Cloud Security Engineer

Cloud Security Engineer

At Opendoor our goal is to build the biggest, most trusted housing platform and set a new standard for how people move. We've combined our deep, proprietary data and operational expertise with the power of artificial intelligence to make online home selling and buying radically simple.

Our Security Engineering team is building intelligent systems that protect Opendoor and our customers while enabling unprecedented engineering velocity. We apply software engineering and AI to solve security problems across product, infrastructure, and operations by building guardrails where they matter, not gates where they don't.

As our Cloud Security Engineer, you'll own the security of the infrastructure that runs Opendoor—multi-account AWS, EKS, the IAM and identity plane connecting Okta to every system, and the cloud workloads that handle home acquisition, resale, mortgage, title, and escrow. You'll inherit a recently-completed EKS migration, an in-progress CSPM/CNAPP replacement, and a zero-trust roadmap waiting for a technical owner.

Own the security architecture of our AWS estate—across multiple accounts, EKS clusters, Terraform-managed infrastructure, and the IAM plane that ties everything together.

Manage and optimize our CNAPP and CSPM cloud security tooling, ensuring platforms are effectively integrated into engineering workflows to drive the automated remediation of infrastructure risks.

Modernize our secure access strategy by deploying Zero Trust principles—integrating device trust and identity-aware proxies—to provide seamless, least-privileged access to internal infrastructure.

Harden our EKS environment—RBAC, admission policies, workload identity, runtime protection, image signing, and base-image strategy on top of our Bottlerocket + Karpenter foundation.

Build new agentic detection-and-response workflows using Lambda + AWS-native primitives that close the loop from alert to investigation to remediation.

Drive a 'Shift-Left' cloud security strategy within our pipelines using Terraform/Terrakube, GitHub Actions, ECR—so that misconfigurations get caught at PR time, not in a CSPM dashboard a week later.

Partner with the Infrastructure team on cloud-native security decisions: VPC architecture, ingress, secrets management (Vault), service identity, and how Okta extends into AWS, Azure, and GCP.

Run our cloud detection engineering: GuardDuty, Security Hub, CloudTrail, VPC flow logs—tuned for signal, integrated with Datadog and our incident response playbooks.

Support cloud security for our subsidiaries (OS National, Mainstay Title) including Azure + Windows AD environments, with adversarial review of the systems that touch wire fraud risk.

Set the bar for what 'secure by default' looks like for AI-maximalist engineering—vibe-coded apps, MCP servers, and agent-driven workflows that touch production cloud infrastructure.

Mentor engineers across Security, Infra, and Product Eng on cloud security patterns, and turn the patterns you see into automated guardrails so the next team doesn't make the same mistake.

Cloud: AWS, Azure, GCP

Containers / Orchestration: EKS, Bottlerocket, Karpenter, Helm, Argo CD

IaC: Terraform, Terrakube (self-hosted)

Identity & Access: Okta, Duo, AWS Identity Center, Okta-OIDC for EKS, Platform SSO (macOS), Hashicorp Vault

Cloud Security: GuardDuty, Security Hub, CloudTrail, GitHub Advanced Security; CSPM/CNAPP replacement in flight (Wiz, Datadog Cloud Security, CrowdStrike Falcon Cloud Security under eval)

Detection / Observability: Datadog (security + observability), Cribl, CloudTrail, S3 archive

Languages: Go, Python, TypeScript, Ruby, HCL

AI Tooling: Claude, OpenAI, Claude Code, Runlayer MCP, custom agent frameworks—used heavily for alert triage, IaC review, and remediation drafting

Deep conviction that AI and automation should eliminate manual work humans shouldn't be doing anyway. You're excited to replace ticket toil and manual cloud config review with automated systems, IaC guardrails, and agents.

Business enablement security mindset—you measure success by business impact and informed risk-taking, not by tickets opened or compliance checklists completed.

5+ years of cloud or infrastructure security experience, with deep AWS expertise (Azure and GCP a plus). You can read a CloudTrail event, write a service control policy, and explain why a particular IAM trust policy is dangerous, in the same conversation.

Strong skills in at least one of Go, Python, or TypeScript, with the ability to read and write Terraform and shell. You are a builder.

Hands-on Kubernetes security experience—RBAC, network policies, admission control, workload identity, image and supply-chain security. EKS specifically is a plus.

Experience deploying and operating CSPM, CNAPP, or CWPP tooling (Wiz, Prisma, Orca, Datadog, CrowdStrike Falcon Cloud, Lacework, or equivalent)—and a point of view on what good looks like vs. what's noise.

Identity-first security mindset—IAM, OIDC, SAML, federation, secrets management—and the ability to design least-privilege access at scale.

Humility and genuine curiosity—you're as excited to learn from product and infra engineers and enable their work as you are to write detections or design guardrails.

Experience designing or operating Zero Trust Network Access (Cloudflare Access, Tailscale, Twingate, Google BeyondCorp, etc.)

Detection engineering background—writing detections that actually fire on real attacker behavior without burying the team in noise.

Experience securing AI/ML pipelines, agent frameworks, or MCP-style integrations that touch production data.

Familiarity with SOC 2, SOX, or other compliance frameworks in cloud environments—and an instinct for when compliance work creates real security value vs. when it doesn't.

Open-source contributions to cloud security tooling (Cartography, Prowler, ScoutSuite, Falco, Kyverno/OPA, Checkov, etc.)

We also offer a comprehensive package of benefits including unlimited PTO, medical/dental/vision insurance, life insurance, and 401(k) to eligible employees.