Senior Compliance Engineer

The Corporate Assurance Team manages enterprise cybersecurity governance, risk, and compliance (GRC) by implementing and operationalizing global compliance frameworks across Anduril's corporate and product environments. The team serves as the bridge between regulatory requirements and engineering execution, ensuring that Anduril's rapidly evolving technology stack meets the highest standards of security and compliance.

The Compliance Engineer is a technically hands-on role responsible for driving automation, compliance, and security engineering principles into the design, integration, and operation of Anduril's internal systems. This individual will be instrumental in securing Anduril's software development process by translating complex compliance requirements into scalable, automated, and developer-friendly solutions.

The ideal candidate brings a strong DevSecOps background with deep expertise in cloud infrastructure security, embedded systems security, and federal compliance frameworks. They are equally comfortable writing Terraform modules as they are interpreting NIST controls, and they thrive at the intersection of security policy and engineering execution.

This is not a paperwork-driven compliance role. This is a builder's role. You will architect and automate compliance infrastructure that enables Anduril's engineering teams to deploy secure, compliant applications by default — removing bottlenecks rather than creating them.

WHY THIS ROLE MATTERS

At Anduril, compliance is not a checkbox — it is an engineering discipline. The Compliance Engineer plays a critical role in ensuring that Anduril can move fast without compromising the security and regulatory posture required to serve national defense missions. By building compliance into the foundation of our infrastructure, you will directly enable engineering teams to focus on what they do best: building transformative technology that protects those who protect us.

KEY RESPONSIBILITIES

Infrastructure & Automation

• Design, develop, and maintain Infrastructure as Code (IaC) and Policy as Code (PaC) that enforce compliance with NIST SP 800-171 and 800-53, CMMC, and other applicable frameworks, enabling developers to deploy CMMC-certified applications using pre-packaged, compliant infrastructure templates.
• Architect, build, and deploy robust, scalable security controls across Anduril's corporate, development, and production cloud environments (AWS, Azure, GCP) and on-premise environments.
• Develop and automate IaC pipelines for managing and scaling cloud deployments securely and efficiently, including automated pipelines for deploying infrastructure, applications, and updates.
• Build automation for procedural compliance controls, generating compliance and audit artifacts at scale without manual intervention.
• Develop security models that integrate Continuous Monitoring (ConMon), DISA STIG scanning, and compliance reporting into a unified, automated workflow.
• Ensure that compliance requirements for rapid, secure deployments translate into robust, repeatable tool chains.

Compliance Engineering & Framework Implementation

• Analyze, interpret, and operationalize federal and industry cybersecurity regulations, including NIST SP 800-171 and 800-53, CMMC, FedRAMP, and SOC 2, translating regulatory language into actionable engineering guidance and enforceable technical controls.
• Evaluate system architectures and configurations to ensure alignment with required security controls for moderate-impact information systems.
• Interface directly with infrastructure teams to verify and enforce compliance across existing on-premise and cloud stacks, identifying gaps and driving remediation.
• Collect, review, and where necessary modify system architecture to meet evolving compliance requirements, ensuring that security is embedded into the design phase rather than bolted on after the fact.
• Conduct compliance testing, studies, and assessments of Anduril's products and integrated components to uncover potential weaknesses and validate control effectiveness.
• Develop, update, and maintain cybersecurity policies, standards, procedures, and playbooks in coordination with the Information Security Team.
• Stay current on changes to federal and industry cybersecurity regulations and proactively communicate their impact to engineering and leadership teams.

Cross-Functional Collaboration & Enablement

• Partner with engineers, the DevSecOps Team, and the Automation Team to implement and verify security controls in both corporate and product software environments.
• Act as a force multiplier by embedding security best practices into the workflows of infrastructure, application, and product teams, particularly for environments holding mission-critical data.
• Support and expedite the new software onboarding process by evaluating the technical requirements of new software for CMMC compliance and guiding developers through the path to compliant deployment.
• Coordinate and deliver briefings to ensure Anduril's technical teams understand their compliance obligations, translating complex security concepts for diverse technical and non-technical audiences.
• Brief security architectures and approaches to program leadership, providing clear recommendations and risk-informed guidance.
• Work closely with Information Systems leadership, project managers, and stakeholders to integrate compliance requirements into active projects and update or modify compliant systems as organizational needs evolve.
• Collaborate with other principals and subject matter experts to ensure end-to-end automation across the compliance lifecycle.
• Act as SME for security and automation topics during internal reviews, audits, and cross-team planning sessions.

Strategic & Advisory

• Develop strategies and implementation plans for compliance-related matters, advising management on risk posture, regulatory changes, and investment priorities.
• Institute best-practice procedures for compliance and risk mitigation across the organization.
• Guide technical and operational decision-making towards future product offerings and efficient organizational processes.
• Ensure the company's ongoing technical compliance with all applicable laws, regulations, and contractual obligations.
• Produce clear documentation and reporting on compliance testing outcomes, process improvements, and emerging risks.

Education & Experience

• 3+ years of professional experience in Cloud Security, DevSecOps, Site Reliability Engineering (SRE), or a related security engineering role.
• Background in one or more of the following disciplines: Systems Security Engineering, Cybersecurity, Systems Engineering, Software Engineering, Computer Engineering, or Computer Science.
• Proven experience building and securing complex cloud environments at scale.
• 3+ years of hands-on experience working with compliance frameworks such as CMMC, NIST SP 800-171 and/or 800-53, and FedRAMP.
• Previous work on security engineering and architecture for defense/national security systems and/or complex embedded commercial systems is strongly preferred.
• Hands-on experience executing against recurring operational regulatory requirements (e.g., continuous monitoring, periodic assessments, audit cycles).

Technical Skills

• Deep proficiency in at least one major cloud provider (AWS, Azure, or GCP), with a strong understanding of cloud infrastructure and security concepts.
• Strong hands-on experience with Infrastructure as Code tools, particularly Terraform; experience with CloudFormation or Bicep is a plus.
• Demonstrated ability to build, deploy, and manage Terraform modules and infrastructure templates in production environments.
• Solid programming and scripting ability in one or more languages (e.g., Python, Go, Rust).
• Firm understanding of public cloud networking principles, including VPCs, subnets, routing, security groups, and network segmentation.
• Proficiency with core security concepts including encryption, authentication, identity and access management, and Zero-Trust Architecture (ZTA).
• Experience with continuous monitoring and security tooling such as Tenable, Splunk, Elasticsearch, or equivalent platforms.

Soft Skills & Competencies

• Ability to communicate compliance requirements clearly and effectively to engineering teams, development teams, and non-technical stakeholders.
• Strong understanding of the "why" behind product, systems, and security design decisions — not just the "what."
• Comfort working at the interface of compliance and infrastructure engineering, with the ability to context-switch between policy interpretation and hands-on technical work.
• Self-directed, with the ability to prioritize across multiple concurrent compliance and engineering initiatives.

Eligibility

• Must be eligible to obtain and maintain a U.S. Secret security clearance.

• Experience hardening and monitoring Kubernetes clusters (EKS, GKE, AKS).
• Experience with Cloud Security Posture Management (CSPM) or cloud-native threat detection tooling.
• Familiarity with CI/CD pipelines and experience securing the software supply chain.
• Experience with security assessment methodologies and vulnerability management programs.
• Relevant certifications such as AWS Solutions Architect, Certified Kubernetes Administrator (CKA), CISSP, CISM, or CompTIA Security+.
• Experience working in fast-paced, high-growth defense technology environments