Prometheum
FinTech, Blockchain, Digital Assets, Financial Services

Senior Infrastructure Security Engineer

United States · Onsite · Full Time · Senior · $160,000–$185,000 /yr · Posted 1 month ago · Visa sponsorship available

### Who you are
- 7+ years of experience in information technology or cloud infrastructure
- 5+ years of experience in infrastructure, security engineering, or DevOps — with meaningful hands-on overlap across all three
- Strong AWS expertise across security-relevant services: IAM, VPC, GuardDuty, Security Hub, Config, CloudTrail, Secrets Manager, KMS, Network Firewall, and PrivateLink
- Production experience with Cloudflare Zero Trust — Access, Tunnel, Gateway, and WARP; familiarity with Cloudflare Workers or edge compute is a plus
- Solid AWS networking knowledge: VPC design and segmentation, Transit Gateway, PrivateLink, Route 53 Resolver, and Network Firewall in a multi-account environment
- Strong Infrastructure-as-Code skills using Terraform and Terragrunt
- Hands-on experience securing CI/CD pipelines: SAST, container scanning, secrets detection, and policy gates in GitHub Actions or similar
- Experience operating a security observability stack; Datadog is our current platform and familiarity with it is a plus
- Experience operating in a regulated financial services environment and the compliance obligations that come with it
- Experience with vulnerability management lifecycle: scanning, prioritization, tracking, and remediation
- Proficiency in at least one scripting or programming language: Python, Go, Bash, or TypeScript
- Strong written communication skills — able to produce documentation that satisfies both engineering and audit audiences
- Kubernetes/EKS experience at any depth — even working familiarity is valued
- Experience with blockchain infrastructure or digital asset platforms
- Any of the following certifications are valued but not required: AWS Certified Security – Specialty, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified Kubernetes Security Specialist (CKS)
- Experience with AI-assisted tooling in DevOps or security workflows
- Background contributing to or managing vendor security reviews and third-party risk assessments
- Experience working in a highly regulated financial services environment — broker-dealer, RIA, ATS, or custodian — with direct exposure to SEC or FINRA examinations
- Familiarity with Regulation S-P breach notification workflows, FINRA Rule 4530 incident reporting, or AML/BSA technical control implementation

### What the job involves
- This is a senior, hands-on role with intentionally broad scope
- Cloud infrastructure, security operations, and regulatory compliance are consolidated into a single function rather than distributed across a large team — which means real ownership, direct access to leadership, and the ability to shape how security is built and operated at Prometheum
- Prometheum is actively maturing its security function, and this role will be instrumental in shaping where it goes — you'll be building on an existing foundation and defining what comes next.
- The right candidate has worked in a lean, regulated environment before and is energized by breadth rather than frustrated by it.
- Design and maintain secure AWS cloud infrastructure using Terraform and Terragrunt, with a focus on IAM least-privilege, account isolation, and security guardrails across multiple AWS environments
- Manage AWS network security: VPC segmentation and design, Transit Gateway architecture, PrivateLink for service isolation, Network Firewall, and Route 53 Resolver for DNS security
- Manage and maintain Cloudflare infrastructure including DNS, WAF, and edge compute
- Architect and operate Cloudflare Zero Trust — including Access policies, Tunnel configuration for private network routing, Gateway egress filtering and DNS security policies, and WARP client deployment
- Manage and tune AWS-native security tooling: GuardDuty, Security Hub, Config, Inspector, CloudTrail, and WAF
- Integrate security controls into CI/CD pipelines (GitHub Actions) — including SAST, DAST, container image scanning, dependency vulnerability checks, and secrets detection
- Enhance container and workload security through image signing, admission controllers (Kyverno), runtime policies, and base image hygiene
- Manage dependency and patch lifecycle across Docker images, Helm charts, Terraform modules, and application packages
- Own and operate security monitoring and incident response: maintain SIEM/log aggregation pipelines, tune alerting for anomalous behavior and policy violations, lead root cause analysis, and document post-mortems
- Conduct and coordinate vulnerability assessments; track findings through to remediation
- Automate compliance checks and drift detection using infrastructure scanning and policy-as-code tooling
- Participate in on-call rotation to respond to security and infrastructure incidents
- Support SEC and FINRA compliance obligations by implementing and documenting technical controls, and partner with legal and compliance teams during audits and regulatory reviews
- Document infrastructure patterns, access controls, and security architecture for audit readiness

### Benefits
- Health, dental, vision, disability, and life insurance
- 401k plan
- Competitive vacation time
- Time off for observed federal holidays
- Paid sick days
- Stock options
