Staff Security Engineer

Total Compensation: $190-$210 annually

Location: Scottsdale, AZ

Workplace Setting: Fully Onsite


Position Summary

The Staff Infrastructure & Security Engineer is the sole technical owner of all cloud infrastructure,
cybersecurity, identity, endpoint operations, and DevOps platform engineering for a 240-person business
management consultancy operating a large-scale Azure and Microsoft Fabric environment. This role reports
to the IT Director and is accountable for the end-to-end buildout, hardening, and operational excellence of
every infrastructure and security workstream on the 2026 roadmap.

This includes SIEM deployment and zero-trust identity, disaster recovery, cloud cost optimization, and the
CI/CD and hosting infrastructure powering our proprietary AI platform, the Hub — a multi-tenant “Super App”
serving internal teams and external clients across multiple verticals, with a suite of AI-driven applications
(Trainer, SalesIQ, Jarvis, Knowledge, Momentum, Dashboards, Blueprints, Capture) shipping at high velocity
across web and mobile.

This is not a maintenance role: it is a greenfield buildout of enterprise-grade infrastructure, security posture,
and developer platform across 80+ SharePoint sites, multiple Fabric Lakehouses, a growing multi-tenant
client ecosystem, and a product engineering organization that needs world-class deployment and
observability tooling.


This role requires an AI-native engineer

  • LLM fluency is a hard requirement — not a preference. The throughput expected of this role
    assumes active, daily use of AI tooling to achieve what typically requires a multi-person team.
  • Claude AI (Anthropic) is provided and expected to be used for IaC authoring, detection rule
    development, runbook creation, policy generation, log analysis, and automation scripting.
  • Engineers who embrace AI as a force multiplier will thrive here. Those who don’t will struggle to
    keep pace with the scope.

What Success Looks Like

SIEM Operational

  • Within 6 months
  • Tuned alerting, active connectors, and initial SOAR
    playbooks live. Mean-time-to-detect under 30 minutes
    for critical events.

Hub CI/CD

  • 50%+ cycle time reduction
  • Zero-downtime deployments and sub-5-minute
    rollback fully operational within the first 6 months.

Hub Platform Uptime

  • 99.9% SLA
  • Proactive alerting that surfaces degradation before end users or clients report it.

Endpoint Compliance

  • 100% fleet by end of Q3
  • Full Intune compliance across 240+ Windows and Mac
    endpoints with hardened baselines, automated
    patching, and DLP enforced.

Disaster Recovery

  • Validated by end of Q3
  • Immutable backups, documented runbooks, and a
    successful DR drill with measured RTO. Quarterly
    tests sustained thereafter.

Identity & Access

  • Within 6 months
  • MFA hardened, PIM enforced for all privileged roles,
    CA policies cleaned up and documented, first
    company-wide access review complete.

Azure Cost Reduction

  • 15%+ savings
  • Right-sizing, tagging enforcement, and cost
    optimization — while simultaneously improving
    reliability metrics.

Penetration Test

  • H2 — zero unresolved criticals
  • Pass external pen test with no critical or high-severity
    findings unresolved beyond agreed SLAs.

Objectives


Hub Platform & DevOps

  • Design, build, and maintain CI/CD pipelines for the Hub platform and its application suite (Trainer,
    SalesIQ, Jarvis, Knowledge, Momentum, Dashboards, Blueprints, Capture), enabling multiple
    production deployments per day with automated testing, security scanning, and rollback.
  • Own the Hub’s Azure hosting infrastructure — container orchestration, environment management
    (dev/staging/production), auto-scaling, and performance optimization across web and mobile delivery
    surfaces.
  • Implement and maintain full-stack observability across the Hub — APM, distributed tracing, structured
    logging, and real-time alerting — ensuring engineering and product teams have complete visibility into
    system health, latency, and error rates.
  • Build and manage infrastructure supporting the Hub’s multi-tenant architecture: data isolation, per-client
    performance SLAs, and secure deployment patterns across internal teams, client verticals (Roofing,
    Home Services), and event deployments.
  • Partner with engineering to define and enforce deployment standards, branching strategies,
    environment promotion workflows, and infrastructure requirements for new launches including mobile
    releases, voice mode, telephony integrations, and AI agent capabilities (Dawson AI, Jarvis).

