The Netskope Engineer owns the design, administration, and optimization of the organization's Netskope One Security Service Edge (SSE) platform. This hands-on engineering role spans CASB, Next Gen Secure Web Gateway, and Data Loss Prevention - and, where deployed, ZTNA (Netskope Private Access), Cloud Firewall, RBI, and DNS Security - covering policy creation, traffic steering, client deployment, SaaS controls, SSL/TLS inspection, alert triage, reporting, and integrations with identity, endpoint, network, SIEM, SOAR, and ITSM platforms.
Location: San Francisco Bay Area Preferred, will consider RemoteKey Responsibilities- Netskope Platform Engineering and Administration
- Administer the Netskope tenant, including role-based access, configuration standards, policy objects, security profiles, dashboards, alerts, and reporting.
- Engineer, test, deploy, and tune Real-time Protection policies for web, SaaS, cloud, and data protection use cases.
- Configure and support traffic steering methods such as Netskope Client, PAC/proxy methods, GRE/IPsec tunnels, and enterprise forwarding patterns as applicable.
- Deploy, upgrade, and troubleshoot Netskope Client across Windows, macOS, and mobile endpoints in partnership with endpoint and device management teams.
- Maintain certificate trust, SSL/TLS inspection configuration, steering exceptions, bypass rules, and user notification workflows.
- Analyze SkopeIT events, policy hits, audit logs, alerts, and user activity to identify misconfigurations, risky behavior, and opportunities for policy improvement.
- Create and maintain engineering documentation, implementation plans, standard operating procedures, runbooks, change records, and support handoff materials.
- CASB Engineering
- Implement inline and API-enabled CASB controls for sanctioned SaaS applications such as Microsoft 365, Google Workspace, Box, ServiceNow, GitHub, and other business platforms.
- Build policies using Netskope context such as user, group, app, instance, activity, device posture, location, app risk, file type, threat level, and data sensitivity.
- Identify and manage Shadow IT and risky cloud application usage; define controls for allowed, blocked, coached, or monitored applications.
- Support corporate-versus-personal instance controls to prevent data movement into unauthorized cloud tenants or personal storage locations.
- Configure SaaS API protection use cases for data-at-rest scanning, public sharing detection, malware detection, sensitive data exposure, and remediation workflows.
- Deploy SaaS Security Posture Management (SSPM) to detect and remediate SaaS misconfigurations, enforce best-practice baselines, and prevent compliance drift across sanctioned tenants.
- Partner with application owners and security stakeholders to translate SaaS business requirements into enforceable Netskope policies.
- Secure Web Gateway Engineering
- Design and maintain SWG policies for internet access, URL categories, web reputation, file downloads, uploads, risky destinations, and acceptable use requirements.
- Configure custom categories, URL allow/block lists, block pages, coaching prompts, user justification workflows, and exception handling.
- Tune SSL/TLS decryption policies to balance security inspection, privacy requirements, performance, and business application compatibility.
- Support protection against malware, phishing, suspicious downloads, command-and-control traffic, and risky browser-based activity, including Remote Browser Isolation (RBI) for uncategorized or high-risk destinations.
- Troubleshoot web access, browser, certificate, proxy, DNS, routing, authentication, latency, and policy enforcement issues with network and help desk teams.
- DLP Engineering
- Design, test, tune, and maintain Netskope DLP profiles, rules, data identifiers, dictionaries, classifiers, document fingerprinting, exact data match, and file-type controls where applicable.
- Create DLP policies to protect PII, PHI, PCI, credentials, source code, legal documents, financial data, intellectual property, regulated data, and confidential business information.
- Apply DLP controls to uploads, downloads, sharing, posting, collaboration tools, cloud storage, generative AI prompts and apps, and SaaS data-at-rest inspection.
- Define policy actions such as alert, block, coach, justify, quarantine, restrict sharing, encrypt, or route to incident workflows.
- Tune false positives and false negatives through test plans, incident reviews, business feedback, exception processes, and recurring policy optimization.
- Integrate with data classification or labeling platforms such as Microsoft Purview Information Protection when required.
