Cybersecurity Engineer

Zürich, CHE
In-Office
Mid level
Automation • Manufacturing
The Role
Owner of product and digital security across embedded, cloud, and supply chain. Lead CRA/NIS2/Machinery Regulation readiness, embed secure development lifecycle, run PSIRT/CVD/SBOM processes, perform threat modeling and code reviews, harden systems, mentor engineers, and report security posture to leadership.
Summary Generated by Built In
Gravis Robotics is a startup turning heavy construction machines into intelligent and autonomous robots. Our unique combination of learning-based automation and augmented remote control enables a single operator to safely manage a fleet of earthmoving machines in a gamified environment. With over a decade of academic experience at the cutting edge of large-scale robotics, our team is rapidly translating this expertise into real-world deployments with industry leaders in a trillion-dollar market.
About the Role
At Gravis, we operate at the intersection of hardware, software, and real-world deployment. Our Rooftop Autonomous Control Kit (RACK) integrates sensing, compute, communication, and networking into a manufacturer-agnostic solution deployable across a wide range of construction machines.

As Cybersecurity Engineer at Gravis, you will own digital security across the full product lifecycle, from the embedded software stack inside the RACK hardware to our cloud infrastructure and supply chain. You will be the company's expert voice on EU Cyber Resilience Act (CRA) readiness. You will lead the secure development lifecycle and embed security into our development processes from day one, mentoring the development team on best practices. As a member of the safety team, you will act as a trusted partner across engineering, product, legal, and operations. This is a high-impact individual contributor role with the mandate to build a security function as Gravis scales globally.

What You Will Do

Regulatory & Compliance
  • Lead CRA readiness for Gravis products with digital elements: scoping, product classification, gap assessments against essential requirements, risk analysis, control design, and remediation roadmaps
  • Translate CRA, NIS2, and Machinery Regulation requirements into actionable control frameworks and policies; map to ISO 27001/27002/27036, NIST CSF, NIST SP 800-161, NIST SSDF, CIS Controls, and OWASP
  • Maintain comprehensive technical documentation to support conformity assessments, CE marking, and engagement with Notified Bodies
  • Stay current on emerging threats, regulatory changes, and best practices in product security, supply chain security, and GRC

Product Security
  • Establish and mature product security capabilities: secure development lifecycle, secure update processes, vulnerability handling, coordinated vulnerability disclosure (CVD), PSIRT setup and operations, SBOM generation and management, and vulnerability triage
  • Conduct risk assessments and threat modelling for products and suppliers; define mitigation strategies, metrics, and KPIs
  • Participate in incident and alert response reviews; propose and implement improvement actions
  • Assess and improve the security hardening of enterprise and embedded solutions

Secure Engineering
  • Write secure code for critical system components in C, C++, Python, and/or Rust
  • Conduct manual and automated code reviews with a strict focus on security vulnerabilities (OWASP Top 10, CWE)
  • Define and enforce secure coding guidelines and SAST/DAST tooling across engineering teams
  • Mentor and upskill engineers on secure development best practices

Collaboration & Communication
  • Collaborate cross-functionally with security, engineering, product, operations, legal, and compliance teams; facilitate workshops and drive change
  • Produce clear, high-quality deliverables: assessment reports, control designs, implementation plans, policies, process maps, and training materials
  • Regularly monitor and report on security metrics, security posture, and compliance status to management
  • Explain complex security topics clearly to both technical and non-technical stakeholders

Required Qualifications

  • 3+ years of security experience with direct focus on EU regulatory compliance (CRA, NIS2, Machinery Regulation) and GRC
  • Strong familiarity with industrial or embedded cybersecurity standards, particularly IEC 62443
  • Broad knowledge of security frameworks (ISO 27001, NIST CSF, NIST SP 800-161, NIST SSDF, CIS Controls, OWASP), including control mapping and tailored implementation
  • Demonstrable experience establishing product security capabilities (PSIRT, CVD, SBOM, secure development/update pipelines) in a product or software organisation
  • Proficiency writing secure code in one or more of: C, C++, Python, Rust
  • Experience conducting manual and automated code reviews focused on identifying security vulnerabilities
  • Deep understanding of common vulnerability classes (OWASP Top 10, CWE) and proven mitigation strategies
  • Strong written and verbal communication skills; comfortable engaging both engineers and executives

Nice To Have

  • Relevant cybersecurity certifications: CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer/Auditor, CCSK, or CCSP
  • Practical experience with conformity assessments, technical documentation, and CE marking processes
  • Experience with penetration testing and vulnerability assessments
  • Hands-on experience with SAST and DAST tooling
  • Experience engaging with Notified Bodies through the conformity assessment process
  • Knowledge of cryptography, secure boot processes, and secure over-the-air (OTA) update mechanisms
  • Background in industrial automation, robotics, or embedded systems environments

Don't meet every requirement? If you're enthusiastic about this role but your experience doesn't match every qualification, we still encourage you to apply. You might be the perfect candidate for this or other positions.
 
This is an opportunity to join a dynamic and versatile team, and to be part of a young startup that will revolutionize heavy construction. Gravis Robotics offers a fair market salary and a working location in the vibrant city of Zurich. As a forward-facing startup, we understand that work-life balance and flexibility are important considerations for many professionals. If you are a highly qualified candidate with the requisite skills and experience, we encourage you to apply and discuss your preferred working arrangement during the interview process.

Gravis is an equal opportunity employer. We are committed to building an inclusive and diverse team, and do not discriminate based upon race, color, ancestry, national origin, religion, sex, sexual orientation, age, gender identity, gender expression, disability, veteran status, or other legally protected characteristics.
 
We are an international team that is working to solve problems with a global impact: to facilitate efficient communication and collaboration, proficiency in English is a requirement for all roles.

The Company
Zurich
42 Employees

What We Do

Developing autonomy for heavy machinery to automate an industry with slowly rising productivity and a global labour shortage
