Senior Infrastructure Security Engineer

Role Overview

• This is a senior, hands-on role with intentionally broad scope.
• Cloud infrastructure, security operations, and regulatory compliance are consolidated into a single function rather than distributed across a large team.
• Design and maintain secure AWS cloud infrastructure using Terraform and Terragrunt, with a focus on IAM least-privilege, account isolation, and security guardrails across multiple AWS environments.
• Manage AWS network security: VPC segmentation and design, Transit Gateway architecture, PrivateLink for service isolation, Network Firewall, and Route 53 Resolver for DNS security.
• Manage and maintain Cloudflare infrastructure including DNS, WAF, and edge compute.
• Architect and operate Cloudflare Zero Trust — including Access policies, Tunnel configuration for private network routing, Gateway egress filtering and DNS security policies, and WARP client deployment.
• Manage and tune AWS-native security tooling: GuardDuty, Security Hub, Config, Inspector, CloudTrail, and WAF.
• Integrate security controls into CI/CD pipelines (GitHub Actions) — including SAST, DAST, container image scanning, dependency vulnerability checks, and secrets detection.
• Enhance container and workload security through image signing, admission controllers (Kyverno), runtime policies, and base image hygiene.
• Manage dependency and patch lifecycle across Docker images, Helm charts, Terraform modules, and application packages.
• Own and operate security monitoring and incident response: maintain SIEM/log aggregation pipelines, tune alerting for anomalous behavior and policy violations, lead root cause analysis, and document post-mortems.
• Conduct and coordinate vulnerability assessments; track findings through to remediation.
• Automate compliance checks and drift detection using infrastructure scanning and policy-as-code tooling.
• Participate in on-call rotation to respond to security and infrastructure incidents.
• Support SEC and FINRA compliance obligations by implementing and documenting technical controls, and partner with legal and compliance teams during audits and regulatory reviews.
• Document infrastructure patterns, access controls, and security architecture for audit readiness.

Requirements

• 7+ years of experience in information technology or cloud infrastructure
• 5+ years of experience in infrastructure, security engineering, or DevOps — with meaningful hands-on overlap across all three
• Strong AWS expertise across security-relevant services: IAM, VPC, GuardDuty, Security Hub, Config, CloudTrail, Secrets Manager, KMS, Network Firewall, and PrivateLink
• Production experience with Cloudflare Zero Trust — Access, Tunnel, Gateway, and WARP; familiarity with Cloudflare Workers or edge compute is a plus
• Solid AWS networking knowledge: VPC design and segmentation, Transit Gateway, PrivateLink, Route 53 Resolver, and Network Firewall in a multi-account environment
• Strong Infrastructure-as-Code skills using Terraform and Terragrunt
• Hands-on experience securing CI/CD pipelines: SAST, container scanning, secrets detection, and policy gates in GitHub Actions or similar
• Experience operating a security observability stack; Datadog is our current platform and familiarity with it is a plus
• Experience operating in a regulated financial services environment and the compliance obligations that come with it
• Experience with vulnerability management lifecycle: scanning, prioritization, tracking, and remediation
• Proficiency in at least one scripting or programming language: Python, Go, Bash, or TypeScript
• Strong written communication skills — able to produce documentation that satisfies both engineering and audit audiences.

Tech Stack

• AWS
• Cloud
• DNS
• Docker
• Python
• Terraform
• TypeScript
• Go

Benefits

• Competitive salary based on experience
• Excellent benefits including: Health, Vision & Dental Insurance
• Fully remote position with equipment provided