Lead Security Engineer
Alembic is the pioneering Causal AI platform. We help the world's largest enterprises move past correlation to prove what actually drives business outcomes — the question marketing and growth teams have never been able to answer with confidence. Fortune 100 companies including Nvidia, Delta Air Lines, and Mars use Alembic to make multimillion-dollar decisions on trusted, causal evidence.
We're backed by a $145M Series B from WndrCo (founded by Jeffrey Katzenberg), Jensen Huang, Joe Montana, Prysm Capital, and Accenture. Our models run on our own NVIDIA DGX SuperPOD built on Grace Blackwell infrastructure — one of the fastest private supercomputers in the world. (We've melted GPUs getting here.)
About the Role
We're looking for a lead-level Security Engineer and Architect to own system, network, and host security end-to-end for a rapidly growing on-prem, Kubernetes-based AI factory. This is a hands-on, high-impact role reporting directly to our CTO/CISO and working side-by-side with Technical Operations, Corp IT, Platform Engineering, and our scientific teams. It's not a compliance seat that exists to satisfy published controls — it's the chance to shape our security posture from the ground up, secure high-value client data, and build the team and tooling to do it.
Two things make this role distinctive. First, Alembic is "Default to Open" by design: security here must respect that maximum information sharing is basic to how we operate, while still protecting customer data and the IP — patents and trade secrets — our applied-science work generates. Balancing those is the core intellectual challenge of the job. Second, we're an AI-first company that uses many kinds of AI across everything we do; deciding which AIs operate in which containers is one of the more interesting problems you'll own.
Responsibilities
- Design and implement security controls across all environments — network segmentation and firewalling, IDS/IPS, and traffic analysis on our on-prem Kubernetes platform.
- Build and enforce host security: EDR, kernel telemetry, hardening, and baseline implementation across the fleet.
- Own identity and access — AuthN/AuthZ, RBAC, and service identity — grounded in OIDC, SAML, and mTLS.
- Stand up incident-detection pipelines (SIEM, metrics, endpoint telemetry) tuned to surface high-signal threats over noise, and lead incident response end to end: triage, containment, recovery, root-cause analysis, and forensics.
- Keep the focus on enablement over restriction — effective security, not compliance for its own sake — while balancing IP protection, customer-data protection, and broad internal information sharing.
- Partner with Legal and the CISO to obtain the compliance certifications we need and to answer customer questions about the security of our systems; hire and mentor as the security function grows.
8+ years in security engineering, infrastructure, or related roles.
Strong Linux system security and networking (SSH certificates, directory-based authentication) and strong Kubernetes security (RBAC, tenant isolation, admission control).
Real experience securing on-prem environments, not only public cloud.
A proven track record leading real-world incidents, with familiarity with attacker techniques (lateral movement, persistence, exfiltration) and hands-on depth in EDR, IDS/IPS, and SIEM.
Strong command of OIDC, SAML, mTLS, and cryptography-based storage security.
Comfort writing code, automation, and tooling in Python or similar, plus configuration management via IaC (Terraform, Ansible).
The judgment to distinguish high-signal threats from noise, make pragmatic tradeoffs in a fast-moving company, and communicate effectively with technical stakeholders.
Nice to have: high-performance or distributed-compute experience (HPC, GPU clusters); identity-aware proxies or zero-trust architectures; offensive security (red teaming, exploit development); secure application development and secure-code training; responsible-disclosure/bug-bounty programs; AI controls, MCP security, agent security, and AI governance; and a background in corporate IT security.
You want to shape a security posture from first principles rather than administer someone else's control framework — and you see "Default to Open" as a design constraint worth solving, not a threat to route around.
You'd rather be in the terminal doing root-cause analysis and building detection pipelines than managing them from a slide deck, and you want to build the team around you as scope grows.
You want a compliance-first role focused on satisfying published controls — this job is about effective security and enablement, and treats certifications as a byproduct, not the point.
You need a fully built-out program, tooling, and process to step into, rather than the mandate to define them.
You're uncomfortable with "Default to Open" — if your instinct is to lock everything down by default, the constant balance of IP protection, customer-data protection, and broad internal sharing will feel like friction rather than the interesting part.
You prefer static over dynamic — priorities and scope shift as we grow. We have real paying customers and a playbook, and we still move at startup speed at Series B scale.
Listing Details
- Posted: July 1, 2026
- First seen: July 1, 2026
- Last seen: July 1, 2026