Senior Cybersecurity Engineer

Job Summary

We’re looking for a Senior Cybersecurity Engineer to design, build, and operate preventative and detective security controls and automation across our AWS‑first and enterprise environments. Reporting to the CISO, this role implements guardrails, platforms, and integrations and partners with infrastructure, platform, and application teams to embed security by default in our AWS cloud and enterprise environments. The role will perform hands-on engineering in multiple security domains including network security, endpoint security, email security, data security, vulnerability management, container security, and identity and access management.

Position Responsibilities

• Control Engineering & Operation
  • Design, implement, and maintain controls in AWS (IAM, KMS, VPC, GuardDuty, Security Hub, Detective, CloudTrail/CloudWatch), network, endpoint, email, data security, vulnerability, and identity domains.
  • Define SLOs for control availability, latency, coverage, and drift; implement telemetry to continuously measure those SLOs.
• Security Automation & “Policy as Code”
  • Partner with infrastructure, platform, and application teams to build IaC modules (Terraform/CloudFormation) and platform automations (e.g., Python/Lambda, Step Functions) to enforce guardrails (account vending, baseline hardening, logging enablement, key policies, SCPs) using Git.
  • Implement break‑glass patterns and least‑privilege workflows that are auditable and reversible.
• Detection Enablement
  • Engineer data pathways (e.g., CloudTrail, VPC Flow, ECS audit, identity logs) into SIEM/MDR tooling; ensure completeness, timeliness, and schema quality.
  • Translate Detection and Response Lead feedback on false positives/gaps into logging or control adjustments.
• Vulnerability & Exposure Engineering
  • Own scanners/integrations, asset coverage, tagging standards, and develop risk‑based remediation pipelines (ticketing, auto‑remediation for low‑risk classes).
  • Partner with owners to remove friction (pre‑approved windows, canaries, rollbacks).
• Identity & Secrets Hardening
  • Engineer least‑privilege patterns, permission boundaries, conditional access, and automated key/secret lifecycle (rotation, discovery, usage attestations).
  • Provide ready‑to‑consume roles/policies to teams.
• Documentation & Reuse
  • Maintain runbooks, design docs, and reusable modules; ensure changes are versioned, peer‑reviewed, and test‑
• On‑Call (Engineering)
  • Participate in control‑health and platform on‑call (e.g., logging ingestion failures, drift, outages).
  • Escalate security events to the Detection & Response Lead/MDR.

Minimum Qualifications

• 7+ years in security engineering with production AWS (multi‑account/Organizations) and automation‑first delivery.
• Domain experience in at least three of the following:
  • Network security (segmentation, routing, firewall, proxy, WAF)
  • Endpoint security (EDR/EPP, hardening, health attestation)
  • Email security (phishing protection, authentication, inbound/outbound controls)
  • Data secur