first Principal Security Engineer

• Secure the Hybrid Infrastructure (AWS & Colo): You will be the single owner for security across our cloud environments and our physical colocation data centers. This includes configuring firewalls, managing physical network security, and hardening our Linux GPU clusters.
• Corporate & Endpoint Security: You will own the security of our internal tools and devices. You will manage our fleet (primarily macOS) using Jamf and oversee identity management via Active Directory.
• You ensure our creative workflows are secure without being obstructive.
• Hands-On Penetration Testing: We don't just rely on external audits. You will regularly conduct hands-on penetration tests against our internal networks, office infrastructure, and AI applications to find vulnerabilities before anyone else does.
• Secure the AI Supply Chain: Our models are our most valuable IP. You will design systems to protect our model weights during training, storage, and delivery, ensuring they are tamper-proof and secure from theft or reverse engineering.

• You are a hands-on generalist. You are just as comfortable configuring an IAM policy in AWS as you are setting up a switch in a colocation rack or writing a script for Jamf.
• You have a craftsmanship mentality. You take personal pride in building systems that are robust, elegant, and secure by default. You don't just patch holes; you eliminate entire classes of vulnerabilities.
• You are an infrastructure native. You are fluent in Linux internals, networking, and container orchestration. You understand the unique security challenges of cloud, distributed, and HPC environments.
• You value truth over comfort. You are willing to have hard conversations about risk and prioritize fixing root causes over applying band-aids.
• You think like an attacker. You don't wait for a report to tell you something is wrong. You actively probe our defenses (office, colo, and cloud) to prove they work., * 7+ years of experience in security engineering, with a mix of infrastructure, corporate IT, and offensive security.
• Deep hands-on experience with cloud security and compliance (AWS, IAM, VPC, SOC II, Vanta).
• Proven experience with Endpoint Management & Identity: Expert-level knowledge of Jamf for macOS management and Active Directory (or modern equivalents) for identity governance.
• Physical & Network Security: Experience securing physical office networks and colocation facilities (firewalls, VPNs, switching).
• Offensive Security: Demonstrated ability to perform manual penetration testing (network and web app).Proficiency in scripting (Python/Bash) to automate security tasks.
• Bonus: Experience securing on-device software or desktop applications (Windows/macOS)., Do you meet most but not 100% of the above? We'd still like to hear from you-we are passionate about developing a diverse team and culture, so please apply if you're interested!

This is a unique role for someone interested in making a deep impact at a high-growth tech software company. We offer strong base salary, plus significant ownership that scales with the company's growth. We also offer 100% covered medical/dental/vision for employees, 15 days annual PTO, 5 personal days plus holidays, and 401k matching.

We use AI to do things that were previously impossible. Topaz Labs builds professional-grade software that uses deep learning to enhance image and video quality. Over 1 million photographers and designers trust us with their work, including teams at Apple, Netflix, NASA, and Disney. We've processed over 1 billion images, achieved massive revenue growth, and we're only getting started.We are a small, profitable, and product-led team that values craftsmanship and impact over activity. We don't just ship features; we solve hard problems to help creatives do their best work.