Senior Security Architect - Runtime CNAPP / CADR jobs in United States

RoonCyber · 3 hours ago

Senior Security Architect - Runtime CNAPP / CADR

RoonCyber is building a next-generation Cloud Application Detection & Response (CADR) and Runtime CNAPP platform focused on real-time attack detection and response. They are seeking a Senior Security Architect to own and architect the security intelligence layer of the platform, including risk modeling, event correlation, and incident response workflows.

Computer & Network Security

Responsibilities

Own and evolve our PASTA-based risk model across cloud inventory, runtime behavior, and security events
Architect probabilistic and contextual risk scoring across:
  Assets (workloads, identities, data, services)
  Vulnerabilities (static + runtime)
  Misconfigurations
  Active exploit signals
Map business impact × exploitability × exposure × runtime evidence
Define risk normalization across cloud providers, platforms, and environments
Ensure risk outputs are explainable and defensible to SOC, engineering, and leadership
Design and own the event correlation architecture across:
  Runtime sensors (eBPF, language-level hooks)
  CNAPP sources (CSPM, CWPP, CIEM, DSPM)
  Cloud-native telemetry (CloudTrail, VPC Flow Logs, audit logs)
  External intel and enrichment (TI feeds, CVE metadata, exploit availability)
Define correlation primitives (time, identity, workload, process, network, code path)
Design incident aggregation logic (single-event → multi-stage incidents)
Eliminate alert duplication while preserving forensic fidelity
Drive incident confidence scoring and prioritization
Architect attack-path analysis that reflects how attackers actually move, not theoretical graphs
Design attack path modeling across:
  IAM role chains & privilege escalation
  Network reachability & lateral movement
  Service-to-service trust relationships
  Runtime process ancestry and execution chains
Define traversal depth limits, confidence scoring, and path explosion controls
Enable “how did this happen” and “what could be next” reasoning for SOC and IR teams
Translate attack paths into clear responder guidance
Architect solution workflows that support real SOC and engineering outcomes, including:
  Incident response & containment
  Vulnerability prioritization (runtime-aware)
  Misconfiguration remediation
  Sensitive data exposure analysis
  IAM over-permissioning and abuse detection
Define workflow states, ownership transitions, and automation hooks
Balance SOC speed with developer usability
Ensure workflows align with how security teams actually operate
Contribute directly to detection design and classification strategy
Help define detection logic across:
  Runtime syscall and behavior signals
  Application-layer exploits
  Abuse-of-legitimate-features patterns
Map detections to MITRE ATT&CK (tactics, techniques, sub-techniques)
Influence governance frameworks and policy enforcement models
Ensure detections are high-signal, explainable, and resilient to evasion

Qualifications

Cloud platforms (AWS/Azure/GCP)
Detection & response platforms
Attack path analysis
Kubernetes
Containerized workloads
Rust
Go
C
C++
eBPF concepts
Incident response workflows
Security detections
Low-level system behavior

Required

Strong background in red team, offensive security, or adversary simulation
Deep understanding of cloud platforms (AWS/Azure/GCP)
Deep understanding of Kubernetes and containerized workloads
Deep understanding of IAM systems and privilege models
Experience designing or operating detection & response platforms
Experience designing or operating SIEM/XDR/CNAPP systems
Experience designing or operating attack path or blast radius analysis
Practical coding experience in one or more: Rust, Go, C, C++
Familiarity with eBPF concepts and kernel-level telemetry
Familiarity with runtime instrumentation and syscall tracing
Familiarity with event pipelines and distributed systems

Benefits

Competitive compensation + equity

Company

RoonCyber

RoonCyber delivers complete, unified cloud security with Runtime CNAPP combined with Cloud Application Detection and Response (CADR).

Funding

Current Stage
Early Stage
Company data provided by crunchbase