Opendoor

Cloud Security Engineer

Posted 2 Days Ago
Hybrid
Seattle, WA
195K-268K Annually
Senior level
As a Cloud Security Engineer, you will secure Opendoor's infrastructure on AWS, manage security tools, modernize access strategies, and drive cloud security initiatives across multiple accounts and environments, including mentoring engineers on security patterns.
The summary above was generated by AI

About Opendoor

At Opendoor, our mission is to tilt the world in favor of homeowners and those who aim to become one. Homeownership matters. It's how people build wealth, stability, and community. It's how families put down roots, how neighborhoods strengthen, how the future gets built. We're building the modern system of homeownership, giving people the freedom to buy and sell on their own terms. We’ve built an end-to-end online experience that has already helped thousands of people, and we’re just getting started.

About the Role (Hybrid 4 days onsite, 1 remote)

At Opendoor our goal is to build the biggest, most trusted housing platform and set a new standard for how people move. We've combined our deep, proprietary data and operational expertise with the power of artificial intelligence to make online home selling and buying radically simple.


Our Security Engineering team is building intelligent systems that protect Opendoor and our customers while enabling unprecedented engineering velocity. We apply software engineering and AI to solve security problems across product, infrastructure, and operations by building guardrails where they matter, not gates where they don't.


As our Cloud Security Engineer, you'll own the security of the infrastructure that runs Opendoor — multi-account AWS, EKS, the IAM and identity plane connecting Okta to every system, and the cloud workloads that handle home acquisition, resale, mortgage, title, and escrow. You'll inherit a recently-completed EKS migration, an in-progress CSPM/CNAPP replacement, and a zero-trust roadmap waiting for a technical owner.


What You'll Do

● Own the security architecture of our AWS estate — across multiple accounts, EKS clusters, Terraform-managed infrastructure, and the IAM plane that ties everything together.
● Manage and optimize our CNAPP and CSPM cloud security tooling, ensuring platforms are effectively integrated into engineering workflows to drive the automated remediation of infrastructure risks.
● Modernize our secure access strategy by deploying Zero Trust principles—integrating device trust and identity-aware proxies—to provide seamless, least-privileged access to internal infrastructure.
● Harden our EKS environment — RBAC, admission policies, workload identity, runtime protection, image signing, and base-image strategy on top of our Bottlerocket + Karpenter foundation.
● Build new agentic detection-and-response workflows using Lambda + AWS-native primitives that close the loop from alert to investigation to remediation.
● Drive a 'Shift-Left' cloud security strategy within our pipelines using Terraform/Terrakube, GitHub Actions, ECR — so that misconfigurations get caught at PR time, not in a CSPM dashboard a week later.
● Partner with the Infrastructure team on cloud-native security decisions: VPC architecture, ingress, secrets management (Vault), service identity, and how Okta extends into AWS, Azure, and GCP.
● Run our cloud detection engineering: GuardDuty, Security Hub, CloudTrail, VPC flow logs — tuned for signal, integrated with Datadog and our incident response playbooks.
● Support cloud security for our subsidiaries (OS National, Mainstay Title) including Azure + Windows AD environments, with adversarial review of the systems that touch wire fraud risk.
● Set the bar for what "secure by default" looks like for AI-maximalist engineering — vibe-coded apps, MCP servers, and agent-driven workflows that touch production cloud infrastructure.
● Mentor engineers across Security, Infra, and Product Eng on cloud security patterns, and turn the patterns you see into automated guardrails so the next team doesn't make the same mistake.


