Platform Security Engineer

We are looking for a Platform Security Engineer to join our Platform team and own the technical security of our live infrastructure end-to-end. You will set the hardening baseline, lead vulnerability and penetration testing, drive disaster recovery readiness, and translate regulatory requirements into technical controls that hold up under audit. This is a hands-on, high-ownership role with direct impact on how securely we operate and grow.

Key Responsibilities:

Define and maintain security hardening baselines for Azure tenants, codify security guardrails for the Avarda Azure tenant including: landing zones, secure-by-design patterns, networks segmentation, security policy. Vulnerability scan for public products domains.

Define and maintain on-prem security hardening baselines: Server hardening, network segmentation and integration with Azure, identity security baselines, and produce compliance reports.

Lead pen/penetration testing technically: scope tests, triage findings, drive remediation, and report on progress.

Own the vulnerability management end-to-end: tooling, integration, prioritization, remediation tracking, reporting.

Own response to security alerts and incidents raised by supplier (like TRUESEC, BaffinBay), Microsoft Defender, and other detection sources — triage, lead remediation across infrastructure, and close the loop with the SOC and CISO function. Collaborate with supplier to evaluate and improve monitoring, alerting, and protection capabilities across security platforms.

Own the continuous security improvement backlog for our infra. — drive Azure Secure Score uplift, drive on-prem infra. Security improvement.

Drive Disaster Recovery technical readiness: draft, test, and maintain DR plans alongside system owners and CISO function.

Drive DevSecOps initiatives across CI/CD and software supply chain security, including security scanning, dependency/vulnerability detection, secrets management, and pipeline hardening. Serve as a security partner for developers and promote secure engineering practices.

Compliance technical execution at infrastructure level: ISO 27001 / NIST CSF mapping, technical evidence and responses for internal and external audits.

Technical risk assessments for new infrastructure tooling, significant architectural changes, and vendor onboarding that touches infrastructure.

Qualifications and Experience:

5+ years in infrastructure security, platform security engineering, or security architecture roles spanning both cloud and on-prem environments.

Deep, current Azure security expertise — Defender for Cloud, Microsoft Sentinel, Azure Policy, Entra ID, PIM, etc.

On-prem infrastructure security: Server hardening, network segmentation, certificate management.

Vulnerability management at scale: tooling, prioritization frameworks, working with system owners to close findings.

Penetration test coordination: scoping, technical triage, remediation tracking. Hands-on with continuous testing platforms (Pentera or similar) appreciated.

Disaster recovery: drafting plans, running tests, working with system owners.

Compliance fluency: hands-on experience mapping ISO 27001 or NIST controls to technical infrastructure implementations and supporting external audits.

DevSecOps fluency: shift-left scanning, secrets management, policy as code.

Threat modelling at architecture level (STRIDE or equivalent, applied in practice).

Comfortable communicating with engineers, risk and compliance teams, and external auditors.

Builds rather than gatekeeps — ships secure tooling other engineers want to use, rather than policy documents they ignore.

Comfortable with multiple stakeholders.

Pragmatic over perfect — accepts that security wins by being adopted, not by being theoretically ideal.

English — professional working proficiency in writing and speaking (required).

Bachelor's degree in Computer Science, Software Engineering, or a related technical field.