- Security Operations, Integrations, and Reporting
- Monitor Netskope alerts and events for data exfiltration, policy violations, malware, phishing, suspicious SaaS activity, and risky user behavior.
- Leverage Netskope behavior analytics (UEBA), risk scoring, and the Cloud Confidence Index (CCI) to surface anomalous activity, compromised accounts, insider risk, and high-risk applications.
- Integrate Netskope logs, alerts, and workflows with SIEM, SOAR, ITSM, EDR, identity, and ticketing platforms.
- Support incident response investigations by correlating Netskope activity with identity, endpoint, email, network, and cloud telemetry.
- Develop operational metrics and reports for cloud risk, blocked threats, DLP activity, policy effectiveness, application usage, and executive visibility.
- Evaluate new Netskope capabilities and recommend improvements to strengthen SSE/SASE architecture, user experience, and data protection.
Required Qualifications- 5 years of experience in security or network engineering, including hands-on experience with Netskope or a comparable SSE/SASE platform (e.g., Zscaler, Palo Alto Prisma Access).
- 5 years of experience administering or engineering Netskope in an enterprise environment, including tenant configuration, policy management, troubleshooting, and operational support.
- 5 years of experience building and tuning Netskope policies for cloud applications, web traffic, file activity, user activity, threats, and sensitive data controls.
- 5 years of experience with traffic steering, proxy architecture, Netskope Client behavior, PAC files, GRE/IPsec tunnels, certificates, routing, DNS, and SSL/TLS inspection.
- 5 years of experience with identity integrations such as Microsoft Entra ID, Okta, Ping, Active Directory, SAML, SCIM, LDAP, user groups, and conditional access concepts.
- 5 years of experience reviewing security logs, SkopeIT events, alerts, dashboards, reports, and SIEM data to support investigations and operational decisions.
- Bachelor's degree in Computer Science, Information Security, or a related field, or 7 years of equivalent practical experience.
Preferred Qualifications- Netskope certification or accreditation (e.g., Netskope Administrator, Professional, or SSE Accreditation), formal Netskope training, or equivalent production engineering experience.
- Experience with Netskope Private Access (ZTNA), Remote Browser Isolation, Cloud Firewall, DNS Security, SSPM, DSPM, CSPM/public cloud security, SkopeAI/genAI controls, or Cloud Exchange.
- Experience integrating Netskope with Splunk, Microsoft Sentinel, QRadar, ServiceNow, Jira, SOAR platforms, or custom REST API workflows.
- Strong understanding of CASB, SWG, DLP, SSE/SASE, Zero Trust, secure internet access, SaaS security, and cloud application risk concepts.
- Experience with endpoint deployment and support across Windows, macOS, and mobile platforms using MDM/UEM tools or enterprise software distribution methods.
- Working knowledge of HTTP/HTTPS, TLS, web proxies, browsers, authentication flows, SaaS platforms, APIs, and common enterprise network patterns.
- Experience designing or supporting DLP controls, sensitive data classification, incident review, exception handling, and policy tuning.
- Ability to troubleshoot complex issues across Netskope, endpoint, network, identity, browser, SaaS, and cloud environments.
- Experience securing Microsoft 365, Google Workspace, Box, Salesforce, ServiceNow, Slack, GitHub, Workday, AWS, Azure, or Google Cloud environments.
- Familiarity with Microsoft Purview, sensitivity labels, information protection, enterprise data governance, or records management programs.
- Scripting or automation experience using Python, PowerShell, REST APIs, JSON, or infrastructure/security automation tools.
- Knowledge of regulatory and security frameworks such as NIST, ISO 27001, PCI DSS, HIPAA, SOX, GLBA, GDPR, or CCPA/CPRA.
- Broader security or networking certifications such as CISSP, CCNP Security, or Microsoft SC-200
- Strong documentation and communication skills, including the ability to explain technical controls to security, infrastructure, compliance, legal, and business stakeholders.
Actual salary will depend on factors such as skills, qualifications, experience, market and work location. The client offers benefits, including health, dental and vision insurance, 401(k), flexible spending account, and paid leave (including PTO and parental leave) in accordance with our applicable plans and policies. The salary for this position in San Francisco Bay Area is $160,000 - $180,000 USD.
