Cloud Security Engineer

What you'll do

• Own the security architecture for our internal AWS environment and the customer-deployed stacks running in AWS, Azure, and GCP
• Write Terraform modules and policy code that make the secure path the default path for every team shipping infra
• Harden our Kubernetes footprint: admission controllers, network policies, workload identity, runtime detections, secrets handling
• Build and tune detections across cloud control planes, identity providers, and workload telemetry; own the alert pipeline end-to-end and keep signal-to-noise high
• Help run incident response when something fires, and turn every incident into durable controls and codified runbooks
• Help push cloud compliance initiatives
• Partner with customers in Slack on self-hosting, network architecture, key management, and tenancy questions
• Use agentic coding workflows to automate the repeatable parts of security work: control validation, evidence collection, drift detection, and IR triage

Ideal candidate credentials

• 5+ years in cloud security, infrastructure security, or security engineering with a heavy hands-on bent — you ship code and configuration, not just policy
• Deep AWS expertise (IAM, VPC, KMS, GuardDuty, CloudTrail) and working fluency in at least one of Azure or GCP
• Strong Terraform skills and a track record of making security guardrails the default in IaC pipelines
• Production Kubernetes security experience: you've run admission controllers, debugged a cluster compromise, or written a network policy that mattered
• Proficient in modern backend technologies and comfortable writing real code in Python, TypeScript, or Go
• Production incident response experience; you've owned a real incident end-to-end and made the next one less painful
• Familiarity with one or more compliance regimes (SOC 2, ISO 27001, HIPAA, FedRAMP) and the discipline to make them work without becoming busywork
• Active user of agentic coding tools, with a clear point of view on how AI is changing security engineering — both offense and defense

Bonus: experience securing self-hosted enterprise software, multi-tenant SaaS, or LLM-heavy workloads (data exfiltration via prompts, model proxy abuse, agent sandboxing)