Tech Stack

● Cloud: AWS, Azure, GCP
● Containers / Orchestration: EKS, Bottlerocket, Karpenter, Helm, Argo CD
● IaC: Terraform, Terrakube (self-hosted)
● Identity & Access: Okta, Duo, AWS Identity Center, Okta-OIDC for EKS, Platform SSO (macOS), HashiCorp Vault
● Cloud Security: GuardDuty, Security Hub, CloudTrail, GitHub Advanced Security; CSPM/CNAPP replacement in flight (Wiz, Datadog Cloud Security, CrowdStrike Falcon Cloud Security under eval)
● Detection / Observability: Datadog (security + observability), Cribl, CloudTrail, S3 archive
● Languages: Go, Python, TypeScript, Ruby, HCL
● AI Tooling: Claude, OpenAI, Claude Code, Runlayer MCP, custom agent frameworks — used heavily for alert triage, IaC review, and remediation drafting


What You'll Need

● Deep conviction that AI and automation should eliminate manual work humans shouldn't be doing anyway. You're excited to replace ticket toil and manual cloud config review with automated systems, IaC guardrails, and agents.
● Business enablement security mindset — you measure success by business impact and informed risk-taking, not by tickets opened or compliance checklists completed.
● 5+ years of cloud or infrastructure security experience, with deep AWS expertise (Azure and GCP a plus). You can read a CloudTrail event, write a service control policy, and explain why a particular IAM trust policy is dangerous, in the same conversation.
● Strong skills in at least one of Go, Python, or TypeScript, with the ability to read and write Terraform and shell. You are a builder.
● Hands-on Kubernetes security experience — RBAC, network policies, admission control, workload identity, image and supply-chain security. EKS specifically is a plus.
● Experience deploying and operating CSPM, CNAPP, or CWPP tooling (Wiz, Prisma, Orca, Datadog, CrowdStrike Falcon Cloud, Lacework, or equivalent) — and a point of view on what good looks like vs. what's noise.
● Identity-first security mindset — IAM, OIDC, SAML, federation, secrets management — and the ability to design least-privilege access at scale.
● Humility and genuine curiosity — you're as excited to learn from product and infra engineers and enable their work as you are to write detections or design guardrails.


Bonus Points For

● Experience designing or operating Zero Trust Network Access (Cloudflare Access, Tailscale, Twingate, Google BeyondCorp, etc.).
● Detection engineering background — writing detections that actually fire on real attacker behavior without burying the team in noise.
● Experience securing AI/ML pipelines, agent frameworks, or MCP-style integrations that touch production data.
● Familiarity with SOC 2, SOX, or other compliance frameworks in cloud environments — and an instinct for when compliance work creates real security value vs. when it doesn't.
● Open-source contributions to cloud security tooling (Cartography, Prowler, ScoutSuite, Falco, Kyverno/OPA, Checkov, etc.).


Compensation

We also offer a comprehensive package of benefits including unlimited PTO, medical/dental/vision insurance, life insurance, and 401(k) to eligible employees.

HQ

Opendoor San Francisco, California, USA Office

100 Montgomery St, San Francisco, CA, United States, 94104

What you need to know about the San Francisco Tech Scene

San Francisco and the surrounding Bay Area attract more startup funding than any other region in the world. Home to Stanford University and UC Berkeley, leading VC firms and several of the world’s most valuable companies, the Bay Area is the place to go for anyone looking to make it big in the tech industry. That said, San Francisco has a lot to offer beyond technology thanks to a thriving art and music scene, excellent food and a short drive to several of the country’s most beautiful recreational areas.

Key Facts About San Francisco Tech

  • Number of Tech Workers: 365,500; 13.9% of overall workforce (2024 CompTIA survey)
  • Major Tech Employers: Google, Apple, Salesforce, Meta
  • Key Industries: Artificial intelligence, cloud computing, fintech, consumer technology, software
  • Funding Landscape: $50.5 billion in venture capital funding in 2024 (Pitchbook)
  • Notable Investors: Sequoia Capital, Andreessen Horowitz, Bessemer Venture Partners, Greylock Partners, Khosla Ventures, Kleiner Perkins
  • Research Centers and Universities: Stanford University; University of California, Berkeley; University of San Francisco; Santa Clara University; Ames Research Center; Center for AI Safety; California Institute for Regenerative Medicine
