Role Description We are hiring a Cybersecurity Engineer to support customer deployments in classified environments, ensuring Istari’s platform operates securely, compliantly, and reliably in real-world mission systems. This role sits within Customer Success and focuses on hands-on system and infrastructure security—not just documentation or policy. Depending on your background, you may lean more toward: - System hardening (Windows/Linux) - Secure network infrastructure (classified environments) In this role, YOU will be the difference between a platform that looks secure on paper, and one that actually works inside real classified mission environments. What You'll Do - Deploy and secure Istari’s platform in: - SIPR, JWICS, and air-gapped environments - Implement and validate: - DISA STIGs - NIST 800-53 / 800-171 controls - Perform hands-on security work, including: - System hardening (Windows & Linux) - Vulnerability scanning (ACAS/Nessus) - STIG validation and remediation - POA&M management - Design, configure, or support secure network architectures, including: - Segmentation, boundary defense, and routing in classified environments - Troubleshoot and resolve: - Security configuration issues - Connectivity and compliance blockers - Work directly with: - Customer security teams (ISSO, ISSM, AO, SCA) - Program and infrastructure teams - Provide feedback to engineering on: - Real-world deployment constraints - Security gaps and improvements Qualifications - Active TS clearance with SCI eligibility - Security+ (required) — CISSP, CISM, or CASP+ preferred - 4+ years of hands-on experience in cybersecurity, system administration, or network engineering - Direct experience with: - NIST 800-53 / 800-171 - DISA STIGs - Experience operating in: - Classified environments (SIPR, JWICS, SAP) Requirements - Experience Profile A: System Hardening (System Administration) - Strong experience securing Windows and/or Linux systems - Hands-on System Patching, STIG implementation and validation - Experience running scans, remediating findings, and managing POA&Ms - Experience Profile B: Secure Infrastructure (Network Engineering) - Experience designing or supporting secure network architectures in classified environments - Knowledge of network segmentation, boundary defense, and secure connectivity - Familiarity with STIGs for network devices and infrastructure Benefits - $116,000 - $174,000 a year (may be additionally eligible for stipend, one-time incentive, or % differential for clearance)

