Senior Staff Cybersecurity Engineer, Platform Security

160k – 240k | San Diego, CA | Onsite | 7+ YOE

Summary

Senior technical owner building secure-by-default infrastructure, IaC modules, policy-as-code guardrails, and CI/CD security tooling for cloud and platform engineering teams.

About the role

What you'll do

  • Build the secure defaults: Infrastructure-as-Code modules, CI/CD pipeline templates, internal libraries, and golden-path scaffolding that make the secure choice the easy choice.
  • Engineer guardrails as code — policy-as-code (OPA/Conftest), admission controllers, cloud guardrails (SCPs / org policy), and pre-commit and CI checks — so the insecure path is blocked or flagged automatically.
  • Own the platform security tooling that other teams consume, so they don't have to build their own; replace recurring manual work with durable, self-service mechanisms.
  • Embed security into the software and infrastructure supply chain: pipeline security, build/artifact integrity, dependency and container scanning, and secrets management.
  • Engineer workload and service identity controls (least privilege, short-lived credentials, federated trust) so zero-standing-privilege is real and observable.
  • Write and maintain production-quality code and infrastructure that backs these controls.
  • Partner with platform, infrastructure, and product engineering teams early — review high-blast-radius designs against the internal Security Engineering standard while the design can still change, and turn recurring findings into a missing paved road, not just another fix.
  • Set technical direction and standards for secure-by-default; document them so they can be applied without us, and mentor and raise the bar for other engineers.

Required qualifications

  • Extensive experience in security engineering, platform/infrastructure engineering, DevSecOps, or a closely related field, with a track record of owning complex systems end-to-end.
  • Strong software engineering ability — you write, review, and ship production-quality code (any modern language) and treat infrastructure as software.
  • Hands-on experience building secure-by-default mechanisms: Infrastructure-as-Code, CI/CD pipeline security, and policy/guardrails as code.
  • Deep working knowledge of at least one major cloud provider and its security and identity model.
  • Demonstrated ability to design durable, automated solutions that reduce real risk without becoming a bottleneck — and to make explicit tradeoffs between security and the business.
  • Strong communication: you can explain a security concept to a product engineer in their language and to a leader in business terms, and you write recommendations people can act on.

Preferred qualifications

  • Strong DevSecOps background with hands-on Kubernetes (admission control, OPA/Gatekeeper, workload identity) and Terraform (reusable secure modules, policy-as-code).
  • Production coding experience in Go, Python, and/or Rust; comfortable with scripting/automation in Bash and PowerShell.
  • Depth in Azure security and identity (Entra ID, Azure Policy, Management Group guardrails).
  • Experience securing AI/ML systems, pipelines, or workloads.
  • Offensive security / red team experience, with the ability to think like an attacker and translate those findings into stronger defaults and guardrails.
  • Experience with supply-chain security (SLSA, sigstore/cosign, SBOMs), container/image hardening, and secrets management.
  • Experience operating security tooling as an internal product consumed self-service by other engineering teams.
  • Bachelor's degree or equivalent professional certification and experience.

Skills

Kubernetes, Terraform, OPA, Go, Python, Rust, Azure, Entra ID, AWS, GCP, CI/CD, Infrastructure as Code, Policy as Code, DevSecOps