Job Description
About Opendoor
At Opendoor, our mission is to tilt the world in favor of homeowners and those who aim to become one. Homeownership matters. It's how people build wealth, stability, and community. It's how families put down roots, how neighborhoods strengthen, how the future gets built. We're building the modern system of homeownership, giving people the freedom to buy and sell on their own terms. We’ve built an end-to-end online experience that has already helped thousands of people, and we’re just getting started.
About the Role (Hybrid, 4 days onsite, 1 remote)
At Opendoor, our goal is to build the biggest, most trusted housing platform and set a new
standard for how people move. We've combined our deep proprietary data and operational
expertise with the power of artificial intelligence to make online home selling and buying
radically simple.
Our Security Engineering team is building intelligent systems that protect Opendoor and our
customers while enabling unprecedented engineering velocity. We apply software engineering
and AI to solve security problems across product, infrastructure, and operations by building
guardrails where they matter, not gates where they don't.
As our Cloud Security Engineer, you'll own the security of the infrastructure that runs Opendoor
— multi-account AWS, EKS, the IAM and identity plane connecting Okta to every system, and
the cloud workloads that handle home acquisition, resale, mortgage, title, and escrow. You'll
inherit a recently-completed EKS migration, an in-progress CSPM/CNAPP replacement, and a
zero-trust roadmap waiting for a technical owner.
What You'll Do
● Own the security architecture of our AWS estate — across multiple accounts, EKS
clusters, Terraform-managed infrastructure, and the IAM plane that ties everything
together.
● Manage and optimize our CNAPP and CSPM cloud security tooling, ensuring platforms
are effectively integrated into engineering workflows to drive the automated remediation
of infrastructure risks.
● Modernize our secure access strategy by deploying Zero Trust principles—integrating
device trust and identity-aware proxies—to provide seamless, least-privileged access to
internal infrastructure.
● Harden our EKS environment — RBAC, admission policies, workload identity, runtime
protection, image signing, and base-image strategy on top of our Bottlerocket +
Karpenter foundation.
● Build new agentic detection-and-response workflows using Lambda + AWS-native
primitives that close the loop from alert to investigation to remediation.
● Drive a 'Shift-Left' cloud security strategy within our pipelines using Terraform/Terrakube,
GitHub Actions, ECR — so that misconfigurations get caught at PR time, not in a CSPM
dashboard a week later.
● Partner with the Infrastructure team on cloud-native security decisions: VPC architecture,
ingress, secrets management (Vault), service identity, and how Okta extends into AWS,
Azure, and GCP.
● Run our cloud detection engineering: GuardDuty, Security Hub, CloudTrail, VPC flow
logs — tuned for signal, integrated with Datadog and our incident response playbooks.
● Support cloud security for our subsidiaries (OS National, Mainstay Title), including Azure
+ Windows AD environments, with adversarial review of the systems that touch wire
fraud risk.
● Set the bar for what "secure by default" looks like for AI-maximalist engineering —
vibe-coded apps, MCP servers, and agent-driven workflows that touch production cloud
infrastructure.
● Mentor engineers across Security, Infra, and Product Eng on cloud security patterns, and
turn the patterns you see into automated guardrails so the next team doesn't make the
same mistake.
Tech Stack
● Cloud: AWS, Azure, GCP
● Containers / Orchestration: EKS, Bottlerocket, Karpenter, Helm, Argo CD
● IaC: Terraform, Terrakube (self-hosted)
● Identity & Access: Okta, Duo, AWS Identity Center, Okta-OIDC for EKS, Platform SSO
(macOS), HashiCorp Vault
● Cloud Security: GuardDuty, Security Hub, CloudTrail, GitHub Advanced Security;
CSPM/CNAPP replacement in flight (Wiz, Datadog Cloud Security, CrowdStrike Falcon
Cloud Security under eval)
● Detection / Observability: Datadog (security + observability), Cribl, CloudTrail S3 archive
● Languages: Go, Python, TypeScript, Ruby, HCL
● AI Tooling: Claude, OpenAI, Claude Code, Runlayer MCP, custom agent frameworks —
used heavily for alert triage, IaC review, and remediation drafting
What You'll Need
● Deep conviction that AI and automation should eliminate manual work humans shouldn't
be doing anyway. You're excited to replace ticket toil and manual cloud config review
with automated systems, IaC guardrails, and agents.
● Business enablement security mindset — you measure success by business impact and
informed risk-taking, not by tickets opened or compliance checklists completed.
● 5+ years of cloud or infrastructure security experience, with deep AWS expertise (Azure
and GCP a plus). You can read a CloudTrail event, write a service control policy, and
explain why a particular IAM trust policy is dangerous in the same conversation.
● Strong skills in at least one of Go, Python, or TypeScript, with the ability to read and write
Terraform and shell. You are a builder.
● Hands-on Kubernetes security experience — RBAC, network policies, admission control,
workload identity, image and supply-chain security. EKS specifically is a plus.
● Experience deploying and operating CSPM, CNAPP, or CWPP tooling (Wiz, Prisma,
Orca, Datadog, CrowdStrike Falcon Cloud, Lacework, or equivalent) — and a point of
view on what good looks like vs. what's noise.
● Identity-first security mindset — IAM, OIDC, SAML, federation, secrets management —
and the ability to design least-privilege access at scale.
● Humility and genuine curiosity — you're as excited to learn from product and infra
engineers and enable their work as you are to write detections or design guardrails.
Bonus Points For
● Experience designing or operating Zero Trust Network Access (Cloudflare Access,
Tailscale, Twingate, Google BeyondCorp, etc.).
● Detection engineering background — writing detections that actually fire on real attacker
behavior without burying the team in noise.
● Experience securing AI/ML pipelines, agent frameworks, or MCP-style integrations that
touch production data.
● Familiarity with SOC 2, SOX, or other compliance frameworks in cloud environments —
and an instinct for when compliance work creates real security value vs. when it doesn't.
● Open-source contributions to cloud security tooling (Cartography, Prowler, ScoutSuite,
Falco, Kyverno/OPA, Checkov, etc.).
Compensation
We also offer a comprehensive package of benefits, including unlimited PTO,
medical/dental/vision insurance, life insurance, and 401(k), to eligible employees.
Skills Required
- 5+ years of cloud or infrastructure security experience
- Deep AWS expertise
- Strong skills in Go, Python, or TypeScript
- Hands-on Kubernetes security experience
- Experience with CSPM, CNAPP, CWPP tooling
- Identity management experience involving IAM, OIDC, SAML
What We Do
Founded in 2014, Opendoor’s mission is to empower everyone with the freedom to move. We believe the traditional real estate process is broken and confusing. It often comes with unexpected costs, the added burden of coordinating multiple third parties, and the uncertainty of a transaction falling through. Our goal is simple: build a digital, end-to-end customer experience that makes buying and selling a home simple, certain, and fast. We have assembled a dedicated team with diverse backgrounds and talents across engineering, operations, design, operations, mortgage, finance, legal, and more to deliver strong results. More than 85,000 customers have selected us as a trusted partner in handling one of their largest financial transactions.
Why Work With Us
We’re on a mission to power life’s progress, one move at a time
Hybrid Workspace
Employees engage in a combination of remote and on-site work.
Date Posted
05/27/2026