Cloud Infrastructure & IaC

  • Architect and enforce Infrastructure-as-Code standards (Terraform or Bicep) across all Azure
    environments — eliminating manual provisioning and ensuring every resource is version-controlled,
    tagged, and auditable.
  • Own Azure cloud operations: cost optimization, monitoring and alerting, SRE metrics, capacity
    planning, incident response runbooks, and scale reviews supporting the Microsoft Fabric and OneLake
    data platform.
  • Administer and improve Microsoft Fabric, OneLake, and SharePoint Online environments: governance,
    access controls, and M365 ecosystem integration across 80+ SharePoint sites and multiple Fabric
    Lakehouses.

Security Operations & SIEM

  • Design, deploy, and operationalize a SIEM platform (selection, connector integration, detection rule
    authoring, alert tuning, and SOAR pilot) — establishing the company’s first centralized security
    monitoring capability.
  • Stand up and maintain the vulnerability management program: scanner deployment, baseline scanning,
    remediation sprints with SLAs, exception tracking, lightweight AppSec practices, cloud security posture
    reviews, and annual penetration test coordination.
  • Manage ongoing security posture: firewall policy hygiene, network segmentation, patch/firmware
    lifecycle, and continuous hardening across cloud and endpoint surfaces.

Identity & Access Management

  • Build and execute the full IAM lifecycle in Entra ID: auth policies, MFA strengthening, PIM rollout,
    conditional access cleanup, SSO audit, passkey deployment, guest controls, and quarterly privileged
    access reviews.
  • Administer identity and access integrations across Okta (where applicable), Microsoft Entra ID, and key
    SaaS applications — SSO/MFA troubleshooting, SCIM provisioning, and least-privilege enforcement.

Endpoint Management

  • Deploy and harden Intune endpoint management across both Windows and Mac fleets: security
    baselines, application control, patch cadence automation, compliance policies, and DLP rollout across
    240+ endpoints.
  • Maintain endpoint security posture: disk encryption enforcement, EDR/AV health, OS patching
    strategies, and remediation coordination.
  • Standardize device provisioning and lifecycle: new hire setups, hardware staging, asset tracking, and
    end-of-life coordination.

Disaster Recovery & Business Continuity

  • Design and implement the backup and DR architecture: backup review, DR design, immutable storage,
    SaaS backup coverage (M365, critical SaaS), restore testing, RTO tuning, and runbook documentation.
  • Execute quarterly DR drills with measured RTO and maintain living runbooks that reflect current
    architecture.

Automation, AI & Reporting

  • Operate as an AI-native practitioner — leveraging Claude AI and LLM tooling daily to accelerate IaC
    authoring, detection rule development, policy generation, runbook creation, log analysis, and
    automation scripting.
  • Automate repeatable tasks using PowerShell, Python, and Bash; build self-service tooling and
    knowledge base materials that reduce Tier 1/2 escalation load.
  • Produce clear, concise infrastructure and security status reporting for the IT Director, CTO, and
    executive stakeholders — covering risk posture, project progress, incident trends, and budget.

Required Competencies

  • Deep, hands-on expertise across Azure cloud infrastructure — compute, networking, storage, Entra ID,
    Intune, Defender, and Sentinel or equivalent SIEM — with the ability to architect and implement at
    enterprise scale without a team.
  • Hands-on experience with container orchestration (Kubernetes/AKS or Azure Container Apps), CI/CD
    platforms (GitHub Actions, Azure DevOps), and IaC (Terraform strongly preferred; Bicep/ARM
    acceptable) for both corporate and application hosting environments.
  • Strong application-level observability skills — Datadog, Application Insights, Grafana — with the ability
    to instrument, monitor, and troubleshoot distributed systems serving web and mobile clients.
  • AI fluency is a hard requirement: demonstrated proficiency using LLMs and AI-assisted tooling
    (Claude, Copilot, or equivalent) to accelerate IaC authoring, security policy generation, detection rule
    development, runbook creation, and automation scripting.
  • Command-level knowledge of modern security frameworks (NIST, CIS, zero-trust principles) and practical experience implementing identity governance, endpoint hardening, DLP, SIEM/SOAR, and vulnerability management programs.
  • Proven ability to own and execute 4–6 concurrent technical workstreams independently — prioritizing ruthlessly and delivering production-grade results without dedicated project management support.
  • Strong understanding of Microsoft Fabric, OneLake, and SharePoint Online administration, including data governance, access controls, and integration with the broader M365 ecosystem.
  • Exceptional written and verbal communication skills, with the ability to translate complex infrastructure and security decisions into clear business-risk language for non-technical executives.
  • Track record of building from zero — standing up programs, processes, and tooling in environments where none existed — rather than inheriting and maintaining mature infrastructure.

