Principal Infrastructure Security Engineer

Crusoe, San Francisco, CA
$280,000 - $330,000

About The Position

As the Principal Infrastructure Security Engineer, you will serve as the visionary lead for securing Crusoe’s next-generation AI cloud infrastructure. This is a role for an industry-recognized security expert who has operated at hyperscale and understands how to systematically dismantle infrastructure risk. You are stepping in at a critical evolutionary phase: leading the architectural shift to a true zero-trust, identity-first fabric. In this position, you will bridge the gap between hardware roots-of-trust and the cloud control plane. You will tackle complex challenges across the entire stack, from hardware-level supply chain vulnerabilities and BMC hardening to securing public build environments and implementing cryptographically attested workload identities. You aren't just securing a cloud; you are defining the security standard for the age of generative AI infrastructure while directly driving our enterprise security roadmap.

Requirements

  • 12+ years of experience in infrastructure security, security architecture, or production engineering, with significant tenure at a major cloud provider (e.g., AWS, GCP, Azure) or specialized high-performance computing environment.
  • Deep, hands-on architectural expertise with modern identity frameworks (SPIFFE/SPIRE, OIDC, OAuth 2.0) and a proven track record of successfully rolling out mTLS and ephemeral credentialing at scale.
  • Strong experience securing public/private build environments, enforcing CI/CD pipeline integrity, and mitigating risks across software, firmware, and hardware supply chains.
  • Authoritative knowledge of OS-level security, Linux kernel internals, hypervisor isolation boundaries, and runtime integrity tooling (eBPF, Falco).
  • Proven experience securing bare-metal infrastructure, including Baseboard Management Controller (BMC) hardening, TPMs, Secure Boot, and out-of-band management networks.
  • Strong ability to read, review, and write code (Go, Python, Rust, or C/C++) to automate security guardrails and prototype secure systems.
  • The rare ability to explain the nuances of hypervisor supply chain risks to an engineer, and the business value of CMEK to executive leadership and enterprise customers.
  • A Bachelor’s or Master’s degree in Computer Science, Computer Engineering, Cybersecurity, or a related field (or equivalent professional experience).

Nice To Haves

  • Direct experience securing massive-scale GPU clusters, LLM training pipelines, or highly sensitive AI datasets.
  • Maintainer status or major contributions to CNCF security tools (e.g., SPIFFE/SPIRE, Falco, OPA) or the Linux Kernel.
  • Experience partnering with IT security to mitigate endpoint, SaaS (Okta, Google Workspace), and insider risks that bridge the corporate and production boundaries.

Responsibilities

  • Lead the architectural transition to a zero-trust network by driving the adoption of Workload Identity (SPIFFE/SPIRE) and enforcing mutual TLS (mTLS) for encryption and authorization policy enforcement across all service-to-service communication.
  • Architect and deploy Just-in-Time (JIT) access models, ephemeral credentials issued through privileged access management (PAM), and granular machine identities to systematically eliminate static credentials and API keys across the infrastructure.
  • Architect and enforce security controls across the entire supply chain spectrum: from firmware and bare-metal (hardening BMC administration and establishing verifiable roots-of-trust) up through the hypervisor, VM layer, cloud control plane, and CI/CD build environments (GitLab).
  • Drive the technical delivery of highly requested enterprise trust features, including Customer-Managed Encryption Keys (CMEK) and an internal Secrets-as-a-Service platform (Vault-aaS).
  • Lead the deployment of host-level controls using eBPF and Falco-class tooling for kernel lockdown, expanded auditing, and immutable logging to detect and prevent threats in real time.
  • Guide the security architecture for SDN 2.0 (OVN sharding per tenant), secure VPC peering, and private connectivity (IPsec VPN, VPC Interface Endpoints) to ensure rigorous tenant isolation without an AI workload performance tax.
  • Act as a trusted advisor to leadership, synthesizing ambiguous systemic signals—from endpoint and SaaS risks to deep infrastructure vulnerabilities—into clear engineering action plans and RFCs.
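The first responsibility above (workload identity plus mTLS plus authorization policy) in working form, as an added example written for this page rather than code from Crusoe or the SPIFFE/SPIRE project: a Go server-side hook that pulls the SPIFFE ID out of the client certificate's URI SAN and checks it against an allow-list. The trust domain `example.internal`, the workload IDs and the `policy` map are assumptions; the self-signed certificates are constructed so the program runs offline, whereas in a real deployment SPIRE issues the SVIDs and the trust bundle goes in `ClientCAs`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// trustDomain is a hypothetical SPIFFE trust domain chosen for this example.
const trustDomain = "example.internal"

// policy maps a server workload's SPIFFE ID to the client SPIFFE IDs it accepts.
// IDs are made up for the example; real policy would come from a policy engine.
var policy = map[string][]string{
	"spiffe://example.internal/ns/ml/sa/training-api": {
		"spiffe://example.internal/ns/ml/sa/scheduler",
	},
}

// spiffeIDFromCert returns the single spiffe:// URI SAN of a certificate.
// An SVID carries exactly one; zero, several, or a foreign trust domain is rejected.
func spiffeIDFromCert(cert *x509.Certificate) (string, error) {
	id := ""
	for _, u := range cert.URIs {
		if u.Scheme != "spiffe" {
			continue
		}
		if id != "" {
			return "", errors.New("certificate carries more than one SPIFFE ID")
		}
		if u.Host != trustDomain {
			return "", fmt.Errorf("SPIFFE ID %s is outside trust domain %s", u, trustDomain)
		}
		id = u.String()
	}
	if id == "" {
		return "", errors.New("no SPIFFE ID in certificate")
	}
	return id, nil
}

// authorize is the policy decision taken after the TLS handshake has already
// proven that the peer holds the private key for the certificate it presented.
func authorize(serverID, clientID string) error {
	for _, allowed := range policy[serverID] {
		if allowed == clientID {
			return nil
		}
	}
	return fmt.Errorf("%s is not authorized to call %s", clientID, serverID)
}

// verifyPeer builds the hook a server installs as tls.Config.VerifyPeerCertificate.
// Chain validation against the trust bundle (ClientCAs) happens in the TLS stack;
// this hook adds the identity-based authorization decision on top of it.
func verifyPeer(serverID string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no client certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		clientID, err := spiffeIDFromCert(leaf)
		if err != nil {
			return err
		}
		return authorize(serverID, clientID)
	}
}

// makeSVIDLike builds a short-lived self-signed certificate carrying the given
// SPIFFE ID as its URI SAN. Constructed only so the example runs offline; in
// production SPIRE issues and rotates SVIDs.
func makeSVIDLike(spiffeID string) (*x509.Certificate, error) {
	u, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "workload"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // SVIDs are short-lived by design
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	serverID := "spiffe://example.internal/ns/ml/sa/training-api"
	cfg := &tls.Config{
		ClientAuth:            tls.RequireAndVerifyClientCert, // ClientCAs = SPIRE bundle (omitted here)
		VerifyPeerCertificate: verifyPeer(serverID),
	}
	for _, clientID := range []string{
		"spiffe://example.internal/ns/ml/sa/scheduler", // allowed
		"spiffe://example.internal/ns/ml/sa/billing",   // not in policy
		"spiffe://other.example/ns/ml/sa/scheduler",    // foreign trust domain
	} {
		cert, err := makeSVIDLike(clientID)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-48s -> %v\n", clientID, cfg.VerifyPeerCertificate([][]byte{cert.Raw}, nil))
	}
}
```

The split is the point: the TLS stack proves key possession and chain validity, and the hook decides who may talk to whom by workload identity rather than by IP address or network position. The go-spiffe library's `tlsconfig` package packages the same pattern (`tlsconfig.MTLSServerConfig` with a `tlsconfig.AuthorizeID` authorizer) against a live SPIRE agent, which is what a production rollout would use instead of hand-rolled parsing.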

Benefits

  • Competitive compensation and equity packages
  • Restricted Stock Units
  • Paid time off, paid holidays & leave of absence programs
  • Comprehensive health, dental & vision insurance
  • Employer contributions to HSA account
  • Paid parental leave
  • Paid life insurance, short-term and long-term disability
  • Professional development & tuition reimbursement
  • Mental health & wellness support
  • Commuter benefits (parking & transit)
  • Cell phone stipend
  • 401(k) Retirement plan with company match up to 4% of salary
  • Volunteer time off
  • Global travel insurance & emergency assistance
  • Daily meals allowance
  • Additional perks & programs specific to location
© 2026 Teal Labs, Inc