This is a remote position.
Berkeley Payment Solutions is a leading payment technology provider specializing in innovative solutions for businesses to manage and process payments seamlessly.
Candidates must be located in Canada for this role.
The Lead Security / DevSecOps Engineer will strengthen and maintain the company's security posture through secure development practices, infrastructure security controls, and DevSecOps principles. This hands-on role bridges software engineering, operations, and cybersecurity—ensuring security is integrated across the entire development lifecycle. The role involves leading secure CI/CD pipelines, cloud infrastructure hardening, automated threat detection, and compliance enforcement in direct collaboration with engineering, DevOps, and product teams.
Berkeley operates a cloud-native, Kubernetes-first platform on AWS. You will work directly with:
• IaC: Terraform 1.5+ (tf-environments, tf-shared-modules with 29+ reusable modules)
• Compute & Orchestration: Amazon EKS 1.28+, Karpenter v1.0.10+, Helm (25+ charts), Docker
• GitOps & CI/CD: ArgoCD (App-of-Apps), GitHub Actions, AWS CodeBuild, ECR, OIDC IAM roles
• Networking & Edge: Transit Gateway (hub-and-spoke), VPC multi-account, CloudFront, HAProxy Ingress
• Security: AWS WAF (JA3/JA4, OWASP rules), GuardDuty (9 accounts), IAM Identity Center, JumpCloud SAML, Secrets Manager, External Secrets Operator
• Data & Storage: Aurora Serverless v2 (PostgreSQL 14.17, MySQL 8.0), DynamoDB, ElastiCache Redis, S3
• Observability: Prometheus, Grafana, Loki Distributed, Promtail, AlertManager, PagerDuty
• Data Workflows: Argo Workflows, Spark Operator, Jupyter, 56+ scheduled jobs
• Applications: Elixir/Phoenix, Go, NestJS, React, RabbitMQ, SQS
• AI Operations: Claude Code for DevOps automation, IaC generation, and operational workflows
• Compliance: PCI-DSS, SOC 2 Type I/II, GDPR
• AWS Accounts: Multi-account strategy — Root, Dev, Staging, Production, CAMS Production
• Design and implement security controls across CI/CD pipelines (GitHub Actions, CodeBuild), Terraform IaC, and deployment workflows (ArgoCD, Helm charts).
• Integrate automated security scanning (SAST, DAST, dependency scanning, container image scanning) into CI/CD to detect vulnerabilities early.
• Harden EKS/Kubernetes, Docker, and AWS environments with best-practice configurations, Karpenter node policies, and Kubernetes security policies.
• Enforce least-privilege access and secrets management via AWS Secrets Manager and External Secrets Operator across all environments.
• Automate security and compliance tasks using Claude Code for IaC generation, infrastructure scripting, and security workflows.
• Manage SSL/TLS certificate renewals, CSP enforcement, and AWS WAF rules (JA3/JA4 fingerprinting, OWASP rule sets) protecting CloudFront edge infrastructure.
• Deploy and manage GuardDuty (9 accounts), Security Hub, and the Grafana-Loki-Prometheus stack to detect and respond to threats in real time.
• Develop and execute incident response playbooks, coordinating alerts through AlertManager, PagerDuty, and Slack.
• Configure alerting for unauthorized access, configuration drift, and anomalous behavior across the multi-account AWS environment.
• Analyze logs and telemetry from Grafana, Loki, Promtail, and Prometheus; monitor VPC Flow Logs, Transit Gateway traffic, and CloudFront access logs for anomalies.
• Lead compliance efforts for SOC 2 Type I/II, PCI-DSS, and GDPR, including automated enforcement and evidence collection within CI/CD and Terraform.
• Perform security risk assessments, gap analyses, and audits across all AWS accounts (Root, Dev, Staging, Production, CAMS).
• Collaborate with legal, compliance, and auditing stakeholders; conduct vendor and third-party risk assessments.
• Maintain centralized compliance documentation for frameworks, control implementations, and audit activities.
• Lead threat modeling and architecture reviews for services across Elixir/Phoenix, Go, NestJS, and React stacks.
• Define and enforce baseline security configurations (hardened AMIs, K8s security policies, Karpenter NodePool constraints, Security Groups).
• Conduct security reviews for Aurora Serverless v2 databases, message queues (RabbitMQ, SQS), and caching layers (ElastiCache Redis).
• Manage scalable infrastructure on AWS via Terraform (29+ shared modules), ArgoCD, and EKS across dev/stage/prod accounts.
• Build and maintain secure CI/CD pipelines using GitHub Actions and CodeBuild with ECR image management.
• Operate Kubernetes environments using Karpenter for intelligent node provisioning; oversee the Prometheus-Grafana-Loki-Promtail observability stack.
• Manage database infrastructure (Aurora Serverless v2, DynamoDB, ElastiCache), Transit Gateway networking, and CloudFront edge configurations.
• Implement and monitor SLOs, SLAs, and error budgets in collaboration with product and engineering.
• Leverage Claude Code for Terraform module development, Helm chart authoring, Kubernetes troubleshooting, and security policy generation.
• Use Claude Code to accelerate incident investigation, generate runbooks, and produce IaC patches.
• Build Claude Code-driven automation for certificate rotation, compliance checks, and environment provisioning.
• Evaluate AI-assisted tooling for the DevSecOps pipeline; mentor team members on effective Claude Code usage.
• Conduct security training tailored to engineers, product managers, and DevOps teams.
• Embed a DevSecOps-first mindset from ideation to deployment; facilitate post-incident reviews and drive remediation.
• Mentor team members on security practices, cloud infrastructure, Kubernetes operations, and observability.
• Maintain documentation for security standards, tooling, infrastructure configuration, and response procedures.
• Build a security and DevOps knowledge base aligned with existing architecture documentation.
• Track and report KPIs for system security, infrastructure reliability, and compliance maturity.
• 5+ years in DevOps, SRE, or Security Engineering with hands-on cloud infrastructure experience.
• Deep expertise with AWS (EKS, IAM, GuardDuty, WAF, Secrets Manager, Transit Gateway, CloudFront, Aurora, S3, DynamoDB, ElastiCache).
• Strong Kubernetes (EKS), Helm, ArgoCD, and container security experience.
• Proficiency in Terraform IaC, including module development and multi-environment management.
• Experience building and securing CI/CD pipelines with GitHub Actions and/or CodeBuild.
• Solid understanding of PCI-DSS, SOC 2, and/or GDPR compliance frameworks.
• Experience with observability stacks (Prometheus, Grafana, Loki) and incident response tooling (PagerDuty, AlertManager).
• Strong scripting skills (Bash, Python, or Go).
• Experience with Karpenter, HAProxy Ingress, or External Secrets Operator in Kubernetes.
• Experience securing Elixir/Phoenix, Go, or NestJS application stacks.
• Experience with Claude Code for infrastructure automation and operational scripting.
• Hands-on experience with Argo Workflows, Spark Operator, or data pipeline security.
• Experience with JumpCloud or similar identity providers for SAML/SSO.
• Background in payment technology, financial services, or PCI-compliant environments.