Senior Engineer, Cloud Security

PayCargo, LLC
Miami, United States of America
14 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Miami, United States of America

Tech stack

Access Network
Artificial Intelligence
Amazon Web Services (AWS)
Software System Penetration Testing
Software as a Service
Cloud Computing
Cloud Computing Security
Computer Security
Software Design Patterns
DevOps
Document Management Systems
Github
Identity and Access Management
OAuth
OpenID
PCI Data Security Standards
Public Key Infrastructure
Role-Based Access Control
Azure
Zero Trust Network Access
Runbook
Security Assertion Markup Language (SAML)
Single Sign-On
Data Logging
Load Balancing
Cloud Platform System
Okta
Large Language Models
AI Platforms
Information Technology
Cloudwatch
Terraform
Devsecops
Pagerduty
Legacy Systems

Job description

PayCargo's platform connects payers and vendors across the cargo and logistics ecosystem, supporting payments, remittance data, integrations, vendor release workflows, and customer-facing digital experiences., The Senior Engineer, Cloud Security is responsible for strengthening and operating PayCargo's security controls across a modernizing platform that spans legacy systems, a multi-account AWS environment, Microsoft Entra ID, GitHub/ZenHub workflows, GitHub Actions pipelines, and a growing set of secure AI platform requirements. This is a senior, hands-on engineering role - not an entry-level or SOC-analyst position - focused on implementing and operating security controls, not only monitoring them.

This is a hands-on individual contributor role on PayCargo's DevSecOps team. The Senior Engineer - Cloud Security continuously monitors the perimeter, hardens cloud and endpoint controls, runs access reviews, supports audits, and leads incident response, turning security obligations into repeatable operational controls rather than one-time checklist items. The role requires strong judgment, strong follow-through, and the ability to reduce reactive fire drills while raising overall control maturity.

The Senior Engineer, Cloud Security partners closely with DevOps, Engineering, Architecture, Product, Compliance, Support, and executive stakeholders to keep PayCargo's global payments platform secure, available, and audit-ready.

This position has no direct reports. The role leads indirectly by setting and enforcing security standards, guiding engineers and DevOps toward secure patterns, and reducing single points of failure across the security function.

As the Senior Engineer, Cloud Security, you will:

Security Operations & Monitoring

  • Monitor the perimeter, cloud, and endpoint environments for threats, misconfigurations, and anomalous activity across AWS and Microsoft Entra ID
  • Operate and tune security tooling, including CrowdStrike, Microsoft Defender, and CloudWatch and SNS logging and alerting
  • Triage security alerts, drive incident response, and lead root cause analysis with clear, durable follow-up
  • Maintain and improve on-call and escalation workflows (e.g., PagerDuty) so security events are handled consistently

Identity, Access & Control Maturity

  • Run periodic access reviews and enforce least privilege across AWS IAM and IAM Identity Center, Microsoft Entra ID, and SaaS platforms
  • Strengthen RBAC/ABAC, MFA, and SSO, SAML2, and OAuth2/OIDC patterns across internal and customer-facing systems
  • Reduce standing access and broad repository or local admin privileges in favor of bounded, auditable access
  • Operate the federated access model, including SAML-based assumed access to AWS (via CommonFate Granted) and GitHub OIDC for pipelines, so people and CI receive least-privilege, time-bound access without static credentials
  • Operate the PKI, including AWS Private CA and ACM, certificate issuance and rotation, CRLs, and mTLS trust stores on load balancers
  • Administer Entra ID groups and the Tailscale ACLs that gate network access
  • Govern dependency and supply-chain risk using Dependabot and approved-package practices, and keep secrets in AWS Secrets Manager and SSM Parameter Store

Compliance & Audit Evidence

  • Support SOC 1 Type 2, SOC 2, and PCI DSS obligations by owning the implementation of controls and the evidence behind them
  • Coordinate penetration testing, remediation tracking, and verification of fixes
  • Produce clean, repeatable audit evidence and reduce last-minute audit scrambles
  • Translate compliance requirements into operational controls engineers can follow without constant guidance

Secure AI Platform Support

  • Help enforce containment for AI and model usage, including stateless model access, whitelisted egress, and approved destinations
  • Support tokenization and PII-protection patterns so sensitive data is not exposed to model providers
  • Review AI-assisted workflows and applications for security boundaries, logging, and blast-radius reduction

