Founding Backend Engineer at ACRIVAULT
About this role
We are hiring our Founding Backend Engineer, the second engineering hire after the Founding Lead Security Architect. This engineer will turn the architect's specifications into production code. You will start as a four-month contract from Month 2 through the end of Month 5 and convert to full-time at the end of Month 4 upon successful contract completion. The conversion decision is made in Week 14 of the contract; full-time start is Week 17 (the beginning of Month 5).
You will build the platform's control-plane services, the Discovery pillar (discover-svc, scan-worker, identity-graph-service), and significant portions of the Identity Firewall hot path. You will work directly with the Lead Security Architect, who hands you specifications, OpenAPI contracts, and architecture decision records — your job is to translate those into shipped production code that passes the architect's seven evaluation criteria and the 4.5 ms p99 SLO.
What you'll build
● Control-plane services: api-gateway, auth-service (SSO, SAML, MFA, JWT, RBAC, SCIM), tenant-service (multi-tenant onboarding, wave feature flags), billing-service (Stripe integration, per-tier metering), notification-service, reporting-service.
● Discovery pillar (Wave 1): discover-svc (scan orchestrator with SQS dispatch), scan-worker (500 concurrent workers using boto3/GCP/Azure SDKs plus Bedrock/Vertex/OpenAI for AI model discovery), identity-graph-service (the source-of-truth identity graph in Neo4j, plus the AI-BOM schema).
● Identity Firewall hot path (Wave 3) in close partnership with the architect: portions of the PDP (stateless Go service, OPA-compiled policy bundles), the PIP cache (Redis-backed sub-millisecond attribute lookup), portions of injection-detect (Llama Guard plus heuristic enricher).
● The first three customer-side PEP form factors: the language SDK (Go and Python), the Envoy filter, and the gRPC sidecar.
● Integration with the polyglot data layer: PostgreSQL 15+ (relational, schema-per-tenant, RLS), Neo4j Aura (identity graph plus AI-BOM lineage), ClickHouse (time-series telemetry plus AI session events), Redis 7+ (PIP cache plus sessions), S3 (audit log with object-lock plus WORM), Elasticsearch (full-text search), and the new vector store (pgvector or OpenSearch k-NN).
Required qualifications
● 5+ years of production backend engineering, with strong fluency in Go (primary) and Python (secondary). Production experience in TypeScript is a plus.
● Direct production experience building multi-tenant SaaS at scale: tenant isolation patterns (schema-per-tenant, RLS, hybrid), per-tenant rate-limiting, per-tenant data residency.
● Experience building sub-50-ms p99 services. You understand pprof profiling, escape analysis, allocation control, GC tuning, and the difference between a fast-path and a slow-path in a hot service.
● Production experience with at least three of: PostgreSQL 15+, Neo4j or another graph database, ClickHouse or another columnar store, Redis at cluster scale, Kafka or another event bus, OpenAPI 3.0 contract-first development, AWS SDK for cloud-resource enumeration.
● Comfort with Kubernetes (EKS in production), Istio mTLS service mesh, ArgoCD GitOps deployment, and OpenTelemetry observability.
● Strong written communication. You will read architecture documents and write design notes back to the architect for review.
Strongly preferred
● Production experience with OPA (Open Policy Agent), Cedar, or another XACML-pattern policy engine.
● Familiarity with SPIFFE/SPIRE workload identity, the SVID issuance flow, and the federated trust model.
● Experience integrating with AI agent frameworks: LangChain, CrewAI, AutoGen, MCP servers, Bedrock, Vertex AI, OpenAI Assistants API.
● Prior cybersecurity SaaS engineering experience, especially in NHI security, IAM, PAM, or cloud security posture management (CSPM).
● Open-source contributions to relevant projects (OPA, SPIRE, Envoy, Istio, Kubernetes, Terraform, popular AI agent frameworks).