The Average Firmware Engineer Earns $165,000. Anthropic Is Paying $405,000 to Lock Down the Hardware Beneath Its AI Models
What Anthropic's Job Listings Actually Say
A Platform Hardware Security Engineer at Anthropic needs eight-plus years of systems security experience, at least five focused on firmware and hardware (bootloaders, UEFI/BIOS hardening, chain-of-trust implementation). The candidate should write C, Rust, and Assembly. The posting, listed across San Francisco, New York, Seattle, and Washington, DC, is no longer accepting applications, but Anthropic's careers page still shows 374 open roles, and the hardware-security cluster is growing.
The scope is what stands out. The engineer would design secure boot chains from firmware through OS initialization across CPUs, BMCs, switches, peripherals, and embedded microcontrollers. They would architect attestation systems providing cryptographic proof of system state from hardware root of trust through the application layer. They would build measured boot implementations, runtime integrity monitoring, and firmware analysis pipelines. The posting explicitly calls for experience with TPM, Intel TXT, AMD SEV, and ARM TrustZone, the full stack of hardware-based trust technologies most software engineers never touch.
This isn't a one-off. Anthropic added 25 roles in the past week alone, including a Platform Security Engineering position focused on OpenBMC, the open-source baseboard management controller firmware that manages server hardware at the lowest level. That role pays $405,000. The earlier Platform Hardware Security posting showed $300,000 to $320,000 on one board and $405,000 to $485,000 on another, suggesting either a level adjustment or a widening compensation band as demand for these skills intensifies.
The job description also reveals something about Anthropic's operational reality: the engineer must "integrate security controls with infrastructure teams without impacting training performance." That constraint, securing bare-metal infrastructure without slowing the massive GPU clusters running model training, is the core tension of this entire hiring push. Anthropic isn't bolting security onto an existing cloud setup. It's building security into the physical machines that run its AI workloads, from the moment power hits the board.
The required background reads like a wish list drawn from the semiconductor and defense industries: supply chain security, NIST firmware security guidelines, hardware security frameworks, contributions to open-source projects like coreboot and CHIPSEC, and experience with silicon root of trust implementations. Anthropic is competing for the same talent pool as chipmakers, cloud providers, and defense contractors, and paying accordingly.
Why an AI Safety Company Needs Firmware Engineers
The logic starts with a simple problem: Anthropic is scaling compute infrastructure to compete with OpenAI and Google, and its customers (enterprise and government) don't just want model safety. They want proof that the entire stack, from silicon to API, hasn't been tampered with.
CISA's vulnerability bulletin for the week of June 1, 2026, catalogs hundreds of newly disclosed flaws across the hardware and firmware landscape. Arista Networks' EOS carries multiple high-severity vulnerabilities allowing unauthorized configuration changes and full root access through crafted packets. Qualcomm's Snapdragon chipset, inside billions of Android devices, has a dozen memory corruption flaws in fastboot, Strongbox, and diagnostic services, several allowing unauthorized bootloader modification. FreeIPMI's ipmi-oem tool has exploitable buffer overflows in response message parsing. These aren't theoretical risks. They're the exact class of supply-chain and firmware-level weaknesses that become attack surfaces when an AI company runs its own bare-metal infrastructure at scale.
The strategic logic runs deeper. Anthropic's Transparency Hub explicitly states the company implements "inspection and control measures over our third-party supply chain to mitigate potential risks." But inspection only works if you have engineers who understand what they're inspecting, people who can read UEFI code, validate bootloader integrity, and verify that a BMC hasn't been flashed with a modified firmware image. When the Pentagon designated Anthropic itself as a supply chain risk in early 2026, the irony cut both ways: the government worried about Anthropic's products in federal systems, while Anthropic simultaneously worried about the integrity of the hardware those products run on.
Enterprise customers are asking for this. Anthropic's enterprise trust documentation emphasizes that the company provides SSO, SCIM, audit logs, and role-based permissions. But for regulated customers (financial services, defense contractors, and healthcare), identity and access management aren't enough. They want to know that the physical machine running their model inference hasn't had its firmware replaced with a keylogger, that the supply chain from fabrication to deployment hasn't been intercepted, and that the boot process is measured and attested.
This is the same pattern that played out in mobile. When Google started building its own Tensor chips and Titan security processors, it wasn't just about performance. It was about closing the gap between what the hardware guarantees and what the software assumes. Anthropic is making a parallel bet: that securing AI infrastructure requires owning the trust chain below the operating system.
The CISA bulletin makes the threat concrete. Vendors like ABB, D-Link, GL.iNet, and UTT have routers and industrial controllers with stack-based buffer overflows, command injection, and hardcoded credentials, all at the firmware level. If Anthropic is sourcing, deploying, and managing its own server fleets, every one of those vulnerability classes is a potential entry point. Firmware engineers who can audit OpenBMC builds, validate secure boot chains, and detect supply-chain tampering aren't a luxury. They're the difference between "we trust our hardware" and "we can prove our hardware hasn't been compromised."
