Senior Staff Cybersecurity Engineer, Platform Security (R5219)

Founded in 2015, Shield AI is a venture-backed defense-tech company with the mission of protecting service members and civilians with intelligent systems. Its products include Hivemind autonomy software and V-BAT and X-BAT aircraft. With offices and facilities across the U.S., Europe, the Middle East, and Asia-Pacific, Shield AI’s technology actively supports operations worldwide. For more information, visit www.shield.ai. Follow Shield AI on LinkedIn, X, Instagram, and YouTube. 

You'll be the senior technical owner for paved roads and secure-by-default engineering on the Security Engineering team. Your job is not to review and say no — it is to engineer the secure defaults, golden paths, and guardrails-as-code that make the secure way to build the easy way to build, across cloud, infrastructure, and CI/CD.

You will design, build, and operate the IaC modules, pipeline templates, internal libraries, and policy-as-code controls that the rest of the company consumes. You will engineer guardrails that block or flag the insecure path automatically, and replace recurring manual security work with durable mechanisms that don't depend on anyone remembering to do the right thing. As one of the most senior engineers on the team, you'll help shape and drive the technical direction for how secure-by-default works at Shield AI — partnering closely with a hands-on engineering lead — and raise the bar for everyone building on top of it.

This is a hands-on, build-heavy role. We are credible because we are technical — you'll read the code, the configs, the telemetry, and the architecture, and ship solutions durable enough to run without you.

Build the secure defaults: Infrastructure-as-Code modules, CI/CD pipeline templates, internal libraries, and golden-path scaffolding that make the secure choice the easy choice.

Engineer guardrails as code — policy-as-code (OPA/Conftest), admission controllers, cloud guardrails (SCPs / org policy), and pre-commit and CI checks — so the insecure path is blocked or flagged automatically.

Own the platform security tooling that other teams consume, so they don't have to build their own; replace recurring manual work with durable, self-service mechanisms.

Embed security into the software and infrastructure supply chain: pipeline security, build/artifact integrity, dependency and container scanning, and secrets management.

Engineer workload and service identity controls (least privilege, short-lived credentials, federated trust) so zero-standing-privilege is real and observable.

Write and maintain production-quality code and infrastructure that backs these controls.

Partner with platform, infrastructure, and product engineering teams early — review high-blast-radius designs against the internal Security Engineering standard while the design can still change, and turn recurring findings into a missing paved road, not just another fix.

Set technical direction and standards for secure-by-default; document them so they can be applied without us, and mentor and raise the bar for other engineers.

Extensive experience in security engineering, platform/infrastructure engineering, DevSecOps, or a closely related field, with a track record of owning complex systems end-to-end.

Strong software engineering ability — you write, review, and ship production-quality code (any modern language) and treat infrastructure as software.

Hands-on experience building secure-by-default mechanisms: Infrastructure-as-Code, CI/CD pipeline security, and policy/guardrails as code.

Deep working knowledge of at least one major cloud provider and its security and identity model.

Demonstrated ability to design durable, automated solutions that reduce real risk without becoming a bottleneck — and to make explicit tradeoffs between security and the business.

Strong communication: you can explain a security concept to a product engineer in their language and to a leader in business terms, and you write recommendations people can act on.

Strong DevSecOps background with hands-on Kubernetes (admission control, OPA/Gatekeeper, workload identity) and Terraform (reusable secure modules, policy-as-code).

Production coding experience in Go, Python, and/or Rust; comfortable with scripting/automation in Bash and PowerShell.

Depth in Azure security and identity (Entra ID, Azure Policy, Management Group guardrails).

Experience securing AI/ML systems, pipelines, or workloads.

Offensive security / red team experience, with the ability to think like an attacker and translate those findings into stronger defaults and guardrails.

Experience with supply-chain security (SLSA, sigstore/cosign, SBOMs), container/image hardening, and secrets management.

Experience operating security tooling as an internal product consumed self-service by other engineering teams.

Bachelor's degree or equivalent professional certification and experience.

#LI-HM1

#LE

Full-time regular employee offer package:

Pay within range listed + Bonus + Benefits + Equity

 

Temporary employee offer package:

Pay within range listed above + temporary benefits package (applicable after 60 days of employment)

 

Salary compensation is influenced by a wide array of factors including but not limited to skill set, level of experience, licenses and certifications, and specific work location. All offers are contingent on a cleared background and possible reference check. Military fellows and part-time employees are not eligible for benefits. Please speak to your talent acquisition representative for more information.

 

###