We are looking for a hands-on DevOps Security Engineer who will help secure our posture throughout the software delivery lifecycle — from the first line of code to production deployment and beyond.
Our stack is complex. We ship frequently across multiple services running on containerized, cloud-native infrastructure managed entirely as code. Every release needs to be hardened before it reaches customers, and every pipeline needs to enforce that standard automatically. Your job is to make sure that happens — and to build the systems that make it repeatable, auditable, and fast.
Vulnerability Analysis & Release Security
- Conduct deep-dive vulnerability and security reviews of all software releases before they reach production. This includes manual code review of high-risk changes alongside automated scanning output triage.
- Own the pre-shipment security gate process: define pass/fail criteria, enforce them in CI/CD, and be the escalation point when a release is blocked on a security finding.
- Triage and classify vulnerabilities from SAST, DAST, SCA, and container scanning tools. Distinguish real risk from noise, prioritize remediation, and work directly with engineering teams to drive fixes — or write the patches yourself.
- Maintain and continuously improve a vulnerability management program with clear SLAs for remediation by severity.
Pipeline & Automation Engineering
- Own and continuously improve the automated security tooling already integrated into our CI/CD pipelines. This means tuning rule sets to reduce false positives, expanding coverage as the stack evolves, optimizing scan performance so pipelines stay fast, and ensuring engineers trust the results enough to act on them without escalation.
- Build and maintain custom security automation — policy-as-code enforcement, secrets detection, dependency vulnerability scanning, image signing and verification — using Python, Go, or Bash.
- Develop and operate security-focused pipeline stages: static analysis, software composition analysis, dynamic testing against staging environments, infrastructure-as-code validation, and container image scanning.
- Automate the boring parts. If a security fix can be scripted and applied at scale across repositories, you write that script.
Infrastructure & Cloud Security
- Audit the full infrastructure-as-code (IaC) stack — Terraform, CloudFormation, Helm charts, Kubernetes manifests — for misconfigurations, policy violations, and drift from security baselines.
- Define and enforce cloud security policies across AWS, Azure, or GCP environments using tools like Open Policy Agent (OPA), Checkov, tfsec, or equivalent.
- Harden container orchestration environments: RBAC policies, network policies, pod security standards, runtime threat detection, and supply chain integrity for container images.
- Collaborate with platform/infrastructure teams to ensure logging, monitoring, and alerting are sufficient for incident detection and forensic investigation.
Security Culture & Shift-Left Enablement
- Be the engineering team's security partner, not their bottleneck. Provide developers with self-service tooling, clear documentation, and fast feedback loops so they can catch and fix issues before code review.
- Build and maintain internal security guardrails: pre-commit hooks, IDE integrations, approved base images, hardened CI templates, and reusable secure-by-default modules.
- Run targeted threat modeling sessions for high-risk features and architectural changes.
- Contribute to internal security standards, runbooks, and incident response playbooks rooted in real-world scenarios from your own findings.
Role Requirements
- 3–5+ years in a combined DevOps / Security Engineering / DevSecOps role where you were building and operating, not just recommending.
- CI/CD pipeline engineering: Deep, hands-on experience with at least one of Jenkins, GitLab CI, or GitHub Actions — including writing custom plugins, shared libraries, or reusable workflow templates.
- Security tooling integration: Production experience implementing and tuning SAST (e.g., SonarQube, Semgrep, CodeQL), DAST (e.g., OWASP ZAP, Burp Suite), and SCA (e.g., Snyk, Dependabot, Grype) tools within automated pipelines.
- Cloud security: Proven ability to secure production workloads on at least one major cloud provider (AWS, Azure, or GCP). You understand IAM policies, network segmentation, encryption-at-rest/in-transit, and cloud-native security services at an implementation level — not just a whiteboard level.
- Container & orchestration security: Hands-on experience securing Docker and Kubernetes environments — image scanning, runtime security (Falco, Sysdig, or similar), admission controllers, network policies, and supply chain security (signing, SBOMs).
- Infrastructure as Code: Proficiency with Terraform, CloudFormation, or Pulumi, combined with experience auditing IaC for security misconfigurations using policy-as-code frameworks (OPA/Rego, Sentinel, Checkov).
- Scripting & automation: Strong coding ability in Python, Go, or Bash — sufficient to build custom tooling, write security automation, and contribute patches to application code when needed.
- Vulnerability management: Experience running or significantly contributing to a vulnerability management program — triage, SLA enforcement, risk-based prioritization, and metrics reporting.
- Solid fundamentals: Strong understanding of OWASP Top 10, CWE/CVE ecosystems, secrets management (Vault, AWS Secrets Manager), TLS/mTLS, and common attack vectors against web applications and APIs.
Nice-to-Have Skills
- Experience with compliance-as-code frameworks and automating evidence collection for SOC 2, ISO 27001, FedRAMP, or PCI-DSS audits.
- Familiarity with eBPF-based security observability tools or kernel-level runtime security.
- Background in penetration testing or red team exercises, particularly against cloud-native infrastructure.
- Experience building or operating a software supply chain security program (SLSA framework, Sigstore/Cosign, in-toto attestations, SBOM generation and consumption).
- Knowledge of GitOps workflows (ArgoCD, Flux) and securing the GitOps delivery model.
- Contributions to open-source security tooling or published security research.
- Relevant certifications such as CKS (Certified Kubernetes Security Specialist), AWS Security Specialty, OSCP, or GIAC certifications — valued as evidence of depth, not as a checkbox.
This role is for someone who thinks in terms of attack surfaces and blast radius, who automates by instinct, and who measures their success by the security issues that never make it to production. If your idea of a good day is shipping a pipeline change that eliminates an entire class of vulnerability across every repo in the organization — we want to talk to you.
About Us:
We power the blockchain economy.
Blockdaemon powers the blockchain economy with its suite of industry-leading infrastructure solutions. We are a globally established, ISO-27001 certified partner with extensive protocol coverage, offering technical depth, industry-leading SLAs, 70+ global points of presence through 10+ cloud and bare metal providers, and 24/7 support for an unmatched institutional-grade experience. We provide integrated business solutions to exchanges, custodians, crypto platforms, financial institutions, and developers using our end-to-end suite of blockchain tools, including dedicated nodes, APIs, staking, liquid staking, MPC tech, and more. Blockdaemon provides its customers with the confidence to quickly and easily scale without compromising security or compliance.
We are a globally distributed team.
Blockdaemon is an Equal Opportunity Employer.