Cross-Functional Partnership

  • Partner with DevOps and Engineering to embed security into the Terraform and GitHub Actions pipelines, environments, and deployment paths
  • Work with Compliance on audits and frameworks (SOC, PCI, ISO 27001) and on auditor-facing reporting
  • Advise Product and Architecture on secure-by-design patterns and practical trade-offs
  • Implement and operate the security controls, boundaries, and egress rules defined in the platform architecture owned by the Director of Cloud & AI Platform Architecture
  • Provide clear status, escalate risks early, and document controls, runbooks, and decisions, * Security controls are operational, monitored, and repeatable rather than reactive
  • Access is least-privilege, reviewed, and auditable across cloud and SaaS
  • Audits and penetration tests are supported with clean evidence and timely remediation
  • Incidents are handled with clear response, root cause analysis, and durable fixes
  • AI and platform initiatives ship with security boundaries built in from the start
  • The Senior Engineer - Cloud Security becomes a trusted owner of one or more critical security domains within 90 to 180 days

Requirements

  • 5+ years of hands-on security engineering, cloud security, or security operations experience preferred
  • Strong working knowledge of AWS security and identity services, plus an enterprise identity provider such as Microsoft Entra ID or Okta
  • Hands-on experience with endpoint and threat tooling such as CrowdStrike and Microsoft Defender
  • Practical experience with SOC and/or PCI DSS controls, audits, and evidence
  • Strong understanding of IAM, RBAC/ABAC, MFA, SSO, SAML2, OAuth2/OIDC, JWT, including common failure modes, and least-privilege design
  • Hands-on experience with PKI and certificates, including a certificate authority such as AWS Private CA, TLS and mTLS, and certificate issuance, rotation, and revocation
  • Experience with incident response, logging and alerting, and root cause analysis
  • Ability to convert security and compliance requirements into repeatable operational controls
  • Strong communication and documentation skills, and the ability to influence without direct authority, * Bachelor's degree in Computer Science, Information Technology, Cybersecurity, Engineering, or a related field, or equivalent practical experience
  • 5+ years of hands-on security engineering, cloud security, or security operations experience preferred
  • Demonstrated experience operating production security controls in cloud environments
  • Experience supporting SOC, PCI, or comparable audits and frameworks
  • Payments, fintech, SaaS, or logistics experience is a plus

Preferred Qualifications:

  • Security certifications such as CISSP, CISM, CCSP, or equivalent
  • Experience coordinating penetration testing and managing remediation
  • Familiarity with secure AI/LLM patterns, data tokenization, and egress control
  • Experience securing CI/CD pipelines (GitHub Actions), GitHub/ZenHub, and Terraform-based infrastructure-as-code
  • Experience with zero-trust network access such as Tailscale or Zscaler, and SSO brokers such as CommonFate Granted
  • Experience in payments, fintech, SaaS, or other regulated, high-volume environments
  • Familiarity with ISO 27001 and SaaS security posture management

You Will Likely Succeed If:

  • Have a winning attitude
  • Are naturally curious with an always-learning mentality
  • Treat security as an enabler, not only a gatekeeper
  • Love to solve difficult problems
  • Are assertive, confident, but also humble
  • Speak with clarity and listen with intention
  • Are disciplined with your processes, documentation, and follow-up
  • Can own a problem end to end without constant direction
  • Take ownership of both the security outcome and the business result

Benefits & conditions

Pulled from the full job description

  • Health insurance
  • 401(k) matching, Our compensation package includes a competitive salary and bonus plan.

We care about your wellbeing and personal life. We offer vacation, sick, personal time off policies, a generous 401K match, and strong healthcare benefits.

Your success at PayCargo is determined by the impact that you are making, and how well you collaborate with the various teams that you interact with. Everyone at PayCargo is empowered to take ownership to learn, self-improve, and master their skills in an environment focused on efficiency, collaboration, and purpose.

About the company

Millions of shipments with goods and materials move around the world daily, by land, sea, or air. PayCargo is the world's leading online payment solution that is revolutionizing the shipping and cargo world. With a fast and efficient way to reduce costs associated with payment processing, we help improve the speed and profitability of our customers' businesses.

Apply for this position