Member of Technical Staff, Security/DevSecOps
Envoy
Job Summary
Envoy is seeking an experienced Cloud Security / DevSecOps Engineer to enhance the security of its rapidly scaling AWS cloud environment. The role involves designing and implementing AWS security controls, integrating automated security guardrails into CI/CD pipelines, and championing secure infrastructure practices. The engineer will also leverage AI tools for security automation, conduct threat modeling, and automate compliance reporting. This position requires a passion for enabling secure cloud engineering and collaborating with other teams to embed security early in the development lifecycle.
Must Have
- Design and enhance AWS security controls and manage native services.
- Integrate automated security guardrails into CI/CD pipelines.
- Leverage AI for security automation and vulnerability assessments.
- Conduct threat modeling and risk assessments.
- Automate security compliance reporting using IaC and policy-as-code.
- Secure AWS workloads, multi-account architectures, and VPC design.
- Apply deep knowledge of IAM policy design and least-privilege enforcement.
- Harden container images and Kubernetes/EKS clusters.
- Possess strong scripting skills in Python, Go, or similar.
Good to Have
- Autonomous and highly organized.
- Passion for enabling secure cloud engineering without hindering developer velocity.
- Intellectually curious about new cloud security tooling and best practices.
- Ability to translate complex security topics for diverse stakeholders.
- Desire to learn Terraform and implement IaC security scans.
Perks & Benefits
- High degree of trust in ideas and execution.
- Opportunity to partner and collaborate with talented people.
- Inclusive community.
- Ability to make an immediate impact helping customers.
- Support for personal and professional growth.
- Access to cutting-edge AI tools and platforms.
- Market-competitive salary.
- Equity for all full-time roles.
- Excellent benefits.
Job Description
Envoy builds workspace management technology that makes it simple to run secure, compliant, and connected workplaces across every location. Over 16,000 workplaces and properties around the world rely on Envoy to create great experiences for employees and visitors while meeting safety, security, and compliance needs at scale. From corporate headquarters and labs to manufacturing sites, Envoy powers the places where people work best together.
Learn more at envoy.com
This is an L3 opportunity. Successful candidates often come from senior engineering roles and are experienced in leading complex projects, mentoring peers, and making architectural contributions across teams.
About the role
Envoy’s engineering organization is scaling rapidly in the cloud. We are looking for an experienced Cloud Security / DevSecOps Engineer to harden our AWS environments, embed security into our CI/CD pipelines, and champion secure-by-default infrastructure practices.
We are looking for exceptional engineers to join our growing team at Envoy. We love to drive innovation in the workplace through hack projects. If you’re looking to challenge the status quo and build the Office OS, come join us.
This onsite position requires 4 days a week (Monday-Thursday) in our San Francisco HQ office.
You will
- Design and enhance AWS security controls (IAM, VPC, Security Groups, S3, RDS, Lambda) while deploying and managing native services (GuardDuty, Security Hub, Config, CloudTrail, IAM Access Analyzer) for ongoing detection and compliance.
- Integrate automated security guardrails into CI/CD pipelines (GitHub Actions) for IaC, container images, and serverless deployments.
- Leverage and pioneer AI tools (ChatGPT, Claude, GitHub Copilot, etc.) to automate routine security tasks, generate infrastructure code, analyze threat patterns, streamline compliance reporting, accelerate vulnerability assessments, and optimize overall security automation and productivity.
- Conduct threat modeling and risk assessments (STRIDE or other models) to identify gaps and prioritize mitigations.
- Automate security compliance reporting against frameworks such as CIS Benchmarks and NIST 800‑53 using IaC and policy‑as‑code (e.g., Open Policy Agent).
- Collaborate with infrastructure and product engineering teams to embed security early and unblock delivery velocity.
You are
- Autonomous and highly organized, thriving in a fast‑moving environment.
- Passionate about enabling secure cloud engineering without blocking developer velocity.
- Intellectually curious, always experimenting with new cloud security tooling and best practices.
- A clear, concise communicator who can translate complex security topics for diverse stakeholders.
You have
- Hands‑on expertise securing AWS workloads, multi‑account architectures, and VPC design.
- 5+ years of experience.
- Deep knowledge of IAM policy design, role‑based access control, and least‑privilege enforcement.
- Experience hardening container images and Kubernetes/EKS clusters, plus familiarity with container runtime security.
- Strong scripting skills in Python, Go, or similar for automation and tooling integration.
- Experience performing security risk assessments and threat modeling for new services.
- Familiarity with AWS security tooling (GuardDuty, Config, Security Hub, Macie, Access Analyzer).
- Excellent written and verbal communication skills and the ability to educate engineers on secure practices.
- A desire to learn Terraform and implement IaC security scans in CI/CD.
You'll get
- A high degree of trust in your ideas and execution
- An opportunity to partner and collaborate with other talented people
- An inclusive community where you feel welcomed and cared for as a person
- The ability to make an immediate impact helping customers create a great workplace experience
- Support for your personal and professional growth
- Access to cutting-edge AI tools and platforms, with encouragement to experiment and implement AI solutions in your daily work
If you have any questions related to compensation, please contact Recruiting after you apply.
By applying for this position, you acknowledge that you have fully read and understand the job requirements and received the Envoy Privacy Notice for applicants, which is linked here. Completing this application requires you to provide personal data, such as your name and contact information, which is mandatory for Envoy to process your application. Envoy is an EEO Employer and does not discriminate on the basis of any characteristic protected by local, state or federal law.