Senior Engineer, Cloud Security

PayCargo, Miami, FL

About The Position

The Senior Engineer, Cloud Security is responsible for strengthening and operating PayCargo's security controls across a modernizing platform that spans legacy systems, a multi-account AWS environment, Microsoft Entra ID, GitHub/ZenHub workflows, GitHub Actions pipelines, and a growing set of secure AI platform requirements. This is a senior, hands-on individual contributor role on PayCargo's DevSecOps team, not an entry-level or SOC-analyst position: it is focused on implementing and operating security controls, not only monitoring them.

The Senior Engineer, Cloud Security continuously monitors the perimeter, hardens cloud and endpoint controls, runs access reviews, supports audits, and leads incident response, turning security obligations into repeatable operational controls rather than one-time checklist items. The role requires strong judgment and follow-through, and the ability to reduce reactive fire drills while raising overall control maturity.

The role partners closely with DevOps, Engineering, Architecture, Product, Compliance, Support, and executive stakeholders to keep PayCargo's global payments platform secure, available, and audit-ready. This position has no direct reports; it leads indirectly by setting and enforcing security standards, guiding engineers and DevOps toward secure patterns, and reducing single points of failure across the security function.

Requirements

  • 5+ years of hands-on security engineering, cloud security, or security operations experience preferred
  • Strong working knowledge of AWS security and identity services, plus an enterprise identity provider such as Microsoft Entra ID or Okta
  • Hands-on experience with endpoint and threat tooling such as CrowdStrike and Microsoft Defender
  • Practical experience with SOC and/or PCI DSS controls, audits, and evidence
  • Strong understanding of IAM, RBAC/ABAC, MFA, SSO, SAML2, OAuth2/OIDC, and JWT, including their common failure modes, and of least-privilege design
  • Hands-on experience with PKI and certificates, including a certificate authority such as AWS Private CA, TLS and mTLS, and certificate issuance, rotation, and revocation
  • Experience with incident response, logging and alerting, and root cause analysis
  • Ability to convert security and compliance requirements into repeatable operational controls
  • Strong communication and documentation skills, and the ability to influence without direct authority
  • Bachelor's degree in Computer Science, Information Technology, Cybersecurity, Engineering, or a related field, or equivalent practical experience
  • Demonstrated experience operating production security controls in cloud environments
  • Experience supporting SOC, PCI, or comparable audits and frameworks

Nice To Haves

  • Security certifications such as CISSP, CISM, CCSP, or equivalent
  • Experience coordinating penetration testing and managing remediation
  • Familiarity with secure AI/LLM patterns, data tokenization, and egress control
  • Experience securing CI/CD pipelines (GitHub Actions), GitHub/ZenHub, and Terraform-based infrastructure-as-code
  • Experience with zero-trust network access such as Tailscale or Zscaler, and SSO brokers such as CommonFate Granted
  • Experience in payments, fintech, SaaS, logistics, or other regulated, high-volume environments
  • Familiarity with ISO 27001 and SaaS security posture management

Responsibilities

  • Monitor the perimeter, cloud, and endpoint environments for threats, misconfigurations, and anomalous activity across AWS and Microsoft Entra ID
  • Operate and tune security tooling, including CrowdStrike, Microsoft Defender, and CloudWatch/SNS-based logging and alerting
  • Triage security alerts, drive incident response, and lead root cause analysis with clear, durable follow-up
  • Maintain and improve on-call and escalation workflows (e.g., PagerDuty) so security events are handled consistently
  • Run periodic access reviews and enforce least privilege across AWS IAM and IAM Identity Center, Microsoft Entra ID, and SaaS platforms
  • Strengthen RBAC/ABAC, MFA, and SSO, SAML2, and OAuth2/OIDC patterns across internal and customer-facing systems
  • Reduce standing access and broad repository or local admin privileges in favor of bounded, auditable access
  • Operate the federated access model, including SAML-based assumed access to AWS (via CommonFate Granted) and GitHub OIDC for pipelines, so people and CI receive least-privilege, time-bound access without static credentials
  • Operate the PKI, including AWS Private CA and ACM, certificate issuance and rotation, CRLs, and mTLS trust stores on load balancers
  • Administer Entra ID groups and the Tailscale ACLs that gate network access
  • Govern dependency and supply-chain risk using Dependabot and approved-package practices, and keep secrets in AWS Secrets Manager and SSM Parameter Store
  • Support SOC 1 Type 2, SOC 2, and PCI DSS obligations by owning the implementation of controls and the evidence behind them
  • Coordinate penetration testing, remediation tracking, and verification of fixes
  • Produce clean, repeatable audit evidence and reduce last-minute audit scrambles
  • Translate compliance requirements into operational controls engineers can follow without constant guidance
  • Help enforce containment for AI and model usage, including stateless model access, whitelisted egress, and approved destinations
  • Support tokenization and PII-protection patterns so sensitive data is not exposed to model providers
  • Review AI-assisted workflows and applications for security boundaries, logging, and blast-radius reduction
  • Partner with DevOps and Engineering to embed security into the Terraform and GitHub Actions pipelines, environments, and deployment paths
  • Work with Compliance on audits and frameworks (SOC, PCI, ISO 27001) and on auditor-facing reporting
  • Advise Product and Architecture on secure-by-design patterns and practical trade-offs
  • Implement and operate the security controls, boundaries, and egress rules defined in the platform architecture owned by the Director of Cloud & AI Platform Architecture
  • Provide clear status, escalate risks early, and document controls, runbooks, and decisions
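One concrete check behind the federated-access responsibility above (GitHub OIDC for pipelines, so CI gets least-privilege, time-bound access without static credentials) is reviewing the IAM role trust policy that GitHub Actions assumes. The script below is an added example for this page, not code from PayCargo or from this posting. It flags the usual mistakes: the `aud` claim not pinned to `sts.amazonaws.com`, no `sub` condition at all (any github.com repository can then assume the role), a `sub` that wildcards the organisation or repository name, and a `sub` that is not pinned to one ref or environment. The provider ARN suffix and claim names are the standard GitHub/AWS values; the account ID, organisation, repository names, allow list, and both sample policies are constructed for the example.

```python
"""Static check of an IAM role trust policy used for GitHub Actions OIDC federation.

Added example, not PayCargo's code. The account ID, org/repo names and the two
sample policies below are constructed; claim names and the provider ARN suffix
are the standard GitHub/AWS values.
"""
import re
from typing import Iterable

GITHUB_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_ISSUER}:aud"
SUB_KEY = f"{GITHUB_ISSUER}:sub"
# GitHub subject claims look like:
#   repo:ORG/NAME:ref:refs/heads/main    (push to a branch)
#   repo:ORG/NAME:environment:prod       (job bound to a deployment environment)
#   repo:ORG/NAME:pull_request           (PR-triggered run)
# The org and repo parts must be literal (no wildcard characters).
SUB_PATTERN = re.compile(r"^repo:([^/:*?]+)/([^/:*?]+):(.+)$")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_github_oidc_trust(policy: dict, allowed_repos: Iterable[str]) -> list[str]:
    """Return findings for every GitHub-federated Allow statement (empty == pass)."""
    allowed = set(allowed_repos)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if not any(p.endswith(f":oidc-provider/{GITHUB_ISSUER}") for p in federated):
            continue  # not a GitHub federation statement

        cond = stmt.get("Condition", {})
        # 1. Audience must be pinned; otherwise a token minted for another
        #    audience on the same issuer is accepted.
        aud = _as_list(cond.get("StringEquals", {}).get(AUD_KEY, []))
        if aud != ["sts.amazonaws.com"]:
            findings.append(f"aud not pinned to sts.amazonaws.com (got {aud})")

        # 2. Subject must name specific repos. Values under StringEquals and
        #    StringLike are both inspected; '*' is treated as a wildcard either way.
        subs = (_as_list(cond.get("StringEquals", {}).get(SUB_KEY, []))
                + _as_list(cond.get("StringLike", {}).get(SUB_KEY, [])))
        if not subs:
            findings.append("no sub condition: any GitHub repo can assume this role")
            continue
        for sub in subs:
            m = SUB_PATTERN.match(sub)
            if not m:
                findings.append(f"sub {sub!r} wildcards the org or repo name")
                continue
            repo = f"{m.group(1)}/{m.group(2)}"
            if repo not in allowed:
                findings.append(f"sub {sub!r} names repo {repo!r} not on the allow list")
            if "*" in m.group(3):
                findings.append(f"sub {sub!r} is not pinned to a single ref or environment")
    return findings


_PROVIDER = f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_ISSUER}"  # constructed

# Constructed weak policy: audience unchecked and every repo in the org allowed.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {SUB_KEY: "repo:example-org/*"}},
    }],
}

# Constructed hardened policy: audience pinned, one repo, one environment.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            AUD_KEY: "sts.amazonaws.com",
            SUB_KEY: "repo:example-org/payments-api:environment:prod",
        }},
    }],
}

if __name__ == "__main__":
    allow = ["example-org/payments-api"]
    for name, pol in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, check_github_oidc_trust(pol, allow) or "OK")
```

Run it against `aws iam get-role` output to review every federated role during the periodic access review; a role whose `sub` ends in `:*` is worth a second look even when its repository is on the allow list, since pull_request runs from forks are also covered by that pattern.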

Benefits

  • Competitive salary and bonus plan
  • Vacation, sick, and personal time off policies
  • A generous 401K match
  • Strong healthcare benefits
© 2026 Teal Labs, Inc