SAP NS2 Sr. Security Engineer

SAP, Herndon, VA
$131,000 - $271,600, Hybrid

About The Position

We are seeking a Senior Security Engineer to join our Platform Security Engineering team. This role focuses on the engineering, automation, and operational excellence of the security tooling stack that protects our infrastructure. The right candidate is a builder: someone who has come up through DevOps, infrastructure, or platform engineering and brings that operational discipline to the security domain. This is not a policy or governance role, and it is not a traditional ISSE position. You will spend your days writing code, building pipelines, automating deployments, remediating vulnerabilities on infrastructure we own, and tuning the platforms that keep our environment secure. You will partner closely with platform, DevOps, and host-owning teams, but the engineering work is yours to lead.

Requirements

  • 5+ years of experience in security engineering, DevSecOps, or a closely related infrastructure engineering role.
  • Hands-on operational experience with at least two of the following platforms: Tenable Nessus, CrowdStrike Falcon, Trend Micro Deep Security, etc.
  • Demonstrated experience with vulnerability management and remediation such as scan operations, prioritization, patching workflows, and SLA enforcement.
  • Strong scripting skills in Python and Bash, with the ability to write production-quality automation that other engineers can read, extend, and operate.
  • Practical experience with Linux system administration and Windows server fundamentals, including patching, package management, and agent troubleshooting.
  • Working knowledge of compliance frameworks: CMMC, NIST 800-53 Rev. 5, ISO 27001, and SOC 2, with the ability to translate control requirements into technical configuration.
  • Experience operating within at least one major cloud (AWS preferred; Azure or GCP also acceptable), including patching and lifecycle management of cloud-hosted infrastructure.
  • Comfort working in a Git-based workflow with code review, branching strategies, and pull-request driven change management.
  • Must be a U.S. citizen; this position requires access to customer data.
  • All internals must have manager’s approval to transfer.

Nice To Haves

  • Production experience with Terraform, including modules, state management, Terragrunt, or equivalent patterns for managing security infrastructure across environments.
  • Experience designing and operating GitLab CI/CD, GitHub Actions, or Jenkins pipelines, including pipeline-driven validation, signed artifact promotion, and integration with security platforms.
  • Familiarity with Kubernetes (EKS, GKE, or AKS), including container security fundamentals, manifest management, and operating security tooling against containerized workloads.
  • Experience with SSM documents, associations, and Run Command for orchestrating tasks across managed instance fleets.
  • Experience with Docker, custom images, and image hardening pipelines.
  • Experience operating in FedRAMP or other compliance-driven environments.
  • Experience with FedRAMP boundary tooling, GovCloud, or equivalent regulated environments.
  • Familiarity with additional security tooling such as WebInspect, Trellix, or Centrify.
  • Background in SRE, DevOps, or platform engineering with a pivot into security.
  • Bachelor’s degree in Computer Science, Cybersecurity, or a related technical field. Equivalent experience accepted.
  • Relevant certifications: AWS Security Specialty, CrowdStrike Certified Falcon Administrator, Tenable Certified Operator, Terraform Associate, CKA/CKS, or similar.

Responsibilities

  • Operate, tune, and integrate the organization’s security tooling stack, including but not limited to Tenable Nessus, CrowdStrike Falcon, Trend Micro Deep Security, and ThreatConnect, ensuring each platform is healthy, current, and delivering value.
  • Validate that endpoint agents and sensors are deployed, communicating, and properly configured across applicable infrastructure. Build coverage reporting and identify gaps without taking on installation responsibility for hosts owned by other teams.
  • Own the patching, upgrade, and lifecycle management of the security tools and platforms we operate. Maintain version currency, plan upgrade windows, and ensure scanners, managers, and consoles stay within supported release windows.
  • Build custom integrations between security platforms and the broader engineering ecosystem to include ticketing, reporting, alert routing, CI/CD gating, and SOAR-style workflows.
  • Drive vulnerability remediation across hosts and infrastructure that the team owns or operates. Prioritize using risk context (exploitability, exposure, asset sensitivity), implement fixes, and track findings through to closure.
  • Operate and tune vulnerability scanners (Tenable Nessus and equivalent) so that scan coverage is accurate, credentialed scans succeed, and other teams have reliable vulnerability data for the hosts they own.
  • Produce vulnerability reporting that surfaces trends, exception requests, and SLA performance. Partner with host-owning teams when findings live outside our managed scope.
  • Where possible, shift remediation left, to include hardened base images, IaC scanning, golden AMIs, and image bake pipelines that prevent vulnerabilities from reaching production rather than chasing them after the fact.
  • Design and maintain Terraform modules that provision, configure, and update security tooling infrastructure across cloud environments. Apply the same code-review, testing, and promotion discipline used for any other engineering deliverable.
  • Automate agent and sensor deployment through bash scripting, AWS Systems Manager (SSM) runbooks, and CI/CD pipelines. Build artifacts and runbooks that host-owning teams can self-serve against the systems they own.
  • Move agent installer artifacts, runbook content, and scanner configuration into version-controlled pipelines that run automated validation, signature verification, and post-deploy health checks before promoting changes.
  • Write production-quality automation in Python and Bash. Build internal tools and utilities that make the team faster and the work more repeatable.
  • Configure and operate security tooling to support compliance against CMMC, NIST 800-53 Rev. 5, ISO 27001, and SOC 2. Produce evidence on demand and ensure scanners, agents, and configurations align with the controls our auditors care about.
  • Build automated evidence collection where the platforms support it, such as control mapping, posture reporting, and exception tracking so audit cycles do not become manual fire drills.
  • Operate the technical controls that satisfy continuous monitoring requirements: vulnerability scan cadence, agent health reporting, configuration drift detection, and asset inventory accuracy.

Benefits

  • Constant learning, skill growth, great benefits, and a team that wants you to grow and succeed.
  • SAP North America Benefits