Qureos

Security and Infrastructure Architect

About the job

Please Read Apply Now Section Before Applying

About us

We are a B2B hardware/software company building identity-verification and document-processing technology for regulated industries. We’re a tight, ~20-person, engineering-heavy team pursuing SOC 2 Type II certification this year. We run on Microsoft Azure, use Microsoft Entra ID for identity management and Intune for device management, and use Google Workspace for productivity — with plans to link Google Workspace to Entra in the very near future. We back it all with a modern security stack (Huntress, SpearTip, Vanta, Aikido, Cloudflare).

About the role

We’re hiring a Senior Microsoft security expert to design, build, and run our security and identity infrastructure end to end. This is a hands-on architect role for someone who has done exactly this for other companies and can bring proven patterns rather than learn on ours. You’ll own everything from Entra and Intune to the office firewall, integrate it all into Vanta for SOC 2, and work shoulder-to-shoulder with our engineers to bake security into the product. We also want our security systems designed to take advantage of AI: while solid security fundamentals come first, we value someone who can creatively apply AI to automate tasks and improve our ability to detect and respond to threats and vulnerabilities.

What you’ll do

  • Architect Microsoft Entra ID: Conditional Access, MFA, PIM with just-in-time elevation, break-glass accounts, and an admin model with no standing Global Admins on day-to-day accounts.
  • Own Microsoft Intune: secure all laptops and mobile devices — compliance, configuration, BitLocker, app protection — and build unified onboarding/offboarding.
  • Secure Microsoft Azure: RBAC, Defender for Cloud, Key Vault, Azure Policy, and dev/staging/prod separation.
  • Design the office network: firewall hardening, VLAN segmentation, secure remote access with MFA, IDS/IPS, and centralized logging.
  • Secure Google Workspace with Entra: federate identity and enforce consistent MFA and posture across both ecosystems.
  • Run security operations: operate EDR/MDR and identity-threat tooling (Huntress), manage the SpearTip IR retainer, run incidents and tabletops.
  • Drive vulnerability management: track and remediate findings from Defender for Cloud and Aikido with the engineering team.
  • Apply AI to security: creatively use AI to automate routine security tasks and sharpen threat and vulnerability detection and response across the stack.
  • Partner with engineering: secure SDLC, deployment-approval gates, and secrets management so security is designed in.
  • Secure our SaaS apps: Zoho One, Linear, Claude, GitHub and more — SSO, least privilege, MFA, clean offboarding.
  • Own SOC 2 / Vanta: integrate access and audit logs from every system into Vanta, keep connectors green, and partner with our external SOC 2 advisor through the audit.

What you bring

  • A proven history of designing, implementing, and operating Microsoft-centric security stacks for other companies.
  • Deep Entra ID expertise — Conditional Access, PIM/JIT, break-glass, admin tiering, eliminating standing Global Admin rights.
  • Expert-level Intune for endpoint and mobile management.
  • Strong Azure security: RBAC, Defender for Cloud, Key Vault, Azure Policy, network security.
  • Hands-on EDR/MDR and incident response — Huntress, SpearTip, SentinelOne, CrowdStrike, or Defender.
  • Vulnerability management with Defender for Cloud and a scanner like Aikido or Snyk.
  • Google Workspace administration and federating it with Entra.
  • Network/firewall hardening and segmentation.
  • SOC 2 evidence experience; Vanta (or Drata/Secureframe) hands-on strongly preferred.
  • Solid scripting (PowerShell/Graph, Python, or Bash) and excellent documentation.

Programming skills — including the ability to use AI to generate code — are preferred.

Nice to have

  • Experience as the architect or first security hire who built a program from scratch.
  • Multi-IdP (Entra + Google Workspace) production experience.
  • Certifications: AZ-500, SC-200, SC-300, MS-102, Security+, CISSP, or GIAC.
  • Cloudflare Zero Trust device-posture deployment.

What’s in it for you

  • A foundational, high-autonomy role with direct CEO visibility and real budget authority for the security stack.
  • A greenfield mandate: design it the right way, with proven patterns, instead of inheriting tech debt.
  • A modern, well-funded toolset; you won’t be duct-taping a legacy stack.
  • Competitive base salary commensurate with experience, plus full medical/dental/vision, generous 401(k) match, PTO, and an annual budget for certifications and training.
  • Possible hybrid work 3 days/week on site in the Metro NY area.

Apply Now

If you have what it takes to design and run a best-in-class security and identity infrastructure, you are encouraged to apply today.

Please upload your resume here. Then click on this link to complete an application, a 15-minute screening test (https://www.ondemandassessment.com/o/JB-VAPU9Q60I/landing?u=1187681), and upload your resume. Applicants who do not use the link will not be able to submit a resume.

Pay: $110,000.00 - $130,000.00 per year

Benefits:

  • 401(k) matching
  • Dental insurance
  • Health insurance
  • Paid time off

Work Location: Hybrid remote in Bronxville, NY 10708
