Senior Cybersecurity Engineer

ON.energy is building the power infrastructure that makes the AI era possible. As AI demand surges past what the grid and traditional data centers can support, ON.energy provides a new class of power technology proven at gigawatt scale and trusted by the world’s leading cloud and AI companies. Our systems are already deployed across 2.5 GW of hyper-scale campuses, validated by top U.S. national labs, and certified for grid-safe operation by major utilities. With real products in the field, we’re scaling faster than the grid can, transforming power from a bottleneck into a competitive advantage for the companies building the future.We are looking for a Senior Cybersecurity Engineer to architect and implement technical security controls for our grid-connected energy portfolio. As we scale our operations, we need a hands-on engineer to secure the entire data lifecycle - from the industrial control systems (OT) at the edge, through the cloud telemetry pipeline, to the corporate dashboards.This is a builder role. You will be responsible for deploying and managing our core security infrastructure - specifically Wazuh and Authentik - to secure our AWS environments and operational field assets. You will work directly with control systems engineers and DevOps teams to build security into our backbone.Responsibilities Will IncludeCloud & Infrastructure SecurityCloud Architecture: Secure the AWS infrastructure that hosts our energy management platforms. Implement hardening baselines and manage security groups for cloud resourcesSIEM & Observability (Wazuh): Architect a centralized and on-prem SIEM deployment to ingest logs from CloudTrail, VPC Flow Logs, and Linux servers. Configure custom decoders to detect threats across both cloud and on-prem environmentsInfrastructure as Code (IaC): Review and secure Terraform/CloudFormation scripts. Manage security configurations (including Wazuh agents and Authentik outposts) via Ansible or similar automation toolsIoT/Edge Security: Secure the telemetry pipeline from the edge device (site controller) to the cloud, ensuring encryption (TLS 1.2/1.3) and proper certificate management (PKI) for edgeIdentity & Access Management (IAM)Unified IAM (Authentik): Architect Authentik as the central Identity Provider (IdP), enforcing MFA and SSO across cloud consoles, internal engineering tools, and Grafana dashboardsLeast Privilege: Engineer granular IAM roles for cloud resources and service accounts, ensuring that automated services have only the permissions necessary to functionOperational Technology (OT) SecurityNetwork Segmentation: Design and implement IEC 62443-aligned network architectures (Purdue Model), strictly controlling traffic between the IT, Cloud, and OT zonesVulnerability & Integrity Monitoring: Deploy Wazuh agents on industrial PCs and HMIs to perform File Integrity Monitoring (FIM) and vulnerability scanning without disrupting critical real-time processesIndustrial Protocols: Analyze and secure communications (Modbus, DNP3) to ensure integrity between field assets and control centersRequirements5–8 years of technical cybersecurity experience, with a specific blend of Cloud/Linux Engineering and OT/Industrial exposureProven experience working with industrial control systems (ICS), SCADA, or utility/energy infrastructureDeep expertise in securing Linux-based cloud environments and managing infrastructure via codeComfortable debugging a failed Wazuh agent on a Linux server or tracing a dropped packet in a cloud VPCTailoring flexible open-source tools to fit specific architectural needs rather than relying solely on "black box" commercial vendorsTechnical Stack ProficiencyWazuh: Deep experience deploying managers/agents, writing custom rules/decoders, and tuning FIM/SCA modules for low-noise environmentsAuthentik: Experience configuring Providers (OIDC, SAML), Outposts, and proxying legacy applicationsCloud Platforms: Proficiency with AWS (GuardDuty, IoT Core, IAM) or Azure (Defender for IoT, Entra ID)Preferred ExperienceExperience with Docker/Kubernetes security in an edge computing contextKnowledge of industrial protocols (Modbus TCP, DNP3, IEC 61850)Certifications: GICSP, GRID, AWS Certified Security – SpecialtyFor US-based Roles - What You’ll GetCompetitive salary + annual performance-based bonus eligibilityMedical, dental, and vision insurance401(k) with company matchPaid time off and company holidays For Mexico-based Roles - What You’ll GetCompetitive salary + annual performance bonus eligibilityChristmas Bonus (Aguinaldo): 30 daysMajor medical expenses and life insurancePaid time off and holidays (per local policy)For All RolesProfessional development and growth opportunitiesOpportunity to grow with a mission-driven team shaping the future of clean energyEqual Opportunity: ON.energy is committed to equal employment opportunity and to maintaining a work environment free of harassment, discrimination, or retaliation.Accommodations: If you need an accommodation during the application process, email recruitment@onenergystorage.comBenefits vary by role and location and are subject to change.