Senior Infrastructure Security Engineer

San Francisco, Full-time
2.5k - 3k / yr
Senior Infrastructure Security Engineer (Runtime, Kernel & Sandbox Security)

About the role
We're partnered with an A16z-backed Series A company building the execution layer for AI systems that run untrusted code at massive scale. Every day, billions of AI agents execute inside highly isolated environments where performance, correctness, and security cannot be traded off against one another. This role is for a security engineer who thinks in kernels, syscalls, and isolation boundaries. You'll own the security of our execution infrastructure, working directly with Linux primitives, microVMs, and runtime controls to harden one of the most security-sensitive AI platforms in production today.

What you'll do

Own runtime & kernel-level security
• Design and implement defense-in-depth isolation using Linux security primitives (seccomp, namespaces, cgroups, eBPF).
• Build and harden microVM infrastructure for executing untrusted workloads safely at scale.
• Implement kernel-adjacent controls that reduce attack surface while preserving sub-200 ms execution guarantees.
• Reason rigorously about syscall surfaces, privilege boundaries, and escape vectors.

Secure distributed execution at scale
• Protect tens of thousands of concurrent sandboxes running customer workloads.
• Implement real-time threat detection across high-throughput execution paths.
• Design security systems that hold up under extreme concurrency, burst traffic, and adversarial inputs.
• Balance isolation, observability, and performance.

Production security engineering
• Build security controls that are measurable, testable, and enforced in production.
• Partner closely with infra, platform, and core engineering teams; security ships as code.
• Investigate and remediate security incidents with root-cause rigor.
• Continuously evolve the platform's threat model as usage patterns and attacker sophistication change.

Enterprise & compliance readiness
• Own security controls that support SOC 2, ISO 27001, and GDPR requirements.
• Translate compliance requirements into real technical controls, not checklists.
• Support enterprise security reviews with deep technical credibility.

What we're looking for
• 5+ years securing production infrastructure at scale.
• Deep, hands-on experience with Linux internals and security primitives:
  • seccomp
  • namespaces
  • cgroups
  • eBPF
• Strong understanding of container and sandbox escape vectors and their mitigations.
• Experience securing distributed systems under real-world load.
• Comfort working close to the kernel.

Tech stack
• Languages: Go, Rust, C, TypeScript
• Systems: Linux, containers, microVMs
• Security: seccomp, eBPF, namespaces, container hardening
• Scale: high-throughput, low-latency distributed systems

Why this role matters
Security is existential to this platform. A single isolation failure compromises customer trust, enterprise adoption, and the entire execution model. You won't be bolting security on after the fact: you'll be designing the security boundary itself.