The talent war for these specialists is quiet but intense. Chipmakers, cloud providers, and defense contractors all need the same people. Anthropic's pitch is unique: come secure the infrastructure that runs the most advanced AI models in the world, starting from the metal up.
A $13B War Chest and a Second Front
Anthropic closed a $13 billion Series F round in September 2025 at a $183 billion post-money valuation, nearly triple its $61.5 billion valuation from March. CNBC reported the round was led by Iconiq, Fidelity Management & Research Co., and Lightspeed Venture Partners, with Altimeter, General Catalyst, and Coatue also participating. The company said its run-rate revenue had crossed $5 billion by August, up from roughly $1 billion at the start of the year, serving more than 300,000 business customers.
That cash isn't going to marketing. It's going to people: specifically, to a category of engineer that most AI companies don't hire at all.
The skill set maps directly onto the talent pool at chipmakers like Intel, AMD, and Qualcomm, at cloud providers running custom silicon, and at defense contractors building hardened systems. Anthropic is pulling from all three.
The competitive context makes this legible. OpenAI is reportedly preparing a secondary share sale that would value it at roughly $500 billion. Google DeepMind continues to lead on public benchmarks. Anthropic's answer to both isn't just a better model. It's a more trustworthy stack, from the silicon up. Enterprise and government buyers, the customers driving that $5 billion run rate, care about supply chain integrity and firmware-level guarantees in a way that pure API providers can't easily match.
At $405,000 for a single platform security role, the firm is pricing itself against the top of the hardware-security market, not the AI-research market. That gap is the story. Most of the industry is still fighting over ML researchers. Anthropic is quietly opening a second front.
Salaries, Locations, and the Two-Coast Build
Anthropic's hardware-security hiring concentrates in San Francisco and New York, with Seattle as a third option for select roles. The compensation is consistent: the active mid-level posting shows a base of $405,000 per year, while the senior/expert listing showed $405,000–$485,000 base plus equity. A now-removed AI Platform Security Engineer listing showed $300,000–$405,000.
| Role | Level | Location | Base Compensation |
|---|---|---|---|
| Platform Hardware Security Engineer | Mid | SF / NYC / Seattle | $405,000 |
| Platform Hardware Security Engineer | Senior / Expert | SF Bay Area / NYC | $405,000–$485,000 + equity |
| AI Platform Security Engineer | — | — | $300,000–$405,000 (removed) |
For context, Glassdoor puts the average firmware engineer salary across all industries at roughly $165,000. Anthropic is paying about 2.5x that, a premium reflecting how few engineers can work across firmware, hardware security, and large-scale distributed systems, and how much AI companies now need that combination.
The company's hybrid policy requires office presence at least 25% of the time, which for a role involving hardware-firmware collaboration means most hires will cluster around the SF and NYC offices.
The OpenBMC-focused Platform Security Engineering role sits at the same $405,000 pay point. That's another signal that the bare-metal security buildout isn't a one-off experiment. It's a sustained hiring pipeline, and the two-coast structure means candidates in either metro can interview without relocating.
AI's Trust Stack Is Moving Downward
Anthropic isn't alone in pushing security concerns below the software layer. Across the industry, companies building and deploying large models are starting to treat the hardware beneath those models as part of the safety problem, and hiring to match it.
The logic is straightforward. A model can be aligned, its outputs filtered, its training data audited. But if the firmware on the GPU server running that model has been tampered with, or if the boot process can be compromised before the operating system loads, none of that matters. The trust chain breaks at the lowest layer. For enterprise buyers, especially in defense, finance, and government, that gap is a dealbreaker. They want assurance not just that the model behaves, but that the entire stack beneath it hasn't been altered.
OpenBMC is open-source firmware for baseboard management controllers, the chips that monitor and manage server hardware out-of-band (meaning even when the main system is off). Hiring engineers to work at that level signals Anthropic is building or hardening its own server management stack, not relying on whatever a cloud provider ships by default. That's a meaningful architectural choice, and an expensive one.
Other AI companies are making quieter versions of the same bet. The broader pattern is a shift from treating infrastructure as a commodity rented from AWS or Google Cloud to treating it as a controlled perimeter. Custom firmware, measured boot processes, and hardware root-of-trust verification were once the exclusive concerns of chipmakers and defense contractors. Now they're showing up in job postings at AI labs.
Engineers with backgrounds in embedded systems, silicon validation, and supply-chain security are moving from semiconductor firms and government-adjacent contractors into AI companies. The skill set is rare and demand is climbing, which is part of why Anthropic's compensation for these roles sits at the top of the market.
What's happening is a redefinition of what "AI safety" means in practice. It started at the model level (RLHF, red-teaming, constitutional AI). It's now extending downward through the software stack and into the metal. The companies that can offer customers a verifiable chain of trust from silicon to output will have a structural advantage in the contracts that matter most. Anthropic is staffing for that advantage now, before the rest of the industry catches up.