Senior Cybersecurity Engineer

ON.energy is building the power infrastructure that makes the AI era possible. As AI demand surges past what the grid and traditional data centers can support, ON.energy provides a new class of power technology proven at gigawatt scale and trusted by the world’s leading cloud and AI companies. Our systems are already deployed across 2.5 GW of hyper-scale campuses, validated by top U.S. national labs, and certified for grid-safe operation by major utilities. With real products in the field, we’re scaling faster than the grid can, transforming power from a bottleneck into a competitive advantage for the companies building the future.

We are looking for a Senior Cybersecurity Engineer to architect and implement technical security controls for our grid-connected energy portfolio. As we scale our operations, we need a hands-on engineer to secure the entire data lifecycle - from the industrial control systems (OT) at the edge, through the cloud telemetry pipeline, to the corporate dashboards.

This is a builder role. You will be responsible for deploying and managing our core security infrastructure - specifically Wazuh and Authentik - to secure our AWS environments and operational field assets. You will work directly with control systems engineers and DevOps teams to build security into our backbone.

Responsibilities will include: 

Cloud & Infrastructure Security

• Cloud Architecture: Secure the AWS infrastructure that hosts our energy management platforms. Implement hardening baselines and manage security groups for cloud resources
• SIEM & Observability (Wazuh): Architect a centralized and on-prem SIEM deployment to ingest logs from CloudTrail, VPC Flow Logs, and Linux servers. Configure custom decoders to detect threats across both cloud and on-prem environments
• Infrastructure as Code (IaC): Review and secure Terraform/CloudFormation scripts. Manage security configurations (including Wazuh agents and Authentik outposts) via Ansible or similar automation tools
• IoT/Edge Security: Secure the telemetry pipeline from the edge device (site controller) to the cloud, ensuring encryption (TLS 1.2/1.3) and proper certificate management (PKI) for edge

Identity & Access Management (IAM)

• Unified IAM (Authentik): Architect Authentik as the central Identity Provider (IdP), enforcing MFA and SSO across cloud consoles, internal engineering tools, and Grafana dashboards
• Least Privilege: Engineer granular IAM roles for cloud resources and service accounts, ensuring that automated services have only the permissions necessary to function

Operational Technology (OT) Security

• Network Segmentation: Design and implement IEC 62443-aligned network architectures (Purdue Model), strictly controlling traffic between the IT, Cloud, and OT zones
• Vulnerability & Integrity Monitoring: Deploy Wazuh agents on industrial PCs and HMIs to perform File Integrity Monitoring (FIM) and vulnerability scanning without disrupting critical real-time processes
• Industrial Protocols: Analyze and secure communications (Modbus, DNP3) to ensure integrity between field assets and control centers

Requirements:

• 5–8 years of technical cybersecurity experience, with a specific blend of Cloud/Linux Engineering and OT/Industrial exposure
• Proven experience working with industrial control systems (ICS), SCADA, or utility/energy infrastructure
• Deep expertise in securing Linux-based cloud environments and managing infrastructure via code
• Comfortable debugging a failed Wazuh agent on a Linux server or tracing a dropped packet in a cloud VPC
• Tailoring flexible open-source tools to fit specific architectural needs rather than relying solely on "black box" commercial vendors

Technical stack proficiency: 

• Wazuh: Deep experience deploying managers/agents, writing custom rules/decoders, and tuning FIM/SCA modules for low-noise environments
• Authentik: Experience configuring Providers (OIDC, SAML), Outposts, and proxying legacy applications
• Cloud Platforms: Proficiency with AWS (GuardDuty, IoT Core, IAM) or Azure (Defender for IoT, Entra ID)

Preferred experience:

• Experience with Docker/Kubernetes security in an edge computing context
• Knowledge of industrial protocols (Modbus TCP, DNP3, IEC 61850)
• Certifications: GICSP, GRID, AWS Certified Security – Specialty

For US-based roles - What you’ll get:

• Competitive salary + annual performance-based bonus eligibility
• Medical, dental, and vision insurance
• 401(k) with company match
• Paid time off and company holidays 

For Mexico-based roles - What you’ll get:

• Competitive salary + annual performance bonus eligibility
• Christmas Bonus (Aguinaldo): 30 days
• Major medical expenses and life insurance
• Paid time off and holidays (per local policy)

For all roles:

• Professional development and growth opportunities
• Opportunity to grow with a mission-driven team shaping the future of clean energy
• Equal Opportunity: ON.energy is committed to equal employment opportunity and to maintaining a work environment free of harassment, discrimination, or retaliation.
• Accommodations: If you need an accommodation during the application process, email recruitment@onenergystorage.com
• Benefits vary by role and location and are subject to change.