary

We are seeking a lead platform engineer to architect and ship a new enterprise SaaS platform in the software supply chain security space. This platform automates the generation, cryptographic signing, policy enforcement, and compliance packaging of Software Bills of Materials (SBOMs) for European and North American enterprises preparing for the EU Cyber Resilience Act and related regulatory obligations. The platform integrates Qorsa's post-quantum cryptographic signing capabilities to deliver the only PQC-native SBOM integrity solution on the market.

This is a founding engineering role. You will design the platform architecture from an empty repository, select the technology stack, define API contracts and service boundaries, and ship to production enterprise customers by December 2026. You will lead a small, focused engineering team across parallel workstreams while personally writing code on the most architecturally sensitive components. The role is hands-on and leadership in equal measure - you set the technical standards for the team and ensure what ships is production-grade.

This role reports directly to the Chief Quantum Officer and carries significant influence over the technical direction, product roadmap, and engineering culture of a platform targeting major enterprise contracts in a category that effectively does not exist today.

Responsibilities

• Architect the complete platform from scratch: service boundaries, data models, API contracts between workstreams (SBOM generation pipeline, PQC signing integration, policy engine, compliance export, supply chain graph, enterprise dashboard), technology stack selection, and infrastructure design.
• Write production code on the most architecturally consequential components - supply chain graph schema design, policy engine evaluation model, and the integration layer with Qorsa's CasQade post-quantum signing API.
• Manage seven co-op engineers across six parallel workstreams. Define sprint cadence, code review standards, and integration checkpoints. Conduct regular one-on-ones. Identify underperformance early and reassign workloads before deadlines slip.
• Mentor junior engineers to bridge the gap between co-op-quality and production-quality code - error handling, logging, observability, security boundaries, graceful degradation, and documentation standards.
• Own end-to-end integration of all workstreams. Define and enforce interface contracts between services. Drive integration testing from September onward. Personally debug cross-boundary failures.
• Design and implement the SBOM generation orchestration layer that dispatches to CycloneDX tooling across multiple package ecosystems (npm, pip, Maven, Go modules), validates output, normalises data, and feeds it into the signing pipeline.
• Own production readiness: deployment automation, infrastructure-as-code, monitoring, alerting, incident response procedures, and operational documentation for enterprise deployment.
• Ensure the platform meets enterprise security standards: SSO/SAML authentication, role-based access control, audit trails, data encryption at rest and in transit, API rate limiting, and compliance with EU data residency requirements.
• Collaborate with the CQO and co-founders on product direction, feature prioritisation, and scope management. You will have the authority and the responsibility to say no to feature requests that threaten the December 2026 ship date.

Qualifications

• 5+ years of software engineering experience with at least 2 years in a technical leadership or senior individual contributor role. Has architected and shipped at least one production platform or product (not just features on an existing system) that serves real users or customers.
• Strong backend systems experience in Go (strongly preferred), Python, or TypeScript. Go is the primary language for the platform's backend services and the integration layer with Qorsa's cryptographic signing infrastructure.
• Production experience with PostgreSQL or equivalent relational databases - schema design, query optimisation, indexing strategy, and data modelling for systems that evolve under load.
• Experience building or integrating with CI/CD systems (GitHub Actions, GitLab CI, Jenkins) at the plugin or extension level, not just as a user of pipelines.
• Experience with Docker and Kubernetes for containerised deployment of multi-service platforms.
• Has managed, mentored, or technically led junior engineers - ideally in a high-velocity, greenfield context where you were responsible for both the architecture and the team's output.
• Comfort operating without a detailed product specification for the first 2-3 months. You will work closely with the co-founders to translate regulatory requirements and market needs into engineering specs.
• Strong written and verbal communication. Architecture decisions will be documented and defended. Code reviews will teach, not just gatekeep.

Strong Assets

• Experience with software supply chain tooling - SBOM generation, dependency analysis, software composition analysis, code signing, or provenance verification.
• Familiarity with CycloneDX, SPDX, or Sigstore/Cosign ecosystems.
• Experience building enterprise SaaS platforms with multi-tenant architecture, SSO/SAML integration, and role-based access control.
• Experience with compliance or regulatory software - platforms that produce audit-ready documentation for regulated industries.
• Understanding of cryptographic operations at an integration level - signing, verification, certificate chains, and key management. You do not need to be a cryptographer, but you must understand how to integrate a signing API correctly and reason about the trust model.
• Experience with graph data models or graph-structured relational schemas for modelling dependency relationships.
• Familiarity with the EU Cyber Resilience Act, DORA, NIS2, or comparable regulatory frameworks.
• Previous startup experience, particularly as an early engineering hire or founding engineer.

Compensation

• Base salary as displayed.
• Equity participation in the platform entity, structured to reflect the founding nature of the role. Details discussed in the interview process.
• Standard benefits and vacation.

Timeline

This role is urgently hiring. The ideal start date is late-April 2026 or earlier.

Pay: $120,000.00-$170,000.00 per year

Work Location: In person