About The Position

The Emerging Technologies team within IS&T specializes in building forward-looking, extremely scalable systems and solutions in two areas: Information Security and general-purpose, reusable platforms in the space of Integration and Orchestration. The team has a passion for solving challenging problems, exploring new domains, and engineering transformational solutions. We operate with a startup mindset — lean teams, high ownership, and technical leaders who flex across domains to build and scale new capabilities.

The Emerging Technologies team is seeking an industry-recognized Architect to serve as the domain expert for Apple's perimeter and network security platform. You will be the technical authority across the full traffic path — edge proxies, origin/application load balancers, service mesh, and API & AI security gateways — architecting the defenses that protect Apple's services at scale. We are looking for someone who brings deep, proven expertise in perimeter security, threat mitigation, and proxy technologies — a technical leader whose experience and reputation precede them.

In this role, you will own the architecture and technical direction of the systems that deliver Apple's security capabilities — WAF protection against OWASP threats, DDoS mitigation, Bot Prevention, TLS termination/origination, real-time threat intelligence, and security policy enforcement across protocols (TCP, UDP, HTTP/HTTPS). These capabilities are powered by L4/L7 proxy runtimes and a Java-based orchestration platform that manages configuration, policy distribution, and lifecycle management at fleet scale. You will define the long-term security architecture vision, drive technically complex initiatives end-to-end, and shape how these systems evolve across on-premises data centers and public cloud environments (GCP, AWS), ensuring Apple's defenses remain resilient, adaptive, and secure as threats and scale grow.

This is a deeply technical, hands-on role for a recognized industry expert. You are expected to write code, prototype solutions, lead design efforts, and raise the technical bar for the entire team — not through management authority, but through expertise, influence, and the quality of your work. This role is also deeply cross-functional — you will partner with Apple's security and cloud infrastructure teams to drive a unified security vision, and work directly with application teams across the company to understand their traffic patterns and solve their integrated security needs.

Requirements

  • Bachelor's degree in Computer Science, Computer Engineering, or equivalent.
  • 15+ years of hands-on software engineering experience with significant time spent in security architecture or senior technical leadership roles.
  • Expert-level understanding of perimeter and network security: WAF design and rule authoring, DDoS mitigation strategies, bot detection techniques, TLS/mTLS, TCP/IP, HTTP/HTTPS, QUIC, and DNS security.
  • Deep experience with proxy technologies (NGINX, Envoy, HAProxy) across edge, origin, service mesh, and API & AI security gateway tiers — including protocol-level internals, security module/filter architectures, and load balancing strategies.
  • Solid understanding of IP networking fundamentals including BGP and NAT.
  • Experience designing and building orchestration/control plane systems for security policy distribution and configuration management across distributed infrastructure at scale.
  • Proven ability to architect systems that span on-premises and public cloud (GCP, AWS) with high availability, fault tolerance, and security as first-class concerns.
  • Strong proficiency in Java/J2EE for building backend platforms.
  • Ability to write production-quality code and lead by example.
  • Demonstrated track record of driving security architecture strategy and making high-impact design decisions across multiple teams or products.
  • Experience working cross-functionally with security, cloud infrastructure, and application teams to deliver integrated traffic and security solutions.
  • Excellent written and verbal communication skills — ability to produce clear architecture documents and present complex security concepts to diverse audiences, from engineers to executives.

Nice To Haves

  • Experience with proxy engine internals — C, C++, Lua, or WASM-based customization of NGINX, Envoy, or similar engines for implementing security controls in the runtime data path.
  • Deep knowledge of authentication/authorization frameworks (OAuth, mTLS, certificate management) and secure software development lifecycle practices.
  • Experience with service mesh architectures (Istio, Envoy-based), API & AI security gateway patterns, containerization (Kubernetes, Docker), and infrastructure-as-code (Terraform, Ansible).
  • Expertise in distributed systems design patterns — consensus protocols, eventual consistency, data replication, and partition tolerance trade-offs.
  • Experience designing real-time data pipelines and event-driven architectures for threat intelligence or security telemetry at scale.
  • Knowledge of observability at the platform level — designing systems for meaningful security logging, metrics, distributed tracing, and alerting.
  • Familiarity with OWASP threat models, CVE analysis, threat landscape trends, and security incident response from an engineering perspective.
  • Comfortable working across Java, Python, Go, and scripting languages as the problem demands.
  • Recognized industry expertise in perimeter/network security — demonstrated through contributions to open-source security projects, conference talks, or a track record at companies operating security infrastructure at internet scale.
  • Named inventor or co-inventor on granted patents or patent applications in networking, security, or distributed systems.
  • Contributor or author of IETF RFCs, Internet-Drafts, or equivalent standards documentation, influencing industry protocols and best practices.
  • Published technical papers, whitepapers, or research articles in reputable conferences, journals, or industry forums.
  • M.S. or Ph.D. in Computer Science, Electrical Engineering, or equivalent experience.

Responsibilities

  • Serve as the domain expert for Apple's perimeter and network security platform.
  • Act as the technical authority across the full traffic path: edge proxies, origin/application load balancers, service mesh, and API & AI security gateways.
  • Architect defenses that protect Apple's services at scale.
  • Own the architecture and technical direction of systems delivering security capabilities: WAF protection, DDoS mitigation, Bot Prevention, TLS termination/origination, real-time threat intelligence, and security policy enforcement.
  • Define the long-term security architecture vision.
  • Drive technically complex initiatives end-to-end.
  • Shape the evolution of security systems across on-premises data centers and public cloud environments (GCP, AWS).
  • Write code, prototype solutions, and lead design efforts.
  • Partner with Apple's security and cloud infrastructure teams to drive a unified security vision.
  • Work directly with application teams to understand traffic patterns and solve integrated security needs.