Role Description
We are hiring a Senior Network Engineer to help design, implement, and operate the company’s next-generation secure network architecture. The Senior Network Engineer will own critical workstreams across:
-
SASE/ZTNA
-
NAC
-
IPSec connectivity
-
Network segmentation
-
Cloud network integration
-
Egress controls
-
Firewall policy
-
Telemetry forwarding
The ideal candidate has strong hands-on experience securing hybrid environments that span corporate networks, cloud platforms, remote users, physical sites, and sensitive workloads.
This role is well suited for an engineer who can operate at both the design and implementation levels: designing secure patterns, building them, validating them, documenting them, and supporting their transition into steady-state operations.
Key Responsibilities
-
Secure Network Architecture and Zero Trust Access:
-
Design and implement secure network patterns that enforce identity, device posture, segmentation, logging, and policy-based access across users, sites, workloads, and administrative paths.
-
Implement and support SASE/ZTNA capabilities, including Cloudflare Government or comparable platforms, WARP/client access, private application access, gateway policies, DNS controls, and secure administrative access paths.
-
Help eliminate direct public administrative access to workloads by routing privileged access through approved identity-aware and policy-enforced access layers.
-
Develop network designs that support the principle that no workload, management interface, or privileged access path bypasses identity, policy, segmentation, and telemetry controls.
-
NAC and Physical Site Segmentation:
-
Lead the design and rollout of Network Access Control for office, edge, and remote site environments.
-
Implement or support 802.1X, RADIUS policy, device certificates, VLAN segmentation, and port-level admission control.
-
Segment remote site networks into appropriate zones, such as telemetry, management, vendor/service, and out-of-band management networks.
-
Assess switch, firewall, router, and edge-device readiness for NAC, IPSec, logging, and configuration baseline enforcement.
-
Remote Site and Edge Connectivity:
-
Design secure remote site connectivity using IPSec/private tunnels, certificate-based authentication, route controls, firewall policies, and deterministic telemetry paths.
-
Ensure edge and radar-site environments have no unnecessary public management exposure.
-
Implement firewall forwarding, tunnel telemetry, configuration backup, drift detection, and site-level logging into centralized monitoring and SIEM platforms.
-
Partner with Security, Cloud Engineering, SRE, and other Engineering teams to build detection and response use cases for tunnel anomalies, exposed management paths, unexpected peers, route changes, failed rekeys, and suspicious traffic patterns.
-
Cloud Network Integration:
-
Design and support cloud network connectivity patterns across multiple cloud hosts and restricted workload zones.
-
Implement or support hub-and-spoke architectures, transit gateways, vWAN, private endpoints, DNS resolver patterns, egress inspection, firewall policy, and workload security-group guardrails.
-
Partner with Cloud Engineering to define baseline network guardrails for landing zones, including deny-public-admin policies, centralized egress, private admin paths, flow logging, routing standards, and tagging requirements.
-
Support cloud network segmentation for Corporate IT, restricted workloads, and other uses.
-
Telemetry, Logging, and SOC Enablement:
-
Ensure network logs are consistently forwarded into centralized telemetry and SOC platforms.
-
Support data-source onboarding for firewall logs, VPN/IPSec logs, SASE logs, NAC events, DNS logs, VPC/NSG flow logs, and remote site device logs.
-
Collaborate with the Head of IT and Security team to create network-focused detection content, response workflows, evidence artifacts, and runbooks.
-
Help validate detection coverage through test events, tabletop exercises, port scans, tunnel checks, and configuration drift reviews.
-
Operations, Documentation, and Compliance Support:
-
Create and maintain network diagrams, firewall rule documentation, routing designs, NAC policies, tunnel inventories, access paths, and operational runbooks.
-
Support compliance evidence generation for government compliance, control areas related to access control, audit logging, communications protection, configuration management, and incident response.
-
Participate in change control, architecture decision records, incident response, and post-implementation reviews.
-
Work closely with Security, Cloud Engineering, SRE, IT Support, and other Engineering teams to ensure clean operational handoff.
Qualifications
-
Must be eligible to obtain and maintain a U.S. personnel security clearance.
-
5+ years of hands-on network engineering experience in enterprise, hybrid cloud, regulated, or security-focused environments.
-
Strong experience with routing, switching, firewalling, VPNs, segmentation, DNS, NAT, TLS, certificates, and secure network design.
-
Hands-on experience with firewall policy management, IPSec tunnels, site-to-site VPNs, route control, and secure edge connectivity.
-
Experience implementing or operating NAC technologies, including 802.1X, RADIUS, VLAN assignment, device profiling, or certificate-based access.
-
Experience supporting remote-access or Zero Trust access platforms such as Cloudflare, Zscaler, Palo Alto Prisma Access, Cisco Secure Access, or similar.
-
Experience integrating network logs into SIEM or monitoring platforms.
-
Working knowledge of cloud networking concepts in AWS and/or Azure, including VPCs/VNets, routing, security groups, NACLs, private endpoints, flow logs, transit gateways, vWAN, or cloud firewalls.
-
Ability to write clear technical documentation, diagrams, implementation plans, runbooks, and operational procedures.
-
Strong troubleshooting skills across network, identity, endpoint, cloud, and application access layers.
Preferred Qualifications
-
Experience with Cloudflare Government, Cloudflare Zero Trust, WARP, Gateway, Access, or Magic WAN.
-
Experience supporting CUI, ITAR, NIST 800-171, CMMC, FedRAMP, or other regulated environments.
-
Experience with Microsoft Sentinel, Wiz, Dropzone AI, Splunk, Elastic, QRadar, or other SIEM/SOC platforms.
-
Experience with infrastructure-as-code or policy-as-code tooling such as Terraform, CloudFormation, Bicep, Ansible, GitHub Actions, GitLab CI, or Azure DevOps.
-
Experience building detection logic or response workflows for network anomalies, exposed admin services, tunnel failures, vendor access abuse, or cloud network drift.
-
Experience with vendor-access segmentation, just-in-time access, privileged access management, and session logging.
Benefits
-
Global workforce: flexible remote/hybrid opportunities
-
Work on complex, meaningful missions with real-world impact
-
Unlimited paid time off for most roles
-
Competitive salary and equity packages
-
Comprehensive health, dental, and vision coverage
-
Access to the forefront of commercial space operations and defense innovation