Cloud Security Engineer
About the role
This team is part of Pega’s Cloud Cybersecurity organization within the Cloud Cybersecurity Operations tribe. We help build and operate the security controls, automation, and response capabilities that protect Pega's cloud environments, including FedRamp-regulated government infrastructure, commercial AWS, and multi-cloud platforms. We work across IAM, vulnerability management, compliance automation, SOAR response actions, and AI-driven security tooling. Engineers on this team own their domains end-to-end: design, build, operate, and iterate.
Responsibilities
- Access Governance & Identity Operations (30%): Own Okta administration for PCFG and Commercial environments: MFA resets, account provisioning, Okta Verify troubleshooting, policy enforcement
- Manage IAM roles, permission boundaries, deployment entitlements, and access reviews across PCFG accounts (CloudOps, Jenkins, deployment pipelines)
- Build and maintain entitlement automation workflows for joiner/mover/leaver processes
- Support SailPoint quarterly certifications and access request workflows; contribute to AI-assisted certification automation
- Vulnerability Scanning & Remediation (25%): Operate Nessus/Tenable and Netsparker scanning across PCFG RnD and PCFG Prod
- Respond to audit scan requests (UKCE, SOC, FedRAMP assessors) with findings and evidence
- Track and ensure zero high-severity findings outstanding beyond 30 days
- Compliance Patching & BAU (25%): Execute FedRAMP Control Plane patching cycle every sprint — mandatory compliance obligation, non-negotiable
- Execute PCFG RnD OS automated patching and validate Commercial environment patches (SailPoint, PingCastle)
- Maintain patch compliance metrics; escalate blockers before sprint close
- Contribute to SSM Patch Manager automation to reduce manual patching overhead over time
- Cloud Infrastructure & Automation Engineering (20%): Build infrastructure automation: Control Tower account provisioning, PCFG account lifecycle, CloudFormation role deployment
- Develop SSM Patch Manager alerting and role infrastructure
- Contribute to team-wide AI-driven remediation features — SOAR response actions, AWS Config automation, and AI intake tooling
Qualifications
- 3+ years in cloud security engineering or a closely adjacent role; hands-on with AWS (IAM, CloudFormation, SSM, Inspector, Config, GuardDuty)
- Experience operating in a FedRAMP or similarly regulated environment, you understand what compliance-driven delivery looks like
- Proficient with identity platforms: Okta administration, SailPoint or equivalent IGA tooling
- Comfortable writing automation: Python, shell, CloudFormation/Terraform, you don't wait for someone else to build the script
- Familiar with vulnerability scanning tools (Nessus/Tenable, Netsparker, or AWS Inspector)
- You operate well in a team that splits time between BAU obligations and feature delivery, context-switching is part of the job
- Exposure to SOAR platforms (Chronicle SecOps, Siemplify, or similar) is a plus
- Experience with GitHub-based CI/CD pipelines, you're comfortable with PR-gated workflows, GitHub Actions, and treating infrastructure and security content as code that gets reviewed before it ships
- You use AI tools (Copilot, ChatGPT, or similar) as part of how you build, scaffolding automation, generating test cases, accelerating repetitive engineering work and you know how to validate what comes out
Pay
Base salary range for this role is 86,700 - 129,600 USD annually. This role may also be eligible for annual bonus OR commission, as well as benefits and other incentives. The final compensation will be determined during the offer process based on the candidate's education, experience, skills, and qualifications, as well as market conditions and may vary from the posted range.