Lead Security Engineer
Other Engineering
San Francisco, CA, USA
About Us
Alembic is the pioneering Causal AI platform. We help the world's largest enterprises move past correlation to prove what actually drives business outcomes — the question marketing and growth teams have never been able to answer with confidence. Fortune 100 companies including Nvidia, Delta Air Lines, and Mars use Alembic to make multimillion-dollar decisions on trusted, causal evidence.
We're backed by a $145M Series B from WndrCo (founded by Jeffrey Katzenberg), Jensen Huang, Joe Montana, Prysm Capital, and Accenture. Our models run on our own NVIDIA DGX SuperPOD built on Grace Blackwell infrastructure — one of the fastest private supercomputers in the world. (We've melted GPUs getting here.)
About the Role
We're looking for a lead-level Security Engineer and Architect to own system, network, and host security end-to-end for a rapidly growing on-prem, Kubernetes-based AI factory. This is a hands-on, high-impact role reporting directly to our CTO/CISO and working side-by-side with Technical Operations, Corp IT, Platform Engineering, and our scientific teams. It's not a compliance seat that exists to satisfy published controls — it's the chance to shape our security posture from the ground up, secure high-value client data, and build the team and tooling to do it.
Two things make this role distinctive. First, Alembic is "Default to Open" by design: security here must respect that maximum information sharing is fundamental to how we operate, while still protecting customer data and the IP (patents and trade secrets) that our applied-science work generates. Balancing those is the core intellectual challenge of the job. Second, we're an AI-first company that uses many kinds of AI across everything we do; deciding which AI systems run in which containers, and what each is allowed to reach, is one of the more interesting problems you'll own.
What You'll Do
Design and implement security controls across all environments — network segmentation and firewalling, IDS/IPS, and traffic analysis on our on-prem Kubernetes platform.
Build and enforce host security: EDR, kernel telemetry, hardening, and baseline implementation across the fleet.
Own identity and access — AuthN/AuthZ, RBAC, and service identity — grounded in OIDC, SAML, and mTLS.
Stand up incident-detection pipelines (SIEM, metrics, endpoint telemetry) tuned to surface high-signal threats over noise, and lead incident response end to end: triage, containment, recovery, root-cause analysis, and forensics.
Keep the focus on enablement over restriction — effective security, not compliance for its own sake — while balancing IP protection, customer-data protection, and broad internal information sharing.
Partner with Legal and the CISO to obtain the compliance certifications we need and to answer customer questions about the security of our systems; hire and mentor as the security function grows.
What Will Help You Succeed
8+ years in security engineering, infrastructure, or related roles.
Strong Linux system security and networking (SSH certificates, directory-based authentication) and strong Kubernetes security (RBAC, tenant isolation, admission control).
Real experience securing on-prem environments, not only public cloud.
A proven track record leading real-world incidents, with familiarity with attacker techniques (lateral movement, persistence, exfiltration) and hands-on depth in EDR, IDS/IPS, and SIEM.
Strong command of OIDC, SAML, mTLS, and cryptography-based storage security.
Comfort writing code, automation, and tooling in Python or similar, plus configuration management via IaC (Terraform, Ansible).
The judgment to distinguish high-signal threats from noise, make pragmatic tradeoffs in a fast-moving company, and communicate effectively with technical stakeholders.
Nice to have:
High-performance or distributed-compute experience (HPC, GPU clusters).
Identity-aware proxies or zero-trust architectures.
Offensive security (red teaming, exploit development).
Secure application development and secure-code training.
Responsible-disclosure/bug-bounty programs.
AI controls, MCP security, agent security, and AI governance.
A background in corporate IT security.
The role is right for you if:
You want to shape a security posture from first principles rather than administer someone else's control framework — and you see "Default to Open" as a design constraint worth solving, not a threat to route around.
You'd rather be in the terminal doing root-cause analysis and building detection pipelines than managing them from a slide deck, and you want to build the team around you as scope grows.
Why You Might Be Excited About Alembic
Hard problems with real impact: You'll secure a one-of-a-kind on-prem AI factory and protect the high-value data behind multimillion-dollar decisions at Fortune 100 companies.
Technical autonomy: Direct access to the CTO/CISO and decision-makers, ownership over the security architecture, and the freedom to solve problems your way.
Cutting-edge environment: Secure our own NVIDIA DGX SuperPOD on Grace Blackwell — one of the fastest private supercomputers in the world — and take on genuinely novel work in AI, agent, and MCP security.
Elite team: Join top engineers and scientists who thrive on hard problems, and build the security team from a front-row seat in the culture.
Series B momentum, real ownership: Meaningful equity at a Series B company that's raised $145M, with proven product-market fit and Fortune 100 traction.
Why You Might Not Be Excited
You want a compliance-first role focused on satisfying published controls — this job is about effective security and enablement, and treats certifications as a byproduct, not the point.
You need a fully built-out program, tooling, and process to step into, rather than the mandate to define them.
You're uncomfortable with "Default to Open" — if your instinct is to lock everything down by default, the constant balance of IP protection, customer-data protection, and broad internal sharing will feel like friction rather than the interesting part.
You prefer a fixed scope over a changing one: priorities and scope shift as we grow. We have real paying customers and a playbook, and we still move at startup speed at Series B scale.