Platform Security Engineer

We are looking for a Platform Security Engineer to join our Platform team and own the technical security of our live infrastructure end-to-end. You will set the hardening baseline, lead vulnerability and penetration testing, drive disaster recovery readiness, and translate regulatory requirements into technical controls that hold up under audit. This is a hands-on, high-ownership role with direct impact on how securely we operate and grow.

Key Responsibilities:

• Define and maintain security hardening baselines for Azure tenants, codify security guardrails for the Avarda Azure tenant including: landing zones, secure-by-design patterns, networks segmentation, security policy. Vulnerability scan for public products domains.

• Define and maintain on-prem security hardening baselines: Server hardening, network segmentation and integration with Azure, identity security baselines, and produce compliance reports.

• Lead pen/penetration testing technically: scope tests, triage findings, drive remediation, and report on progress.

• Own the vulnerability management end-to-end: tooling, integration, prioritization, remediation tracking, reporting.

• Own response to security alerts and incidents raised by supplier (like TRUESEC, BaffinBay), Microsoft Defender, and other detection sources — triage, lead remediation across infrastructure, and close the loop with the SOC and CISO function. Collaborate with supplier to evaluate and improve monitoring, alerting, and protection capabilities across security platforms.

• Own the continuous security improvement backlog for our infra. — drive Azure Secure Score uplift, drive on-prem infra. Security improvement.

• Drive Disaster Recovery technical readiness: draft, test, and maintain DR plans alongside system owners and CISO function.

• Drive DevSecOps initiatives across CI/CD and software supply chain security, including security scanning, dependency/vulnerability detection, secrets management, and pipeline hardening. Serve as a security partner for developers and promote secure engineering practices.

• Compliance technical execution at infrastructure level: ISO 27001 / NIST CSF mapping, technical evidence and responses for internal and external audits.

• Technical risk assessments for new infrastructure tooling, significant architectural changes, and vendor onboarding that touches infrastructure.

Qualifications and Experience:

• 5+ years in infrastructure security, platform security engineering, or security architecture roles spanning both cloud and on-prem environments.

• Deep, current Azure security expertise — Defender for Cloud, Microsoft Sentinel, Azure Policy, Entra ID, PIM, etc.

• On-prem infrastructure security: Server hardening, network segmentation, certificate management.

• Vulnerability management at scale: tooling, prioritization frameworks, working with system owners to close findings.

• Penetration test coordination: scoping, technical triage, remediation tracking. Hands-on with continuous testing platforms (Pentera or similar) appreciated.

• Disaster recovery: drafting plans, running tests, working with system owners.

• Compliance fluency: hands-on experience mapping ISO 27001 or NIST controls to technical infrastructure implementations and supporting external audits.

• DevSecOps fluency: shift-left scanning, secrets management, policy as code.

• Threat modelling at architecture level (STRIDE or equivalent, applied in practice).

• Comfortable communicating with engineers, risk and compliance teams, and external auditors.

• Builds rather than gatekeeps — ships secure tooling other engineers want to use, rather than policy documents they ignore.

• Comfortable with multiple stakeholders.

• Pragmatic over perfect — accepts that security wins by being adopted, not by being theoretically ideal.

• English — professional working proficiency in writing and speaking (required).

• Bachelor's degree in Computer Science, Software Engineering, or a related technical field.