Principal Infrastructure Security Engineer

What You’ll Be Working On

Platform Security Services

• Lead the architectural transition to a zero-trust network by driving the adoption of Workload Identity (SPIRE/SPIFFE) and enforcing mutual TLS (mTLS) with encryption, authorization policy enforcement across all service-to-service communications.

Eradicating Static Credentials

• Architect and deploy Just-in-Time (JIT) access models, ephemeral credentials (PAM), and granular machine identities to systematically eliminate static credentials and API keys across the infrastructure.

Full-Stack Supply Chain Security

• Architect and enforce security controls across the entire supply chain spectrum: from firmware and bare-metal (hardening BMC administration and establishing verifiable roots-of-trust) up through the hypervisor, VM layer, cloud control plane, and CI/CD build environments (GitLab).

Enterprise Data Security & Secrets Management

• Drive the technical delivery of highly requested enterprise trust features, including Customer-Managed Encryption Keys (CMEK) and an internal Secrets-as-a-Service platform (Vault-aaS).

Runtime Integrity & Advanced Threat Defense

• Lead the deployment of host-level controls using eBPF and Falco-class tooling for kernel lockdown, audit expansion, and immutable logging to detect and prevent threats in real-time.

Network & Hardware Isolation

• Guide the security architecture for SDN 2.0 (OVN sharding per tenant), secure VPC peering, and private connectivity (IPsec VPN, VPC Interface Endpoints) to ensure rigorous tenant isolation without an AI workload performance tax.

Executive Advisory & Prioritization

• Act as a trusted advisor to leadership, synthesizing ambiguous systemic signals—from endpoint and SaaS risks to deep infrastructure vulnerabilities—into clear engineering action plans and RFCs.

What You’ll Bring to the Team

Requirements

• 12+ years of experience in infrastructure security, security architecture, or production engineering, with significant tenure at a major cloud provider (e.g., AWS, GCP, Azure) or specialized high-performance computing environment
• Deep, hands-on architectural expertise with modern identity frameworks (SPIFFE/SPIRE, OIDC, OAuth 2.0) and a proven track record of successfully rolling out mTLS and ephemeral credentialing at scale
• Strong experience securing public/private build environments, enforcing CI/CD pipeline integrity, and mitigating risks across software, firmware, and hardware supply chains
• Authoritative knowledge of OS-level security, Linux kernel internals, hypervisor isolation boundaries, and runtime integrity tooling (eBPF, Falco)
• Proven experience securing bare-metal infrastructure, including Baseboard Management Controller (BMC) hardening, TPMs, Secure Boot, and out-of-band management networks
• Strong ability to read, review, and write code (Go, Python, Rust, or C/C++) to automate security guardrails and prototype secure systems
• The rare ability to explain the nuances of hypervisor supply chain risks to an engineer, and the business value of CMEK to executive leadership and enterprise customers
• Bachelor’s or Master’s degree in Computer Science, Computer Engineering, Cybersecurity, or a related field (or equivalent professional experience)

Nice-to-Haves

• Direct experience securing massive-scale GPU clusters, LLM training pipelines, or highly sensitive AI datasets
• Maintainer status or major contributions to CNCF security tools (e.g., SPIFFE/SPIRE, Falco, OPA) or the Linux Kernel
• Experience partnering with IT security to mitigate endpoint, SaaS (Okta, Google Workspace), and insider risks that bridge the corporate and production boundaries

Benefits

• Competitive compensation and equity packages
• Restricted Stock Units
• Paid time off, paid holidays & leave of absence programs
• Comprehensive health, dental & vision insurance
• Employer contributions to HSA account
• Paid parental leave
• Paid life insurance, short-term and long-term disability
• Professional development & tuition reimbursement
• Mental health & wellness support
• Commuter benefits (parking & transit)
• Cell phone stipend
• 401(k) Retirement plan with company match up to 4% of salary
• Volunteer time off
• Global travel insurance & emergency assistance
• Daily meals allowance