Note: The job is a remote job and is open to candidates in USA. Gusto is on a mission to grow the small business economy by handling payroll, health insurance, 401(k)s, and HR. They are seeking a Senior Staff Security Engineer to lead the edge and network security strategy, focusing on the design and operation of security measures such as Cloudflare WAF and DDoS protection.
Responsibilities
- Design and operate Gusto's edge security stack including Cloudflare WAF, DDoS protection, Bot Management, WARP, Gateway, and Access, tuning rules against real traffic and shaping how engineers and operations teams reach internal systems securely
- Own the network security perimeter across AWS and the edge: VPC design, Network Firewall, Shield, CloudFront, NACLs, and egress filtering, all codified in Terraform and Crossplane, observable, and consistently enforced
- Develop policy-as-code patterns for WAF rules, network policies, and edge configuration so changes ship through pull requests with review, testing, and clean rollback paths
- Build detections and alerting on edge and network telemetry including Cloudflare logs, VPC Flow Logs, and CloudTrail flowing into Panther, and lead incident response for perimeter and network events
- Contribute broadly across the security engineering surface including cloud posture, container security, IAM, vulnerability management, and on-call, bringing a strong generalist instinct to wherever the work is most critical
- Operate as an AI-native engineer, using Claude Code, MCP-driven tooling, and agentic workflows as a daily force multiplier across investigation, automation, and detection engineering
- Prototype and ship agents, custom MCP servers, and LLM-assisted automations that compress security work from days to minutes and raise the bar for what one engineer can own
Skills
- 10+ years of hands-on security engineering experience, with significant time owning edge, network, or perimeter security at scale
- Deep, production-grade expertise with Cloudflare's security stack including WAF, DDoS, Bot Management, WARP, Gateway, and Access, covering rule tuning, incident response, and Zero Trust rollouts
- Strong network architecture skills across edge and cloud: TLS/mTLS, segmentation, egress controls, DDoS resilience, and AWS networking including VPC, Network Firewall, Shield, CloudFront, and NACLs
- Fluency with policy-as-code, Terraform, and CI/CD-first delivery of security controls; Crossplane or similar a plus
- Solid generalist foundation across cloud security, IAM, container security, and detection engineering, with hands-on incident response experience on edge and network telemetry in a modern SIEM
- AI-native working style with daily use of Claude Code or equivalent agentic tooling, and a track record of building AI-assisted workflows including custom MCP servers, agents, and LLM automations that compound team output
- Excellent written and verbal communication; you can take a complex perimeter decision and explain the tradeoffs to a staff engineer, a PM, and a VP without changing the substance
- Relevant certifications a plus including AWS Certified Advanced Networking Specialty, AWS Certified Security Specialty, Cloudflare Certified Security Associate/Professional, CKS, or equivalent
Benefits
- All full-time employees receive competitive base pay, benefits, and equity (RSUs) — because everyone who helps build Gusto should share in its success.
- Stock equity is additional.
- Gusto has physical office spaces in Denver, San Francisco, and New York City.
- Employees who are based in those locations will be expected to work from the office on designated days approximately 2-3 days per week (or more depending on role).
- When approved to work from a location other than a Gusto office, a secure, reliable, and consistent internet connection is required.
- Gusto is proud to be an equal opportunity employer.
- Gusto considers qualified applicants with criminal histories, consistent with applicable federal, state and local law.
- Gusto is also committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans in our job application procedures.
Company Overview
Company H1B Sponsorship