Security and Infrastructure Architect

Tokenworks, Inc.
Bronxville, United States of America
3 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior
Compensation
$ 130K

Job location

Remote
Bronxville, United States of America

Tech stack

Admin Tools
Artificial Intelligence
Audit Trail
Azure
Bash
BitLocker Drive Encryption
Software as a Service
Cloud Computing
Computer Security
Computer Programming
Github
Intrusion Detection Systems
Python
Key Management
Network Security
Microsoft Security Essentials
Powershell
Role-Based Access Control
Remote Access Technology
Zero Trust Network Access
Virtual Local Area Networks
Software Vulnerability Management
Zoho Office Suite
Data Logging
Microsoft InTune
Cloudflare
Gsuite
SentinelOne Expertise
Key Vault

Job description

We're hiring a Senior Microsoft security expert to design, build, and run our security and identity infrastructure end to end. This is a hands-on architect role for someone who has done exactly this for other companies and can bring proven patterns rather than learn on ours. You'll own everything from Entra and Intune to the office firewall, integrate it all into Vanta for SOC 2, and work shoulder-to-shoulder with our engineers to bake security into the product. We also want our security systems designed to take advantage of AI: while solid security fundamentals come first, we value someone who can creatively apply AI to automate tasks and improve our ability to detect and respond to threats and vulnerabilities.

What you'll do

  • Architect Microsoft Entra ID: Conditional Access, MFA, PIM with just-in-time elevation, break-glass accounts, and an admin model with no standing Global Admins on day-to-day accounts.
  • Own Microsoft Intune: secure all laptops and mobile devices - compliance, configuration, BitLocker, app protection - and build unified onboarding/offboarding.
  • Secure Microsoft Azure: RBAC, Defender for Cloud, Key Vault, Azure Policy, and dev/staging/prod separation.
  • Design the office network: firewall hardening, VLAN segmentation, secure remote access with MFA, IDS/IPS, and centralized logging.
  • Secure Google Workspace with Entra: federate identity and enforce consistent MFA and posture across both ecosystems.
  • Run security operations: operate EDR/MDR and identity-threat tooling (Huntress), manage the SpearTip IR retainer, run incidents and tabletops.
  • Drive vulnerability management: track and remediate findings from Defender for Cloud and Aikido with the engineering team.
  • Apply AI to security: creatively use AI to automate routine security tasks and sharpen threat and vulnerability detection and response across the stack.
  • Partner with engineering: secure SDLC, deployment-approval gates, and secrets management so security is designed in.
  • Secure our SaaS apps: Zoho One, Linear, Claude, GitHub and more - SSO, least privilege, MFA, clean offboarding.
  • Own SOC 2 / Vanta: integrate access and audit logs from every system into Vanta, keep connectors green, and partner with our external SOC 2 advisor through the audit.

Requirements

  • A proven history of designing, implementing, and operating Microsoft-centric security stacks for other companies.
  • Deep Entra ID expertise - Conditional Access, PIM/JIT, break-glass, admin tiering, eliminating standing Global Admin rights.
  • Expert-level Intune for endpoint and mobile management.
  • Strong Azure security: RBAC, Defender for Cloud, Key Vault, Azure Policy, network security.
  • Hands-on EDR/MDR and incident response - Huntress, SpearTip, SentinelOne, CrowdStrike, or Defender.
  • Vulnerability management with Defender for Cloud and a scanner like Aikido or Snyk.
  • Google Workspace administration and federating it with Entra.
  • Network/firewall hardening and segmentation.
  • SOC 2 evidence experience; Vanta (or Drata/Secureframe) hands-on strongly preferred.
  • Solid scripting (PowerShell/Graph, Python, or Bash) and excellent documentation.

Programming skills - including the ability to use AI to generate code - are preferred.

Nice to have

  • Experience as the architect or first security hire who built a program from scratch.
  • Multi-IdP (Entra + Google Workspace) production experience.
  • Certifications: AZ-500, SC-200, SC-300, MS-102, Security+, CISSP, or GIAC.
  • Cloudflare Zero Trust device-posture deployment.

Benefits & conditions

  • Health insurance
  • 401(k) matching
  • Paid time off
  • Vision insurance
  • Dental insurance
  • A foundational, high-autonomy role with direct CEO visibility and real budget authority for the security stack.
  • A greenfield mandate: design it the right way, with proven patterns, instead of inheriting tech debt.
  • A modern, well-funded toolset; you won't be duct-taping a legacy stack.
  • Competitive base salary commensurate with experience, plus full medical/dental/vision, generous 401(k) match, PTO, and an annual budget for certifications and training.
  • Possible hybrid work 3 days/week on site in the Metro NY area.

About the company

We are a B2B hardware/software company building identity-verification and document-processing technology for regulated industries. We're a tight, ~20-person, engineering-heavy team pursuing SOC 2 Type II certification this year. We run on Microsoft Azure, use Microsoft Entra ID for identity management and Intune for device management, and use Google Workspace for productivity - with plans to link Google Workspace to Entra in the very near future. We back it all with a modern security stack (Huntress, SpearTip, Vanta, Aikido, Cloudflare).