Position Overview The Senior Solutions Architect is the senior technical authority responsible for the design, integration, automation, and operational success of AppGate's Zero Trust Network Access (ZTNA) platform across U.S. Federal and DoD environments. This role requires deep, hands-on engineering expertise, not abstract or presentation-level knowledge. The successful candidate must be capable of operating systems, writing and reviewing code, debugging live integrations, and troubleshooting failures at the protocol, OS, and application level. This is a role for practitioners who build, integrate, and operate secure access systems in real-world Federal environments.   Technical Depth Expectations (Applies to All Areas Below) For every domain listed, candidates are expected to demonstrate operational competence, including the ability to: - Configure and operate systems directly - Debug failures using logs, shell access, packet captures, and code inspection - Write and modify scripts or automation to solve real problems - Explain system behavior based on implementation, not abstraction - Design and Architect systems that align with customer requirements for Appgate ZTNA - Integrate Appgate ZTNA with other 3rd party systems and sources of trust or risk telemetry including Identity Providers (SAML, OIFC, RADIUS, LDAP(s)), NGFWs, Entitlement Automation systems, SIEM/SOAR, ITSM, and many others. - Detailed documentation and information hand-off skills are also required   This role requires engineers who actively operate systems, write scripts, debug APIs, and analyze packet captures. Candidates whose experience is limited to diagrams, presentations, or vendor marketing materials will not be successful.   Core Responsibilities & Required Expertise Linux Systems & Access Enforcement Platforms (Critical) - Serve as a technical authority for Linux-based Zero Trust enforcement infrastructure - Operate and manage systems via SSH, including secure key-based access and privilege separation - Demonstrate deep, hands-on knowledge of: - Bash scripting (required) - Process management and systemd - Filesystem layout, permissions, and logging - Strong understanding of Linux networking internals: - Routing tables and policy routing - Interface binding and traffic steering - iptables / nftables - Diagnose complex cross-platform issues where Linux enforcement points interact with Windows and macOS endpoints JavaScript & REST API Integration Engineering (Critical) - Develop and maintain JavaScript-based logic executed on Appgate appliances to enable integration and automation - Build and troubleshoot REST API integrations with external systems, including: - Microsoft Graph API - ServiceNow REST APIs - Identity, ITSM, logging, NGFW, and security platforms - Apply strong understanding of: - RESTful API design and consumption - JSON data models and schema validation - Authentication methods (OAuth, tokens, certificates) - Operate within an API-first, Security-as-Code/Everything-as-Code architecture Containers & Kubernetes Architecture - Architect Zero Trust access enforcement for containerized and microservices-based workloads - Support Kubernetes environments, including: - Sidecar injection and operator-based enforcement models - Secure service exposure and service-to-service access - Integration with Kubernetes networking (CNI), ingress, and egress controls - Ensure access models scale across on-premises and cloud-native environments Automation, Infrastructure as Code & Configuration as Code - Design and implement Infrastructure as Code (IaC) using Terraform - Implement Configuration as Code (CaC) and GitOps workflows for: - Appgate ZTNA Policies - Appgate ZTNA Entitlements - Integrations with 3rd party systems and Entitlement Engines - Integrate Zero Trust deployments into CI/CD pipelines aligned with Federal DevSecOps standards - Ensure all automation is: - Version-controlled - Repeatable - Auditable - API-driven Identity & Authentication Engineering (Critical) - Architect identity-centric access solutions using enterprise identity systems as the authoritative control plane - Deep hands-on expertise with: - Active Directory, including multi-domain and multi-forest environments - Domain Controllers and LDAP/LDAPS binding behavior - Kerberos authentication flows and ticket lifecycles - SAML - OIDC - RADIUS - Design and troubleshoot DNS architecture and resolution behavior across: - Windows endpoints - macOS endpoints - Linux enforcement platforms - Support authentication mechanisms including: - Machine certificate–based authentication on Windows - PKI trust chains, certificate lifecycle, and revocation - SAML and OIDC user authentication via external Identity Providers - Understand how identity, DNS, and routing failures manifest as access control issues Modern Cloud & Infrastructure Excellence ·       Virtualization: Architect-level knowledge of VMware, ESXi, and KVM for private cloud deployments ·       Public Cloud: Demonstrate architect-level design and implementation of security services within AWS (GovCloud), Azure (Government), and Google Cloud Platform (GCP), with a specific focus on native networking (VPCs, VNets, Transit Gateways) and IAM policy enforcement. ·       AI/ML Security: Forward-thinking experience in governing access to AI/LLM workloads and agent platforms. (Desired) Endpoint Scripting & Client-Side Automation - Design and troubleshoot endpoint-executed scripts used for posture checks, integrations, and access decisions - PowerShell (Required): - Windows endpoint scripting - Interaction with certificates, networking, registry, and system services - Bash (Required): - macOS and Linux client scripting - System interrogation, diagnostics, and process control - Ensure scripts are secure, deterministic, and compatible with Federal endpoint hardening requirements Networking, Transport & Cryptographic Protocol Expertise - Architect-level understanding of: - IP packet structure and routing behavior - TCP three-way handshake and session lifecycle - ARP, GARP, and Proxy ARP functionality - Deep knowledge of: - TLS 1.2 / TLS 1.3 and QUIC - Mutual TLS (mTLS) - Certificate validation and trust chains - Familiarity with: - VPN architectures and tunneling models - Differences between VPN and identity-centric ZTNA - MPLS and SDWAN Architectures and traffic flows - Demonstrate Architect level knowledge and experience designing, articulating, and implementing complex Network integrations and Cybersecurity solitons - Architect level familiarity with network security solutions such as firewalls/next generation firewalls, network access control and VPNs, Logging / SYSLOG integration, IT Operations, IT Security Operations, SDWAN, WAN, and other Layer3/4 Network technology - Denied, Disrupted, Intermittent, and Limited (DDIL) environmental chalanges - Single Packet Authorization or port knocking familiarity desired - Expertise with Zero Trust Network and Univeral ZTNA concepts and Software Defined Perimeter desirable - Diagnose failures using: - tcpdump - Wireshark - OS-level packet tracing STIG, SCAP & Compliance Engineering - Support STIG compliance for Linux-based platforms - Working knowledge of SCAP, including: - OpenSCAP tooling - Interpreting scan output and false positives - Mapping findings to mitigations - Support RMF and ATO efforts through technical evidence and explanation - Communicate effectively with ISSMs, ISSEs, and assessors Interoperability & Federal Integration - Architect interoperability between Appgate and adjacent Federal systems: - Identity platforms - Endpoint security tools - SIEM, SOAR, and ITSM platforms - Network and boundary security systems - Enable Appgate to operate as a composable Zero Trust control within multi-vendor Federal architectures - Support integrators and partners implementing joint solutions Senior Technical Leadership - Serve as final escalation point for the most complex Federal deployments - Lead deep technical architecture reviews with government and integrator teams - Mentor senior Solution Architects and engineers - Influence product direction related to automation, integration, and operability Required Qualifications & Experience - 12+ years in networking, security, systems, platform, or automation engineering roles - Demonstrated mastery of: - Bash - PowerShell - JavaScript - Linux systems administration - REST APIs and automation - Strong experience with identity systems (Active Directory, DNS, PKI, SAML/OIDC) - Experience supporting Federal or other high-assurance environments - Ability to obtain or maintain a U.S. security clearance - Ability to work extended hours / flextime as needed to meet customer needs / deadlines / escalations  - There are times when this role requires more than 40 hours a week   - Travel Requirements:  - Flexibility and ability to travel to meet project and customer needs  - Travel requirements will vary depending on project and for some projects can exceed 50%  Appgate is An Equal Opportunity/Affirmative Action Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or veteran status, age or any other federally protected class. In furtherance of Appgate's policy regarding affirmative action and equal employment opportunity, Appgate has developed a written affirmative action program. This program is available for review upon request by any applicant or employee during normal business hours by contacting the company's EEO Coordinator.