Security and Infrastructure Architect
Indexed description
Please Read Apply Now Section Before Applying
About us
We are a B2B hardware/software company building identity-verification and document-processing
technology for regulated industries. We’re a tight, ~20-person, engineering-heavy team pursuing
SOC 2 Type II certification this year. We run on Microsoft Azure, use Microsoft Entra ID for
identity management and Intune for device management, and use Google Workspace for
productivity — with plans to link Google Workspace to Entra in the very near future. We back it
all with a modern security stack (Huntress, SpearTip, Vanta, Aikido, Cloudflare).
About the role
We’re hiring a Senior Microsoft security expert to design, build, and run our security and identity
infrastructure end to end. This is a hands-on architect role for someone who has done exactly
this for other companies and can bring proven patterns rather than learn on ours. You’ll own
everything from Entra and Intune to the office firewall, integrate it all into Vanta for SOC 2, and
work shoulder-to-shoulder with our engineers to bake security into the product. We also want
our security systems designed to take advantage of AI: while solid security fundamentals come
first, we value someone who can creatively apply AI to automate tasks and improve our ability to
detect and respond to threats and vulnerabilities.
What you’ll do
• Architect Microsoft Entra ID: Conditional Access, MFA, PIM with just-in-time elevation,
break-glass accounts, and an admin model with no standing Global Admins on day-to-day
accounts.
• Own Microsoft Intune: secure all laptops and mobile devices — compliance,
configuration, BitLocker, app protection — and build unified onboarding/offboarding.
• Secure Microsoft Azure: RBAC, Defender for Cloud, Key Vault, Azure Policy, and
dev/staging/prod separation.
• Design the office network: firewall hardening, VLAN segmentation, secure remote
access with MFA, IDS/IPS, and centralized logging.
• Secure Google Workspace with Entra: federate identity and enforce consistent MFA
and posture across both ecosystems.
• Run security operations: operate EDR/MDR and identity-threat tooling (Huntress),
manage the SpearTip IR retainer, run incidents and tabletops.
• Drive vulnerability management: track and remediate findings from Defender for Cloud
and Aikido with the engineering team.
• Apply AI to security: creatively use AI to automate routine security tasks and sharpen
threat and vulnerability detection and response across the stack.
• Partner with engineering: secure SDLC, deployment-approval gates, and secrets
management so security is designed in.
• Secure our SaaS apps: Zoho One, Linear, Claude, GitHub and more — SSO, least
privilege, MFA, clean offboarding.
• Own SOC 2 / Vanta: integrate access and audit logs from every system into Vanta, keep
connectors green, and partner with our external SOC 2 advisor through the audit.
What you bring
• A proven history of designing, implementing, and operating Microsoft-centric security
stacks for other companies.
• Deep Entra ID expertise — Conditional Access, PIM/JIT, break-glass, admin tiering,
eliminating standing Global Admin rights.
• Expert-level Intune for endpoint and mobile management.
• Strong Azure security: RBAC, Defender for Cloud, Key Vault, Azure Policy, network
security.
• Hands-on EDR/MDR and incident response — Huntress, SpearTip, SentinelOne,
CrowdStrike, or Defender.
• Vulnerability management with Defender for Cloud and a scanner like Aikido or Snyk.
• Google Workspace administration and federating it with Entra.
• Network/firewall hardening and segmentation.
• SOC 2 evidence experience; Vanta (or Drata/Secureframe) hands-on strongly preferred.
• Solid scripting (PowerShell/Graph, Python, or Bash) and excellent documentation.
Programming skills — including the ability to use AI to generate code — are preferred.
Nice to have
• Experience as the architect or first security hire who built a program from scratch.
• Multi-IdP (Entra + Google Workspace) production experience.
• Certifications: AZ-500, SC-200, SC-300, MS-102, Security+, CISSP, or GIAC.
• Cloudflare Zero Trust device-posture deployment.
What’s in it for you
• A foundational, high-autonomy role with direct CEO visibility and real budget authority for
the security stack.
• A greenfield mandate design it the right way, with proven patterns, instead of inheriting
tech debt.
• A modern, well-funded toolset; you won’t be duct-taping a legacy stack.
• Competitive base salary of $120,000 - $140,000 commensurate with experience, plus full medical/dental/vision,
generous 401(k) match, PTO, and an annual budget for certifications and training.
• Possible hybrid work 3 days/week on site in the Metro NY area.
Apply Now
If you have what it takes to design and run a best-in-class security and identity infrastructure,
you are encouraged to apply today.
Please upload your resume here. Then click on this link to complete an application, a 15-minute screening test (https://www.ondemandassessment.com/o/JB-VAPU9Q60I/landing?u=1187681), and upload your resume. Applicants who do not use the link will not be able to
submit a resume.
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search