Instacart is transforming the grocery industry by providing essential services that customers rely on. They are seeking a Senior Security Engineer to secure cloud infrastructure and AI systems, enabling engineering teams to roll out new product features in a secure manner.
Responsibilities:
- Identify business-critical risks across Instacart's cloud accounts, identity stack, AI/agent platforms, and product services
- Define remediation strategies that scale: prefer guardrails and platform changes over one-off fixes
- Build secure-by-default primitives — policy-as-code, paved-road infra modules, identity and access frameworks — that make the safe path the easy path for product teams
- Operate the SaaS and internal security platforms that back those guardrails (CSPM, IAM governance, vulnerability management, AMI/image supply chain, secrets, audit) and extend them with internal tooling when off-the-shelf falls short
- Lead investigations, root-cause incidents and findings, and drive variant analysis across the codebase to make sure a class of bug is gone — not just one instance
- Coach and mentor engineers across security and other functions
Requirements:
- 5+ years in security engineering, with depth in at least two of: cloud security (AWS/GCP), identity & access engineering, vulnerability management at scale, or secure infrastructure platform engineering
- 3+ years of experience performing code reviews and design reviews
- Proficiency in Python or TypeScript sufficient to build and maintain internal services (APIs, scanners, dashboards) — not just glue scripts
- Working knowledge of cloud IAM (roles, trust policies, federation, SCPs/org policies) and the attack paths it enables when misconfigured
- Hands-on Infrastructure-as-Code experience (Terraform, CloudFormation, or equivalent)
- Experience driving a remediation program end-to-end: discovery → ownership routing → fix → measurement → prevention
- Understanding of SaaS architectures, common risks, and threat models
- Experience with Variant Analysis, Root Cause Analysis, or Secure Frameworks
- Track record of security research, competitive hacking, or OSS contributions
- Track record building internal security platforms that other engineers actually adopt — IAM attack-path analysis, vulnerability management, supply-chain/AMI pipelines, secrets management, GRC automation, or similar
- Policy-as-code authoring at organization scope (OPA/Rego, Terraform Sentinel/equivalent) with disciplined test coverage and rollout/grandfathering strategies
- Cloud Security Posture Management (CSPM) at scale — Wiz/Prisma/equivalent, including remediation programs spanning IaC findings and live threat findings (C2, credential abuse), plus running scan infrastructure across CI fleets
- Identity governance experience with a modern IGA stack (ConductorOne, Sailpoint, Veza, or equivalent) including just-in-time access, auto-approval policies, and SoD constraints
- Experience securing AI/LLM platforms — model gateways, agent frameworks, MCP servers, prompt injection mitigations — or strong appetite to build that practice from a cloud-security foundation