Sr Developer Security Operations Architect

PennEngineering

$120K — $150K *
Information Technology
8 - 10 years of experience

Job Overview by Ladders

Qualifications

  • 8+ years of experience in cloud security, DevSecOps, or security engineering, with at least 3 years in an architect-level role
  • Deep expertise in AWS cloud architecture and security services
  • Proven experience integrating automated security tooling into CI/CD pipelines
  • Hands-on experience with infrastructure-as-code and policy-as-code using Terraform
  • Strong scripting and automation skills in Python, Go, or Bash
  • Experience securing containerized workloads such as Docker and Kubernetes
  • Excellent communication skills for translating technical risks to business terms

Responsibilities

  • Continuously assess and enhance the security posture of AWS cloud infrastructure
  • Design and build custom security tools and frameworks
  • Own the end-to-end vulnerability management lifecycle
  • Architect and implement automated security scanning in CI/CD pipelines
  • Partner with AI engineering to secure AI and LLM workloads
  • Automate policy enforcement using infrastructure-as-code tools
  • Collaborate on threat response practices across technology stacks

Benefits

  • Work in a hands-on leadership role that fosters innovation
  • Contribute to a rapidly evolving AI application portfolio
  • Engage in a proactive, automation-first security environment
  • Build strong relationships with engineering and product teams
  • Enjoy a workplace that values speed and security integration

Full Job Description

The Senior DevSecOps Architect is responsible for building and operating the security architecture that enables PennEngineering's engineering teams to ship code safely at high velocity. This is a hands-on leadership role: part architect, part builder, part platform engineer. You will own the security posture of our global AWS cloud environment and customer-facing platforms, automate the guardrails that protect organizational assets, and ensure that our CI/CD pipelines enforce security by design, without creating friction that slows our teams down.

As PennEngineering's AI application portfolio grows, including AI-powered workflows, agentic systems, and customer-facing digital platforms, this role will play a critical part in establishing the security architecture and governance frameworks that allow those systems to operate reliably, safely, and at enterprise scale.

Key Responsibilities

Cloud Security Posture & Remediation
  • Continuously assess, harden, and elevate the security posture of PennEngineering's AWS cloud infrastructure, covering both customer-facing platforms and internal enterprise systems
  • Design and build custom security tools, frameworks, and policies tailored to protect PennEngineering's internal and external organizational assets
  • Own the end-to-end vulnerability management lifecycle, including triage, tracking, prioritization, and automated remediation of identified vulnerabilities and cloud misconfigurations
  • Establish a continuous posture improvement program with defined baselines, remediation SLAs, and executive-level reporting on security health


Pipeline Security & CI/CD Integration
  • Architect and implement automated security scanning (SAST, SCA, and DAST), embedded directly into CI/CD pipelines, ensuring checks are high-fidelity and low-latency to support our daily deployment cadence
  • Configure pre-commit hooks, pull request checks, and branch protection rules that automatically detect and block secrets, misconfigurations, or vulnerable dependencies before they reach production
  • Partner with AI engineering teams to secure AI/LLM workloads within the pipeline, including prompt injection protections, model input/output validation, and agentic system guardrails
  • Establish security gate standards and developer-friendly documentation so engineering teams understand what is enforced, why, and how to resolve failures quickly


Automated Governance & Policy-as-Code
  • Replace manual security audits with automated policy enforcement using infrastructure-as-code tools (Terraform, AWS Config), ensuring non-compliant infrastructure cannot be provisioned
  • Build event-driven automation to detect and auto-remediate common security issues in near real-time, reducing mean time to respond across the environment
  • Define and maintain security governance standards, including access controls, secrets management, encryption policies, and data classification frameworks
  • Establish audit-ready documentation and evidence collection practices to support internal compliance reviews and external assessments


