Cloud Security Engineer
Opendoor
Other Engineering
RESEARCH & DEVELOPMENT
Cloud Security Engineer
About the Role (Hybrid 4 days onsite, 1 remote)
At Opendoor our goal is to build the biggest, most trusted housing platform and set a new
standard for how people move. We've combined our deep, proprietary data and operational
expertise with the power of artificial intelligence to make online home selling and buying
radically simple.
Our Security Engineering team is building intelligent systems that protect Opendoor and our
customers while enabling unprecedented engineering velocity. We apply software engineering
and AI to solve security problems across product, infrastructure, and operations by building
guardrails where they matter, not gates where they don't.
As our Cloud Security Engineer, you'll own the security of the infrastructure that runs Opendoor
— multi-account AWS, EKS, the IAM and identity plane connecting Okta to every system, and
the cloud workloads that handle home acquisition, resale, mortgage, title, and escrow. You'll
inherit a recently-completed EKS migration, an in-progress CSPM/CNAPP replacement, and a
zero-trust roadmap waiting for a technical owner.
What You'll Do
● Own the security architecture of our AWS estate — across multiple accounts, EKS
clusters, Terraform-managed infrastructure, and the IAM plane that ties everything
together.
● Manage and optimize our CNAPP and CSPM cloud security tooling, ensuring platforms
are effectively integrated into engineering workflows to drive the automated remediation
of infrastructure risks.
● Modernize our secure access strategy by deploying Zero Trust principles—integrating
device trust and identity-aware proxies—to provide seamless, least-privileged access to
internal infrastructure.
● Harden our EKS environment — RBAC, admission policies, workload identity, runtime
protection, image signing, and base-image strategy on top of our Bottlerocket +
Karpenter foundation.
● Build new agentic detection-and-response workflows using Lambda + AWS-native
primitives that close the loop from alert to investigation to remediation.
● Drive a 'Shift-Left' cloud security strategy within our pipelines using Terraform/Terrakube,
GitHub Actions, ECR — so that misconfigurations get caught at PR time, not in a CSPM
dashboard a week later.
● Partner with the Infrastructure team on cloud-native security decisions: VPC architecture,
ingress, secrets management (Vault), service identity, and how Okta extends into AWS,
Azure, and GCP.
● Run our cloud detection engineering: GuardDuty, Security Hub, CloudTrail, VPC flow
logs — tuned for signal, integrated with Datadog and our incident response playbooks.
● Support cloud security for our subsidiaries (OS National, Mainstay Title) including Azure
+ Windows AD environments, with adversarial review of the systems that touch wire
fraud risk.
● Set the bar for what "secure by default" looks like for AI-maximalist engineering —
vibe-coded apps, MCP servers, and agent-driven workflows that touch production cloud
infrastructure.
● Mentor engineers across Security, Infra, and Product Eng on cloud security patterns, and
turn the patterns you see into automated guardrails so the next team doesn't make the
same mistake.
Tech Stack
● Cloud: AWS, Azure, GCP
● Containers / Orchestration: EKS, Bottlerocket, Karpenter, Helm, Argo CD
● IaC: Terraform, Terrakube (self-hosted)
● Identity & Access: Okta, Duo, AWS Identity Center, Okta-OIDC for EKS, Platform SSO
(macOS), Hashicorp Vault
● Cloud Security: GuardDuty, Security Hub, CloudTrail, GitHub Advanced Security;
CSPM/CNAPP replacement in flight (Wiz, Datadog Cloud Security, CrowdStrike Falcon
Cloud Security under eval)
● Detection / Observability: Datadog (security + observability), Cribl, CloudTrail, S3 archive
● Languages: Go, Python, TypeScript, Ruby, HCL
● AI Tooling: Claude, OpenAI, Claude Code, Runlayer MCP, custom agent frameworks —
used heavily for alert triage, IaC review, and remediation drafting
What You'll Need
● Deep conviction that AI and automation should eliminate manual work humans shouldn't
be doing anyway. You're excited to replace ticket toil and manual cloud config review
with automated systems, IaC guardrails, and agents.
● Business enablement security mindset — you measure success by business impact and
informed risk-taking, not by tickets opened or compliance checklists completed.
● 5+ years of cloud or infrastructure security experience, with deep AWS expertise (Azure
and GCP a plus). You can read a CloudTrail event, write a service control policy, and
explain why a particular IAM trust policy is dangerous, in the same conversation.
● Strong skills in at least one of Go, Python, or TypeScript, with the ability to read and write
Terraform and shell. You are a builder.
● Hands-on Kubernetes security experience — RBAC, network policies, admission control,
workload identity, image and supply-chain security. EKS specifically is a plus.
● Experience deploying and operating CSPM, CNAPP, or CWPP tooling (Wiz, Prisma,
Orca, Datadog, CrowdStrike Falcon Cloud, Lacework, or equivalent) — and a point of
view on what good looks like vs. what's noise.
● Identity-first security mindset — IAM, OIDC, SAML, federation, secrets management —
and the ability to design least-privilege access at scale.
● Humility and genuine curiosity — you're as excited to learn from product and infra
engineers and enable their work as you are to write detections or design guardrails.
Bonus Points For
● Experience designing or operating Zero Trust Network Access (Cloudflare Access,
Tailscale, Twingate, Google BeyondCorp, etc.).
● Detection engineering background — writing detections that actually fire on real attacker
behavior without burying the team in noise.
● Experience securing AI/ML pipelines, agent frameworks, or MCP-style integrations that
touch production data.
● Familiarity with SOC 2, SOX, or other compliance frameworks in cloud environments —
and an instinct for when compliance work creates real security value vs. when it doesn't.
● Open-source contributions to cloud security tooling (Cartography, Prowler, ScoutSuite,
Falco, Kyverno/OPA, Checkov, etc.).
Compensation
We also offer a comprehensive package of benefits including unlimited PTO,
medical/dental/vision insurance, life insurance, and 401(k) to eligible employees.
#LI-RO
About Opendoor
At Opendoor our mission is to tilt the world in favor of homeowners and those who aim to become one. Homeownership matters. It's how people build wealth, stability, and community. It's how families put down roots, how neighborhoods strengthen, how the future gets built. We're building the modern system of homeownership giving people the freedom to buy and sell on their own terms. We’ve built an end-to-end online experience that has already helped thousands of people and we’re just getting started.
Ready to apply?
You’ll be redirected to our application portal to submit your resume and answer a few questions.
Apply for this role