Principal Infrastructure Security Engineer
Job Summary
The Principal Infrastructure Security Engineer at Upstart will define and drive the technical strategy for securing Upstart's production infrastructure and developer platforms. This role requires a minimum of 8+ years of experience in security engineering, infrastructure engineering, software engineering, or a related technical role, with a focus on infrastructure, cloud, platform, or production security.
Responsibilities
Define and drive Upstart’s infrastructure security strategy, aligning secure-by-default principles with business priorities, regulatory expectations, and Upstart’s cloud-native engineering roadmap.
Own the security roadmap for cloud, platform, compute, and deployment environments, partnering with infrastructure, platform, SRE, and product engineering leaders to reduce risk across multiple organizations.
Lead security architecture reviews for critical infrastructure initiatives, influencing technical decisions in areas such as cloud IAM, Kubernetes and container security, network controls, secrets management, infrastructure-as-code, production vulnerability management, and AI-assisted developer workflows.
Identify and reduce systemic infrastructure security risks by designing durable preventative controls, guardrails, and automation that improve security outcomes across engineering teams.
Establish standards and patterns for production access, service identity, workload trust, infrastructure hardening, vulnerability management, and secure operational practices.
Partner with engineering teams to improve the security of AI-assisted developer workflows and GenAI-enabled systems, including agentic tooling, coding assistants, and internal AI integrations that interact with production or sensitive environments.
Serve as a senior technical authority during high-severity security or production incidents, driving root cause analysis, risk-based prioritization, and long-term architectural improvements.
Elevate infrastructure security maturity across Upstart by mentoring engineers, influencing senior stakeholders through clear risk communication, and helping teams build secure systems with less friction.
Requirements
Minimum requirements:
- 8+ years of experience in security engineering, infrastructure engineering, software engineering, or a related technical role.
- 4+ years of experience focused on infrastructure, cloud, platform, or production security.
- Experience securing cloud-native infrastructure in AWS or a similar cloud environment.
- Experience with multiple infrastructure security domains, such as cloud IAM, Kubernetes or container security, network security, secrets management, infrastructure-as-code, CI/CD security, production access, or vulnerability management.
- Experience writing code or automation in Python, Go, Java, Ruby, or a similar programming language.
- Experience leading security architecture reviews or technical risk assessments for complex production systems.
- Experience designing and implementing preventative security controls, guardrails, or platform-level security solutions used by multiple engineering teams.
- Experience leading cross-functional security initiatives with infrastructure, platform, SRE, product engineering, risk, compliance, or audit stakeholders.
Preferred qualifications:
- 10+ years of experience spanning security engineering, infrastructure engineering, software engineering, or cloud platform engineering.
- Experience owning a security roadmap for a technical domain that spans multiple teams or organizations.
- Experience with Kubernetes security, service-to-service trust models, workload identity, runtime security, or cloud-native network controls.
- Experience improving cloud security posture management, hardening baselines, drift detection, or infrastructure vulnerability management programs.
- Experience building or scaling infrastructure security programs, including defining metrics, maturity models, and risk-based prioritization frameworks.
- Familiarity with security considerations for AI-assisted engineering workflows, including code generation, code review tooling, agentic automation, and sensitive data exposure risks.
- Experience partnering with Legal, Risk, Compliance, or Audit teams to operationalize security controls in a regulated environment.
- Security certifications such as AWS Security Specialty, GCP Professional Cloud Security Engineer, CISSP, CCSP, or equivalent practical expertise.
Qualifications
Education:
- A bachelor’s degree in Computer Science, Information Systems, or a related field.
Technical Skills:
- Strong understanding of cloud security concepts, including AWS, Azure, or Google Cloud Platform.
- Experience with security tools and technologies such as AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector, AWS Security Hub, AWS GuardDuty, AWS WAF, AWS Config, AWS Secrets Manager, AWS KMS, AWS IAM, AWS CloudTrail, AWS CloudFormation, AWS Lambda, AWS API Gateway, AWS EventBridge, AWS AppSync, AWS Step Functions, AWS X-Ray, AWS Trusted Advisor, AWS Inspector