# Cloud Security Engineer

**Company:** [Braintrust](https://hotfix.jobs/companies/braintrust)
**Location:** New York, NY, Seattle, WA, New York
**Role:** Security Engineering
**Experience:** 5+ years
**Skills:** AWS, Terraform, Kubernetes, Python, TypeScript, Go, Azure, GCP, IAM, Guardduty, Cloudtrail, Kms, Vpc, SOC 2, ISO 27001
**Posted:** 2026-05-07

> Hands-on Cloud Security Engineer owning security architecture across AWS, Azure, and GCP, hardening Kubernetes and Terraform stacks, building detections, and leading incident response for multi-cloud infrastructure.

## Job Description

## What you'll do
- Own the security architecture for our internal AWS environment and the customer-deployed stacks running in AWS, Azure, and GCP
- Write Terraform modules and policy code that make the secure path the default path for every team shipping infra
- Harden our Kubernetes footprint: admission controllers, network policies, workload identity, runtime detections, secrets handling
- Build and tune detections across cloud control planes, identity providers, and workload telemetry; own the alert pipeline end-to-end and keep signal-to-noise high
- Help run incident response when something fires, and turn every incident into durable controls and codified runbooks
- Help push cloud compliance initiatives
- Partner with customers in Slack on self-hosting, network architecture, key management, and tenancy questions
- Use agentic coding workflows to automate the repeatable parts of security work: control validation, evidence collection, drift detection, and IR triage

## Ideal candidate credentials
- 5+ years in cloud security, infrastructure security, or security engineering with a heavy hands-on bent — you ship code and configuration, not just policy
- Deep AWS expertise (IAM, VPC, KMS, GuardDuty, CloudTrail) and working fluency in at least one of Azure or GCP
- Strong Terraform skills and a track record of making security guardrails the default in IaC pipelines
- Production Kubernetes security experience: you've run admission controllers, debugged a cluster compromise, or written a network policy that mattered
- Proficient in modern backend technologies and comfortable writing real code in **Python**, **TypeScript**, or **Go**
- Production incident response experience; you've owned a real incident end-to-end and made the next one less painful
- Familiarity with one or more compliance regimes (**SOC 2**, **ISO 27001**, **HIPAA**, **FedRAMP**) and the discipline to make them work without becoming busywork
- Active user of agentic coding tools, with a clear point of view on how AI is changing security engineering — both offense and defense

**Bonus:** experience securing self-hosted enterprise software, multi-tenant SaaS, or LLM-heavy workloads (data exfiltration via prompts, model proxy abuse, agent sandboxing)

## Similar roles

- [Security Program Manager](https://hotfix.jobs/jobs/e7f7fcaf-1979-4194-9131-83689809fe47) - Forus - New York, NY
- [Safeguards Enforcement Analyst, Account Takeover & Credential Abuse](https://hotfix.jobs/jobs/31f5d0ec-9b31-4419-a4b1-2e826ec7a358) - Anthropic - San Francisco, CA - $245k – $285k/yr
- [Application Security Engineer](https://hotfix.jobs/jobs/d240253e-6098-4419-8f04-aaf793f42c03) - Zocdoc - Remote - $100k – $140k/yr
- [Detection & Mitigation Engineer](https://hotfix.jobs/jobs/61def9c4-f4a5-41a5-99c6-579a61033a73) - Cloudflare
- [Security & Compliance Operations Manager](https://hotfix.jobs/jobs/90ac6643-526f-4aeb-bb4f-d71bc1af1fcd) - Mintlify - San Francisco, CA - $120k – $180k/yr

**Apply:** https://hotfix.jobs/jobs/7a44d69b-14e0-4a41-a704-da25e69a2707
**Canonical:** https://hotfix.jobs/jobs/7a44d69b-14e0-4a41-a704-da25e69a2707