Skip to content
CrusoeCrusoeSan Francisco, CA

Principal Infrastructure Security Engineer

Lead security architecture for Crusoe's AI cloud infrastructure, driving zero-trust adoption, workload identity, supply chain security, and hardware-to-software protections at hyperscale. Requires 12+ years infrastructure security experience at a major cloud provider.

280k – 330k
On-site12+ YOESecurity Engineering

About the role

What You’ll Be Working On

Platform Security Services

  • Lead the architectural transition to a zero-trust network by driving the adoption of Workload Identity (SPIRE/SPIFFE) and enforcing mutual TLS (mTLS) with encryption, authorization policy enforcement across all service-to-service communications.

Eradicating Static Credentials

  • Architect and deploy Just-in-Time (JIT) access models, ephemeral credentials (PAM), and granular machine identities to systematically eliminate static credentials and API keys across the infrastructure.

Full-Stack Supply Chain Security

  • Architect and enforce security controls across the entire supply chain spectrum: from firmware and bare-metal (hardening BMC administration and establishing verifiable roots-of-trust) up through the hypervisor, VM layer, cloud control plane, and CI/CD build environments (GitLab).

Enterprise Data Security & Secrets Management

  • Drive the technical delivery of highly requested enterprise trust features, including Customer-Managed Encryption Keys (CMEK) and an internal Secrets-as-a-Service platform (Vault-aaS).

Runtime Integrity & Advanced Threat Defense

  • Lead the deployment of host-level controls using eBPF and Falco-class tooling for kernel lockdown, audit expansion, and immutable logging to detect and prevent threats in real-time.

Network & Hardware Isolation

  • Guide the security architecture for SDN 2.0 (OVN sharding per tenant), secure VPC peering, and private connectivity (IPsec VPN, VPC Interface Endpoints) to ensure rigorous tenant isolation without an AI workload performance tax.

Executive Advisory & Prioritization

  • Act as a trusted advisor to leadership, synthesizing ambiguous systemic signals—from endpoint and SaaS risks to deep infrastructure vulnerabilities—into clear engineering action plans and RFCs.

What You’ll Bring to the Team

Requirements

  • 12+ years of experience in infrastructure security, security architecture, or production engineering, with significant tenure at a major cloud provider (e.g., AWS, GCP, Azure) or specialized high-performance computing environment
  • Deep, hands-on architectural expertise with modern identity frameworks (SPIFFE/SPIRE, OIDC, OAuth 2.0) and a proven track record of successfully rolling out mTLS and ephemeral credentialing at scale
  • Strong experience securing public/private build environments, enforcing CI/CD pipeline integrity, and mitigating risks across software, firmware, and hardware supply chains
  • Authoritative knowledge of OS-level security, Linux kernel internals, hypervisor isolation boundaries, and runtime integrity tooling (eBPF, Falco)
  • Proven experience securing bare-metal infrastructure, including Baseboard Management Controller (BMC) hardening, TPMs, Secure Boot, and out-of-band management networks
  • Strong ability to read, review, and write code (Go, Python, Rust, or C/C++) to automate security guardrails and prototype secure systems
  • The rare ability to explain the nuances of hypervisor supply chain risks to an engineer, and the business value of CMEK to executive leadership and enterprise customers
  • Bachelor’s or Master’s degree in Computer Science, Computer Engineering, Cybersecurity, or a related field (or equivalent professional experience)

Nice-to-Haves

  • Direct experience securing massive-scale GPU clusters, LLM training pipelines, or highly sensitive AI datasets
  • Maintainer status or major contributions to CNCF security tools (e.g., SPIFFE/SPIRE, Falco, OPA) or the Linux Kernel
  • Experience partnering with IT security to mitigate endpoint, SaaS (Okta, Google Workspace), and insider risks that bridge the corporate and production boundaries

Benefits

  • Competitive compensation and equity packages
  • Restricted Stock Units
  • Paid time off, paid holidays & leave of absence programs
  • Comprehensive health, dental & vision insurance
  • Employer contributions to HSA account
  • Paid parental leave
  • Paid life insurance, short-term and long-term disability
  • Professional development & tuition reimbursement
  • Mental health & wellness support
  • Commuter benefits (parking & transit)
  • Cell phone stipend
  • 401(k) Retirement plan with company match up to 4% of salary
  • Volunteer time off
  • Global travel insurance & emergency assistance
  • Daily meals allowance

Skills

Spiffe/SpireMtlsZero TrustEbpfFalcoBmc HardeningLinux KernelGoPythonRustC/C++Ci/Cd SecurityGitLabTpmSecure Boot
Snowflake

Principal Software Engineer II - Product Security

SnowflakeMenlo Park, CA +1

Lead Product Security as senior technical authority, defining long-term security architecture and strategy for Snowflake's platform. Requires 15+ years experience in software engineering, security domains like AI/ML, cryptography, and languages including Java, Go, Python.

280k – 403k
Hybrid15+ YOESecurity Engineering
Databricks

Principal Engineer, Authentication

DatabricksMountain View, CA +1

Principal Engineer leads Authentication strategy at Databricks, crafting secure, scalable systems with 15+ years in distributed systems and data security expertise. Requires MS/PhD, leadership, and experience in identity management and access control.

280k – 385k
Remote15+ YOESecurity Engineering
Databricks

Principal Engineer - Privacy

DatabricksMountain View, CA

Leads privacy and security engineering to secure Databricks' data platform, identifies infrastructure gaps, and builds scalable systems. Requires 10+ years in data security, 15+ years in distributed systems, and MS/PhD.

278k – 339k
On-site10+ YOESecurity Engineering
OpenAI

Principal Security Engineer, Infrastructure Security

OpenAISan Francisco, CA +3

Leads architecture and implementation of planet-scale security services like authN/Z, proxies, and key management for OpenAI's GPU clusters, multi-cloud infra, and AI models. Requires expertise in secure distributed systems, cloud platforms, and cross-team leadership.

278k – 490k
RemoteSecurity Engineering
OpenAI

Principal Security Engineer, Infrastructure Security

OpenAISan Francisco, CA +3

Principal Security Engineer leads security for OpenAI's infrastructure including GPU clusters, multi-cloud, datacenters, and Kubernetes. Drives strategy, builds controls against advanced threats, and mentors teams with deep cloud and on-prem expertise.

278k – 490k
RemoteSecurity Engineering