Preferred Qualifications

  • Experience with SIEM/SOAR platforms (Microsoft Sentinel preferred; Splunk or equivalent acceptable)
    and detection engineering.
  • Familiarity with Microsoft Fabric and OneLake in production data environments.
  • Exposure to compliance/security frameworks (SOC 2–style controls) and evidence-driven operations.
  • Experience supporting multi-tenant SaaS platforms — especially with data isolation, per-tenant
    observability, and secure deployment patterns.
  • Mobile delivery experience (iOS/Android via CI/CD pipelines, app store deployments, MDM integration).
  • Certifications (nice to have): AZ-104, AZ-500, SC-200 (Sentinel), Terraform Associate, CKA/CKAD,
    CISSP/CISM, Security+.

About the Hub Platform

The Hub is the company’s proprietary AI-powered Super App — a multi-tenant platform serving internal teams
and external clients across multiple industry verticals. It is the primary product of the engineering organization
and the infrastructure this role is responsible for hosting, deploying, and keeping operational.

Hub application suite

  • Trainer — AI-powered training and enablement
  • SalesIQ — sales intelligence and performance analytics
  • Jarvis — internal AI assistant and agent capabilities
  • Knowledge — organizational knowledge base and retrieval
  • Momentum — performance and goal tracking
  • Dashboards — executive and operational reporting
  • Blueprints — process documentation and workflow tooling
  • Capture — data capture and intake workflows

The Hub ships at high velocity across web and mobile, with active development of voice mode, telephony
integrations, and AI agent capabilities. The infrastructure owner of the Hub is expected to be a close partner
of the engineering team — not a gatekeeper.


A Note on Claude AI

This role is expected to actively use Claude (Anthropic’s AI) as a core part of the day-to-day workflow. We
provide access and encourage its use for:

  • Writing and iterating on runbooks, SOPs, and technical documentation
  • Drafting and reviewing IaC templates, scripts, and configuration snippets
  • Log and alert analysis to accelerate incident triage
  • Detection rule authoring and SIEM query development
  • Summarizing CVEs, vendor docs, and change management notes
  • Building knowledge base content and training materials for the support team

We view AI fluency as a professional skill. Engineers who leverage these tools well achieve dramatically
higher throughput, document more thoroughly, and spend more time on high-value architecture and security
work. This role is explicitly scoped with that assumption built in.


Additional Requirements

  • Onsite role at the primary office; travel to Scottsdale and other locations as needed.
  • Participation in an on-call rotation.
  • Ability to lift and handle IT equipment (APs, switches, firewalls, laptops) for deployments and desk
    setups.

COMMITMENT TO DIVERSITY

As an equal opportunity employer committed to meeting the needs of a multigenerational and multicultural workforce, Cardone Ventures recognizes that a diverse staff, reflective of our community, is an integral and welcome part of a successful and ethical business. We hire local talent at all levels regardless of race, color, religion, age, national origin, gender, gender identity, sexual orientation, or disability, and actively foster inclusion in all forms both within our company and across interactions with clients, candidates, and partners.

If this position caught your eye, send us your resume! For best consideration, include the job title and source where you found this position in the subject line of your email to careers@cardoneventures.com. Already a Cardone Ventures candidate? Please connect directly with your recruiter to discuss this opportunity.
