# Lead Security Engineer

**Company:** [Alembic](https://hotfix.jobs/companies/alembic-2)
**Location:** San Francisco, CA
**Role:** Security Engineering
**Salary:** $210k – $240k/yr
**Experience:** 8+ years
**Skills:** Kubernetes, Linux, Edr, Ids/Ips, SIEM, OIDC, SAML, Mtls, Terraform, Ansible, Python
**Posted:** 2026-07-01

> Lead Security Engineer to own end-to-end system, network, and host security for an on-prem Kubernetes-based AI factory. Design controls, lead incident response, balance open culture with IP/customer data protection; requires 8+ years security engineering with deep Kubernetes, on-prem, and incident experience.

## Job Description

## Responsibilities
- Design and implement security controls across all environments — network segmentation and firewalling, IDS/IPS, and traffic analysis on our on-prem Kubernetes platform.
- Build and enforce host security: EDR, kernel telemetry, hardening, and baseline implementation across the fleet.
- Own identity and access — AuthN/AuthZ, RBAC, and service identity — grounded in OIDC, SAML, and mTLS.
- Stand up incident-detection pipelines (SIEM, metrics, endpoint telemetry) tuned to surface high-signal threats over noise.
- Lead incident response end to end: triage, containment, recovery, root-cause analysis, and forensics.
- Keep the focus on enablement over restriction — effective security, not compliance for its own sake — while balancing IP protection, customer-data protection, and broad internal information sharing.
- Partner with Legal and the CISO to obtain the compliance certifications we need and to answer customer questions about the security of our systems.
- Hire and mentor as the security function grows.

## Requirements
- 8+ years in security engineering, infrastructure, or related roles.
- Strong Linux system security and networking (SSH certificates, directory-based authentication).
- Strong Kubernetes security (RBAC, tenant isolation, admission control).
- Real experience securing on-prem environments, not only public cloud.
- Proven track record leading real-world incidents, with familiarity with attacker techniques (lateral movement, persistence, exfiltration).
- Hands-on depth in EDR, IDS/IPS, and SIEM.
- Strong command of OIDC, SAML, mTLS, and cryptography-based storage security.
- Comfort writing code, automation, and tooling in Python or similar.
- Configuration management via IaC (Terraform, Ansible).
- The judgment to distinguish high-signal threats from noise, make pragmatic tradeoffs in a fast-moving company, and communicate effectively with technical stakeholders.

## Nice-to-Haves
- High-performance or distributed-compute experience (HPC, GPU clusters).
- Identity-aware proxies or zero-trust architectures.
- Offensive security (red teaming, exploit development).
- Secure application development and secure-code training.
- Responsible-disclosure/bug-bounty programs.
- AI controls, MCP security, agent security, and AI governance.
- Background in corporate IT security.

## Similar roles

- [Third Party Risk Management and Customer Trust Lead](https://hotfix.jobs/jobs/a02101ec-ba56-4b5e-846a-a8202503f128) - Replit - Foster City, CA - $210k – $270k/yr
- [Sr. Engineering Manager, Application Security](https://hotfix.jobs/jobs/aafc2a7e-e3fc-48d4-8b51-63c09c589066) - Betterment - New York, NY - $210k – $250k/yr
- [Senior Software Engineer, Fraud](https://hotfix.jobs/jobs/b8f1b1fc-f154-404f-b6b9-43b54c2c57d9) - Replit - Foster City, CA - $210k – $265k/yr
- [Senior Software Engineer, Risk](https://hotfix.jobs/jobs/d80316cf-96fe-4f12-b18f-15c35c59537a) - Replit - Foster City, CA - $210k – $265k/yr
- [Senior Software Engineer, Trust & Safety](https://hotfix.jobs/jobs/8e2a2866-a5d6-4d0b-8fb7-fea83c084a45) - Replit - Foster City, CA - $210k – $265k/yr

**Apply:** https://hotfix.jobs/jobs/e762b76c-17f9-47e7-a810-209649f33103
**Canonical:** https://hotfix.jobs/jobs/e762b76c-17f9-47e7-a810-209649f33103