Senior technical owner building secure-by-default infrastructure, IaC modules, policy-as-code guardrails, and CI/CD security tooling for cloud and platform engineering teams.
160k – 240k
On-site7+ YOESecurity Engineering
About the role
What you'll do
Build the secure defaults: Infrastructure-as-Code modules, CI/CD pipeline templates, internal libraries, and golden-path scaffolding that make the secure choice the easy choice.
Engineer guardrails as code — policy-as-code (OPA/Conftest), admission controllers, cloud guardrails (SCPs / org policy), and pre-commit and CI checks — so the insecure path is blocked or flagged automatically.
Own the platform security tooling that other teams consume, so they don't have to build their own; replace recurring manual work with durable, self-service mechanisms.
Embed security into the software and infrastructure supply chain: pipeline security, build/artifact integrity, dependency and container scanning, and secrets management.
Engineer workload and service identity controls (least privilege, short-lived credentials, federated trust) so zero-standing-privilege is real and observable.
Write and maintain production-quality code and infrastructure that backs these controls.
Partner with platform, infrastructure, and product engineering teams early — review high-blast-radius designs against the internal Security Engineering standard while the design can still change, and turn recurring findings into a missing paved road, not just another fix.
Set technical direction and standards for secure-by-default; document them so they can be applied without us, and mentor and raise the bar for other engineers.
Required qualifications
Extensive experience in security engineering, platform/infrastructure engineering, DevSecOps, or a closely related field, with a track record of owning complex systems end-to-end.
Strong software engineering ability — you write, review, and ship production-quality code (any modern language) and treat infrastructure as software.
Hands-on experience building secure-by-default mechanisms: Infrastructure-as-Code, CI/CD pipeline security, and policy/guardrails as code.
Deep working knowledge of at least one major cloud provider and its security and identity model.
Demonstrated ability to design durable, automated solutions that reduce real risk without becoming a bottleneck — and to make explicit tradeoffs between security and the business.
Strong communication: you can explain a security concept to a product engineer in their language and to a leader in business terms, and you write recommendations people can act on.
Preferred qualifications
Strong DevSecOps background with hands-on Kubernetes (admission control, OPA/Gatekeeper, workload identity) and Terraform (reusable secure modules, policy-as-code).
Production coding experience in Go, Python, and/or Rust; comfortable with scripting/automation in Bash and PowerShell.
Depth in Azure security and identity (Entra ID, Azure Policy, Management Group guardrails).
Experience securing AI/ML systems, pipelines, or workloads.
Offensive security / red team experience, with the ability to think like an attacker and translate those findings into stronger defaults and guardrails.
Experience with supply-chain security (SLSA, sigstore/cosign, SBOMs), container/image hardening, and secrets management.
Experience operating security tooling as an internal product consumed self-service by other engineering teams.
Bachelor's degree or equivalent professional certification and experience.
Skills
KubernetesTerraformOpaGoPythonRustAzureEntra IdAWSGCPCI/CDInfrastructure As CodePolicy As CodeDevSecOps
Technical lead performing advanced offensive security work including full-stack pentesting, red team operations, custom exploit development, AI/LLM red teaming, and bug bounty management. Requires 7-10 years experience, deep expertise in MITRE ATT&CK and OWASP, and proficiency with industry tools and scripting.
156k – 229k
Remote7+ YOESecurity Engineering
Staff GRC Engineer
ezCaterUnited States
Senior individual contributor leading GRC program maturity, control automation, data security governance, and AI governance for a SaaS food tech platform. Requires 8+ years in security compliance with strong automation and cross-functional influence skills.
165k – 210k
Remote8+ YOESecurity Engineering
Staff Cloud Security Engineer
HuntressUnited States
Designs and implements secure cloud architectures for AWS and Azure, integrates security into DevSecOps pipelines, manages vulnerabilities, and leads threat detection/response for a B2B SaaS cybersecurity platform. Requires deep cloud expertise and SaaS production security experience.
165k – 193k
RemoteSecurity Engineering
Sr. Staff System Security Engineer
Shield AIDallas, TX +1
Lead cybersecurity strategy, architecture, and RMF execution for complex defense aircraft, mission systems, networks, and infrastructure. Requires 8+ years in cybersecurity for integrated defense platforms, strong RMF/STIG knowledge, and cross-functional integration skills.
170k – 250k
On-site8+ YOESecurity Engineering
Staff IAM Engineer
IroncladSan Francisco, CA
Own security-critical identity and corporate security controls, managing IAM platforms, SSO/MFA integrations, RBAC policies, and endpoint trust for macOS/Windows environments.