Lead AI Security Engineer

Transporeon is a SaaS company founded in 2000 in Ulm, Germany. The company provides logistics solutions across several areas, including:

• Buying & selling of logistics services

• Organizing shipment execution

• Organizing dock, yard, truck, and driver schedules

• Invoice auditing for logistics services

It has grown significantly over the years, reaching €150m in revenue before being acquired by Trimble for $2 billion USD in 2022. Transporeon has one of the largest networks of shippers and carriers in Europe, with approximately 1,400 employees:

Lead the design and implementation of a defense-in-depth security framework for Model Context Protocol (MCP) servers and related agent ecosystems. Own enforceable scopes, egress control, and observability patterns that protect internal and customer data while preserving developer velocity. Operate as a Lead/Specialist: working independently, leading others to solve complex problems, and applying specialized expertise to influence product, platform, and policy decisions. This is a hands-on role: you will design, code, test, and ship production-grade security components and reference implementations.

Join a lean Center of Excellence within the Applied AI Safety & Enablement group. We partner closely with other Trimble security and platform teams on identity, gateway policy, and secure remote deployment. We also collaborate with AI agent development teams on governance and AI-specific safeguards. The charter: standardize secure MCP deployment and operations across Trimble, starting with highest‑risk scenarios and expanding via quick wins and reusable reference architectures.

• Architect, implement, and maintain a secure ingress pattern for remote MCP (Model Context Protocol )servers behind an authenticated gateway, including policy enforcement, request logging, rate limiting, and abuse detection.

• Define and implement scope-based authorization aligned to OAuth2/OIDC, including audience validation and JWKS discovery, with progressive adoption of enforceable scopes at the auth server.

• Build or be able to adapt to egress controls and telemetry for remote and local/stdio MCP servers, including developer-friendly proxies, tagging, and baseline logging.

• Ship and maintain production-ready reference implementations and hardened templates for Kubernetes-based deployments that product teams can adopt with minimal friction.

• Integrate static and supply-chain scanning into CI for MCP servers. Automate checks in registration and deployment pipelines.

• Partner with agent teams to align tool metadata linting, scope-to-tool mapping, and safety checks at the agent and gateway layers.

• Build and maintain vetted libraries, CLIs, shims, and middleware for token validation, scope evaluation, logging, and egress controls.

• Lead cross-functional technical design with other Trimble security and platform teams to make the MCP gateway a first-class platform capability, including consent flows and registration in API Cloud.

• Define policy-as-code for authorization, quotas, and abuse prevention. Measure effectiveness via auditability, adoption, and time-to-onboard metrics.

• Publish developer guidance and guardrails for remote and local MCP scenarios. Provide vetted libraries and patterns for token validation, scope evaluation, and logging.

• Triage and reduce top security risks first: high-impact data exfiltration, prompt-injection exposure at the agent boundary, and unobserved egress from local servers.

• Operate as a Lead/Specialist: interpret internal and external challenges, recommend best practices, and lead others to solve complex problems with minimal oversight.

• Influence platform roadmaps to enable enforceable scopes and centralized routing while maintaining clear separation of concerns between discovery, policy enforcement, and deployment.

• Write and review code for gateways, policy enforcement, developer tooling, and integrations. Contribute high-quality code, tests, and documentation while leading technical direction.

• Deep hands-on expertise with OAuth2/OIDC, scopes, consent, and token validation patterns. Experience evolving toward enforceable scopes at the authorization server.

• Understanding Kubernetes architecture and platform engineering fundamentals, including container security, service identity, and secret management.

• Understanding of the current agent/MCP ecosystems and AI-specific risks, with a bias for controls at the tool, agent, and layers rather than intrusive network overseers.

• Proficiency in one or more of: Python, TypeScript, .NET, or Java for platform, services, and tooling. Ability to choose the right tool for the component.

• Experience translating security policy into policy-as-code and enforcing it through code-written integrations is a plus.

• Specialized depth in security-focused application development with the ability to lead others on complex issues.

• Works independently, receives guidance only on the most complex situations.

• Communicates difficult concepts, negotiates trade-offs, and influences across teams.

• Interprets business and regulatory challenges to recommend best practices with the ability to explain them to non-technical staff.

How to Apply: Please submit an online application for this position by clicking on the 'Apply Now' button located in this posting.

Application Deadline: Applications could be accepted until at least 30 days from the posting date.

Join a Values-Driven Team: Belong, Grow, Innovate. 

At Trimble, our core values of Belong, Grow, and Innovate aren't just words—they're the foundation of our culture. We foster an environment where you are seen, heard, and valued (Belong); where you have an opportunity to build a career and drive our collective growth (Grow); and where your innovative ideas shape the future (Innovate). We believe in empowering local teams to create impactful strategies, ensuring our global vision resonates with every individual. Become part of a team where your contributions truly matter. 

Trimble's Privacy Policy

If you need assistance or would like to request an accommodation in connection with the application process, please contact