Cloud Security Engineer
Location: New Zealand
Caruso is the AI-native fund administration platform for private markets. We replace legacy systems with modern software and integrated services, helping fund managers save time, impress investors, and grow AUM.
Since launching just over two years ago, Caruso has grown rapidly to $80B+ in assets, 900+ funds, and 80,000+ investors on the platform. We just completed our Series A capital raise, and are looking for smart, ambitious people to help us build a global business.
Learn more at getcaruso.com.
Role Summary
You will own cloud security across Caruso's AWS-hosted infrastructure: protecting a platform that manages over $50B in assets for fund managers and their investors.
Working closely with the CTO and engineering team, you'll harden our AWS environments, ensure our ISO 27001:2022 ISMS controls remain effective, and embed security deeply into our development and release workflows.
This is a high-ownership, high-trust role with real scope to shape how security is done at a fast-scaling fintech.
What You’ll Do
• Multi-account AWS organisation (us-west-2 and ap-southeast-2) with strict environment separation across dev, staging, and production
• Amazon ECS Fargate: containerised Go microservices communicating over gRPC/Protobuf behind Cloudflare WAF
• Aurora MySQL (multi-AZ, three-instance clusters), RDS Proxy, DynamoDB, S3, Kinesis, Lambda, SQS
• VPC-isolated private subnets; production DB access via Tailscale + SSH bastion (engineering leads only)
• Terraform (IaC) on Terraform Cloud; GitHub Actions CI/CD; Docker image pipeline through AWS ECR
• Consul for service discovery; Datadog + CloudWatch for observability; CloudTrail + Control Tower for audit
• AI services (Python) operating within VPC, multi-provider (Anthropic, OpenAI, Gemini), Turbopuffer vector DB, Guardrail Agent
• Third-party integrations: Onfido (KYC), Cloudcheck (identity), Twilio, SendGrid, Segment
You might work on
• Continuous hardening of our AWS environment: IAM least-privilege, SCP policies, Security Hub findings, GuardDuty tuning
• Reviewing and improving our Cloudflare WAF rules, rate limiting, ASN/geo-blocking posture, and DDoS response playbooks
• Embedding security scanning (SAST, DAST, dependency audits, container image scanning) into our GitHub Actions CI/CD pipeline
• Maintaining and evolving ISO 27001:2022 ISMS controls, evidence collection, and audit readiness for SOC 2 Type II
• Architecting and documenting security controls for our investor wallet and payment flows to satisfy AML/CFT and AUSTRAC obligations
• Reviewing Terraform configurations and infrastructure PRs for security misconfigurations before they reach production
• Threat modelling for new features: particularly AI agent capabilities, vector search, and third-party API integrations
• Incident response planning, tabletop exercises, and post-incident reviews
Technology
• AWS: IAM, SCP, GuardDuty, Security Hub, CloudTrail, Control Tower, VPC, WAF, ACM
• Infrastructure as Code: Terraform, GitHub Actions, Docker
• Observability: Datadog, CloudWatch, CloudTrail
• Zero-trust networking: Tailscale, Cloudflare
• Programming context: Go (backend), Python (AI services), Next.js/Vercel (frontend)
• Compliance: ISO 27001:2022, SOC 2 Type II, AUSTRAC AML/CTF, ASIC
• Linear.app (Jira is officially banned)
What We’re Looking For
Requirements
• 3+ years of hands-on cloud security experience, with deep AWS expertise
• Strong working knowledge of AWS IAM, SCP, GuardDuty, Security Hub, VPC security design, and CloudTrail
• Demonstrable experience embedding security tooling (SAST, container scanning, secrets detection) into CI/CD pipelines
• Familiarity with ISO 27001 or SOC 2: either implementing controls or operating within a certified environment
• Ability to review infrastructure-as-code (Terraform) and identify misconfigurations
• Comfortable operating in a fast-moving product engineering team — pragmatic, not compliance-theatre
• Bachelor's degree or equivalent in Computer Science, Information Systems, Cybersecurity, or a related field
• Right to work in New Zealand
Nice to have
• Relevant certifications: AWS Security Specialty, CISSP, CISM, or similar
• Experience with fintech, payments, or financial services regulatory environments (AUSTRAC, ASIC, FMA)
• Exposure to AI/ML systems security: prompt injection, data exfiltration risks, model supply chain
• Scripting or tooling experience in Go or Python
Why Join Caruso?
• Own cloud security for a platform trusted with over $50B in assets
• Work directly with the CTO and engineers to embed security into how the product is built
• Operate with high autonomy and trust in a fast-scaling tech environment
• Grow in the role alongside the business and shape Caruso’s security direction
Benefits
Comprehensive health insurance with Southern Cross.
Flexible work from home (WFH) arrangements. When in the office, enjoy our premium office space with luxury fit-out and water views, all within close proximity to Auckland's best bars and cafes.
Workstation package including MacBook Pro, dual screens, Apple peripherals, and AirPods Pro noise-cancelling headphones.
5 weeks of annual leave after 2 years' tenure, 6 weeks of annual leave after 3 years' tenure.
Unlimited sick leave.
Extended parental leave.