Infrastructure and Security Engineer

Full-time · Hybrid

Firmable is the market-leading B2B sales-intelligence platform in Australia & New Zealand — and we're now scaling that success worldwide at speed. Backed by leading investors, we help businesses outperform by understanding more about their leads, customers and candidates than ever before.

We're building a team of curious, collaborative builders who thrive in fast-moving start-ups. This is your chance to
embed security, reliability and compliance into everything we ship
— not bolt it on later, but set the playbook for how a modern data and AI platform runs safely at scale.

As our first dedicated
DevSecOps engineer
, you'll partner with product and engineering to design guardrails, elastic and scalable infrastructure, automate controls and prove resilience. From secure CI/CD and hardened cloud infrastructure to auditable data flows and incident response, you'll take us from "works" to "provably safe and reliable".

What you'll do

Infrastructure & Cloud Security

• Design, harden and run core services across
  AWS and GCP
• Standardise multi-account/projects, VPC design, private networking, KMS, IAM and org policies
• Implement autoscaling patterns (ECS/EKS/GKE, Elastic DBs, Cloud Run) and infrastructure right-sizing
• Secure and operate critical external services (Supabase, Clerk, Stripe, Upstash/Redis)
• Enforce least-privilege service-to-service access with short-lived credentials and key rotation
• Design for multi-region operation with failover, replication and data residency controls

DevSecOps Pipeline & Automation

• Shift-left security controls:
  SAST, SCA, secret scanning, licence checks, container image scanning and signing
• Build secure CI/CD pipelines with gated production deploys (DAST, change tickets, approvals)
• Infrastructure as Code:
  Terraform/Pulumi for AWS/GCP with policy-as-code (OPA/Conftest) and drift detection
• Create golden modules, reusable pipelines and paved-road templates
• Operate continuous vulnerability scans across images, hosts and dependencies; manage remediation SLAs
• Coordinate penetration testing and track security findings to closure

Compliance & Risk Management

• Codify controls
  aligned to ISO 27001, SOC 2, GDPR and CCPA (change management, access reviews, backups, logging, DR)
• Prepare and support external audits and customer due diligence; close findings with evidence
• Implement data retention/deletion workflows and privacy by design
• Access controls:
  Zero-trust IAM, scoped roles, just-in-time elevation and periodic access reviews
• Build auditable data flows and webhook hardening (idempotency, signature validation, replay defence)

Platform Reliability & Incident Response

• Define
  SLOs for critical user journeys
  ; alert on error-budget burn and automate remediation
• Unified observability:
  OpenTelemetry + CloudWatch/Cloud Logging + OpenSearch + Pydantic Logfire with audit-grade trails
• Backup and disaster recovery:
  Define RTO/RPO per system; automate backups, cross-region snapshots and verified restores
• Run quarterly DR drills and failover tests; fix gaps you find
• Incident response:
  Severity model, on-call rotation, communications templates and post-mortems with action tracking
• Cost optimisation through budgets, right-sizing, savings plans and lifecycle policies

What you bring

Core Technical Skills

Must have

• 5–8+ years across DevOps/platform/security in cloud, with depth in AWS and working knowledge of GCP
• Strong Terraform (or similar), GitHub Actions (or similar), containers (ECS/EKS/GKE/Docker), Glue/EMR and automation
• Hands-on with SAST/SCA/secret scanning (CodeQL, Trivy, Snyk, OSV-Scanner), image signing (Cosign) and DAST basics
• IAM/KMS and network security (VPC, private subnets, NAT, ALB/WAF/Cloud Armor); org-level guardrails
• Observability (OpenTelemetry, CloudWatch/Cloud Logging, OpenSearch, Pydantic Logfire), incident response and DR execution
• Clear writing, pragmatic risk reduction and a bias to automate

Nice to have

• Supabase/PostgreSQL hardening, OpenSearch security, Redis/Upstash controls
• Clerk, Stripe and webhook security at scale
• Experience preparing for ISO 27001 or SOC 2 audits
• Policy-as-code (OPA), supply-chain security (SBOM, provenance/attestations)
• Cost-optimisation playbooks across AWS and GCP

Why you'll love Firmable

• Impact that ships:
  your work directly unlocks enterprise deals and safer scale across the world
• Small senior team:
  high trust, high ownership, minimal bureaucracy
• Problems that matter:
  secure data, AI and search at meaningful scale
• Flexibility:
  Hybrid in Melbourne with flexibility
• Growth
  : Grow with the company as we scale
• Collaborative culture
  — join builders who value curiosity, innovation and rapid learning

Ready to invent the next generation of AI-powered intelligence for sales teams worldwide?
Apply now — let's talk