Cloud Security Engineer

About the company

Braintrust is the AI observability platform. By connecting evals and observability in one workflow, Braintrust gives builders the visibility to understand how AI behaves in production and the tools to improve it.

Teams at Notion, Stripe, Zapier, Vercel, and Ramp use Braintrust to compare models, test prompts, and catch regressions — turning production data into better AI with every release.

About the role

We're looking for a hands-on Cloud Security Engineer to own the security posture of our multi-cloud infrastructure and customer hosted data planes. You'll work across AWS, Azure, and GCP, harden our Kubernetes and Terraform stack, and keep the platform secure without slowing engineering down.

This is a senior IC role. You'll write code, build paved-road controls, ship detections, and partner with customers on deployment. If you're excited to use agentic coding tools to operate at the pace of a much larger team, we'd love to work with you.

What you'll do

• Own the security architecture for our internal AWS environment and the customer-deployed stacks running in AWS, Azure, and GCP

• Write Terraform modules and policy code that make the secure path the default path for every team shipping infra

• Harden our Kubernetes footprint: admission controllers, network policies, workload identity, runtime detections, secrets handling

• Build and tune detections across cloud control planes, identity providers, and workload telemetry; own the alert pipeline end-to-end and keep signal-to-noise high

• Help run incident response when something fires, and turn every incident into durable controls and codified runbooks

• Help push cloud compliance initiatives.

• Partner with customers in Slack on self-hosting, network architecture, key management, and tenancy questions

• Use agentic coding workflows to automate the repeatable parts of security work: control validation, evidence collection, drift detection, and IR triage

Ideal candidate credentials

• 5+ years in cloud security, infrastructure security, or security engineering with a heavy hands-on bent — you ship code and configuration, not just policy

• Deep AWS expertise (IAM, VPC, KMS, GuardDuty, CloudTrail) and working fluency in at least one of Azure or GCP

• Strong Terraform skills and a track record of making security guardrails the default in IaC pipelines

• Production Kubernetes security experience: you've run admission controllers, debugged a cluster compromise, or written a network policy that mattered

• Proficient in modern backend technologies and comfortable writing real code in Python, TypeScript, or Go

• Production incident response experience; you've owned a real incident end-to-end and made the next one less painful

• Familiarity with one or more compliance regimes (SOC 2, ISO 27001, HIPAA, FedRAMP) and the discipline to make them work without becoming busywork

• Active user of agentic coding tools, with a clear point of view on how AI is changing security engineering — both offense and defense

• Bonus: experience securing self-hosted enterprise software, multi-tenant SaaS, or LLM-heavy workloads (data exfiltration via prompts, model proxy abuse, agent sandboxing)

Benefits include

• Medical, dental, and vision insurance

• Daily lunch, snacks, and beverages

• Flexible time off

• Competitive salary and equity

• AI Stipend

Equal opportunity

Braintrust is an equal opportunity employer. All applicants will be considered for employment without attention to race, color, religion, sex, sexual orientation, gender identity, national origin, veteran or disability status.