Lead Security Engineer
Role details
Job location
Tech stack
Job description
We're looking for a lead-level Security Engineer and Architect to own system, network, and host security end-to-end for a rapidly growing on-prem, Kubernetes-based AI factory. This is a hands-on, high-impact role reporting directly to our CTO/CISO and working side-by-side with Technical Operations, Corp IT, Platform Engineering, and our scientific teams. It's not a compliance seat that exists to satisfy published controls - it's the chance to shape our security posture from the ground up, secure high-value client data, and build the team and tooling to do it.
Two things make this role distinctive. First, Alembic is "Default to Open" by design: security here must respect that maximum information sharing is basic to how we operate, while still protecting customer data and the IP - patents and trade secrets - our applied-science work generates. Balancing those is the core intellectual challenge of the job. Second, we're an AI-first company that uses many kinds of AI across everything we do; deciding which AIs operate in which containers is one of the more interesting problems you'll own.
What You'll Do
- Design and implement security controls across all environments - network segmentation and firewalling, IDS/IPS, and traffic analysis on our on-prem Kubernetes platform.
- Build and enforce host security: EDR, kernel telemetry, hardening, and baseline implementation across the fleet.
- Own identity and access - AuthN/AuthZ, RBAC, and service identity - grounded in OIDC, SAML, and mTLS.
- Stand up incident-detection pipelines (SIEM, metrics, endpoint telemetry) tuned to surface high-signal threats over noise, and lead incident response end to end: triage, containment, recovery, root-cause analysis, and forensics.
- Keep the focus on enablement over restriction - effective security, not compliance for its own sake - while balancing IP protection, customer-data protection, and broad internal information sharing.
- Partner with Legal and the CISO to obtain the compliance certifications we need and to answer customer questions about the security of our systems; hire and mentor as the security function grows.
Requirements
- 8+ years in security engineering, infrastructure, or related roles.
- Strong Linux system security and networking (SSH certificates, directory-based authentication) and strong Kubernetes security (RBAC, tenant isolation, admission control).
- Real experience securing on-prem environments, not only public cloud.
- A proven track record leading real-world incidents, with familiarity with attacker techniques (lateral movement, persistence, exfiltration) and hands-on depth in EDR, IDS/IPS, and SIEM.
- Strong command of OIDC, SAML, mTLS, and cryptography-based storage security.
- Comfort writing code, automation, and tooling in Python or similar, plus configuration management via IaC (Terraform, Ansible).
- The judgment to distinguish high-signal threats from noise, make pragmatic tradeoffs in a fast-moving company, and communicate effectively with technical stakeholders.
Nice to have: high-performance or distributed-compute experience (HPC, GPU clusters); identity-aware proxies or zero-trust architectures; offensive security (red teaming, exploit development); secure application development and secure-code training; responsible-disclosure/bug-bounty programs; AI controls, MCP security, agent security, and AI governance; and a background in corporate IT security.