Cloud Operations & Threat Response
  • Maintain the operational security health of PennEngineering's AWS environment, using automation to manage scaling events, configuration drift, and self-healing infrastructure
  • Operationalize CrowdStrike and Zscaler telemetry by automating the correlation of security alerts to reduce noise and trigger rapid, automated response workflows
  • Define and own security incident response playbooks; lead root-cause analysis and post-incident reviews to drive systemic improvements
  • Collaborate with IS, infrastructure, and AI engineering teams to ensure threat response practices are integrated across the full technology stack


Security Architecture for AI & Emerging Platforms
  • Define the security architecture for PennEngineering's AI-powered application portfolio, including data access controls, model governance, prompt safety, and auditability for agentic systems
  • Evaluate and advise on security posture for new platforms, tools, and third-party integrations as the technology portfolio evolves
  • Partner with the Principal Systems Architect and AI engineering teams to embed security requirements into solution designs from the earliest stages
  • Stay current on emerging threats relevant to AI systems, cloud-native architectures, and manufacturing/industrial environments, and translate findings into actionable architectural guidance


Key KPIs
  • Vulnerability remediation SLA compliance: % of identified vulnerabilities resolved within defined timeframes by severity tier
  • Pipeline security gate effectiveness: % of CI/CD pipelines with automated security scanning enabled; false-positive rate maintained below threshold to avoid developer friction
  • Mean time to detect and respond (MTTD / MTTR) for security incidents across the cloud environment
  • Policy-as-code coverage: % of infrastructure provisioned through automated, policy-enforced pipelines vs. manual processes
  • Cloud security posture score: continuous improvement trend against defined baseline using AWS Security Hub or equivalent
  • AI workload security coverage: % of AI-powered applications and agentic systems operating under defined security architecture standards


What does success look like?

Success in this role means PennEngineering's engineering teams ship code at high velocity with confidence, knowing that automated security guardrails are working in the background, not slowing them down. Security findings are caught earlier in the development cycle, remediated faster, and tracked with full visibility. Our AWS environment maintains a continuously improving posture, and our AI-powered platforms operate under clear, auditable security architecture.

The Senior DevSecOps Architect is successful when security is a competitive enabler for PennEngineering's Speed of Now transformation, not a constraint on it. You are proactive, automation-first, and deeply collaborative. You build relationships with engineering and product teams by making security easy to do correctly, and you bring the same data-driven discipline to security operations that our engineering teams bring to delivery.

Required Qualifications
  • 8+ years of experience in cloud security, DevSecOps, or security engineering, with at least 3 years in an architect-level role
  • Deep expertise in AWS cloud architecture and security services, including IAM, Security Hub, GuardDuty, Config, KMS, VPC design, and CloudTrail
  • Proven experience integrating automated security tooling (SAST, SCA, DAST) into modern CI/CD pipelines without degrading deployment velocity
  • Hands-on experience with infrastructure-as-code and policy-as-code approaches using Terraform or AWS CDK
  • Strong scripting and automation skills in Python, Go, or Bash, with the ability to build custom security tools and integrate systems programmatically
  • Experience securing containerized workloads including Docker, Kubernetes, and ECS/EKS deployments
  • Practical knowledge of vulnerability management, threat modeling, incident response, and security operations in a cloud-native environment
  • Demonstrated ability to work as a trusted partner to engineering and product teams, designing security that accelerates rather than blocks delivery
  • Excellent communication skills, including the ability to translate technical security risks into business terms for senior leadership
  • Bachelor's degree in Computer Science, Information Security, Engineering, or a related technical field


Preferred Qualifications
  • Experience defining security architecture for AI/LLM-powered systems, including prompt injection protections, model access controls, output validation, and auditability requirements for agentic applications
  • Hands-on experience operationalizing CrowdStrike and Zscaler in an enterprise environment
  • Familiarity with Model Context Protocol (MCP) and emerging security considerations for tool-use in agentic AI systems
  • Experience in manufacturing, industrial, or complex B2B technology environments
  • Relevant certifications: AWS Security Specialty, CISSP, CCSP, or equivalent
  • Experience contributing to or leading security programs in support of SOC 2, ISO 27001, or similar compliance frameworks
  • Background working in a global organization with multi-region cloud deployments