Ever since we started in 2007, Sunrun has been at the forefront of connecting people to the cleanest energy on Earth. It’s why we’ve become the #1 home solar and battery company in America. Today, we’re on a mission to change the way the world interacts with energy, and we’re building a company and brand that puts power at the center of life. And we’re doing it by designing a dynamic culture where employee development, well-being, and safety come first. We’re unlike any other solar company. Our vertically integrated model gives us total control over every part of the energy lifecycle – from sale through installation and beyond – so you can find endless opportunities for growth. Come join a career you can grow in and a culture you can run with. This position is primarily remote, with occasional visits to a local office or our corporate headquarters for team-building, training, and collaborative project work. These on-site sessions are designed to strengthen connections, share insights, and ensure a seamless experience for our team and customers. Equipment pick-up from a local branch will be required. We will provide advance notice whenever on-site attendance is required, making these times purposeful and rewarding. Position Overview: The Application Security Engineer at Sunrun plays a pivotal role in protecting the applications that power our business. This position requires expertise across identity systems, and software development lifecycle. You will be responsible for driving the identification, assessment, and mitigation of security risks from the initial design phase through deployment and beyond. You will collaborate closely with developers and IT teams to integrate robust security practices, implement advanced protective measures for both applications and identities, and foster a comprehensive culture of security across the organization. Key Responsibilities - Threat Modeling & Security Design: Assess potential attack vectors and design defense-in-depth strategies that address gaps across infrastructure, 1st and 3rd party applications, and identity management. - Secure Software Development Life Cycle (SSDLC): Partner with application development teams to integrate security into every stage of the development lifecycle. Champion secure coding standards, conduct security code reviews, and provide expert guidance to minimize vulnerabilities before production. - Identity & Access Management (IAM): Design, implement, and manage identity security solutions across 1st and 3rd party applications. Showcase hands-on experience in implementing strategies like Zero Trust architecture and modern authentication standards like WebAuthn. - Implement & Manage Security Controls: Design, implement, and fine-tune application security controls like SAST/DAST vulnerability scanning andand standardizing secure coding practices. Establish and improve operational processes to ensure their continued effectiveness. - Guidance, Training & Compliance: Develop and maintain security policies and standards for both application and identity security. Provide ongoing training to developers to elevate secure coding practices. - Stakeholder Collaboration: Use strong critical thinking and communication skills to present complex technical concepts to business stakeholders, gain alignment, and independently drive security initiatives forward. Qualifications - 7+ years of combined experience in application security and identity & access management (IAM), with a proven track record of supporting application development teams. - Deep knowledge of application security principles, secure coding practices, common vulnerabilities (e.g., OWASP Top 10), and zero-trust architecture. - Hands-on experience with security testing tools (SAST, DAST), Web Application Firewalls (WAF), and IAM platforms (e.g., Okta, AWS IAM). - Proficiency in programming languages such as Java, Python, or JavaScript. - Strong familiarity with cloud environments (AWS, GCP) and their native security and identity controls. - Demonstrated expertise in threat modeling and designing defense-in-depth strategies for complex applications. - Solid understanding of modern identity standards and technologies, including MFA, SSO, and WebAuthn. - Excellent communication and collaboration skills, with the ability to articulate technical findings and security risks to diverse audiences. - Strong critical thinking and creative problem-solving skills, with the ability to analyze systems from an attacker's perspective and devise effective countermeasures. Preferred Qualifications - Experience with Okta and Salesforce security principles and best practices. - Certifications (preferred): Certified Information Systems Security Professional (CISSP), Certified Application Security Engineer (CASE), or similar credentials. Recruiter: Kristina Sedjo (kristina.sedjo@sunrun.com) Please note that the compensation information is made in good faith for this position only. It assumes that the successful candidate will be located in markets within the United States that warrant the compensation. Please speak with your recruiter to learn more. Starting salary/wage for this opportunity: 154,799.31 to 185,759.18 Compensation decisions will not be based on a candidate's salary history. You can learn more here. This job description outlines the primary responsibilities, some essential job functions, and qualifications for the role. It may not include all essential functions, tasks, or requirements. If you are a qualified individual with a disability and you need reasonable accommodation during the hiring process or to perform this role, please contact us at candidateaccommodations@sunrun.com. Sunrun is proud to be an equal opportunity employer that does not tolerate discrimination or harassment of any kind. We believe that empowering people and valuing their differences are essential for our mission of connecting people to the cleanest energy on earth. Learn more here: EEO | Sunrun

• Designing, implementing, and operating identity and authorization platforms used across internal and external services • Defining and evolving authentication and authorization patterns based on OAuth 2.0, OpenID Connect, and token-based security • Supporting and improving API security using API Gateway technologies, preferably Kong, including authentication flows, rate limiting, and policy enforcement • Collaborating with engineering teams to securely integrate identity solutions into APIs and services • Building and maintaining infrastructure using Infrastructure as Code (Terraform) • Operating and securing Kubernetes-based workloads and identity-related services • Contributing to cloud architecture decisions with a strong focus on security, resilience, and scalability • Partnering with DevOps and SRE teams to improve observability, incident response, and operational excellence • Participating in security reviews, threat modeling, and architecture design discussions • Defining best practices, documentation, and reference architectures for identity and access management • Continuously learning and staying current with modern identity, cloud security, and platform engineering practices

• Design and implement SAP Identity Authentication Service (IAS) and Identity Provisioning Service (IPS) architectures • Integrate SAP BTP with corporate IdPs (Azure AD, Entra ID, AD, LDAP, SAML, OAuth2, OpenID Connect) • Configure Single Sign-On (SSO), MFA, Conditional Access, and Trust configurations • Manage user lifecycle, role mapping, and automated provisioning/de-provisioning across SAP systems Security & Compliance • Implement and govern SAP Cloud Identity Services (CIS) best practices • Define security standards for BTP applications, APIs, AI services, and integrations • Support compliance requirements (ISO 27001, GDPR, SOC, internal security policies) • Conduct security reviews, risk assessments, and audits for SAP BTP landscapes BTP & AI Enablement • Secure AI-enabled SAP services (e.g., SAP AI Core, AI Launchpad, Joule, custom AI apps on BTP) • Ensure secure access to APIs, data, and AI models using OAuth2, XSUAA, and service bindings • Collaborate with SAP architects, AI teams, and developers to embed security by design Operations & Governance • Monitor and troubleshoot authentication, provisioning, and authorization issues • Establish identity governance, access reviews, and logging/monitoring strategies • Create security documentation, standards, and operational runbooks