
Senior Infrastructure Security Engineer
Job Description
About Matter Labs
Matter Labs builds private settlement infrastructure that lets regulated institutions settle directly with each other without exposing data, ceding control, or waiting days. Global finance moves $4 quadrillion a year on systems designed for paper and telex. The institutions that built them - from DTCC to NYSE to the world's largest banks - are now actively replacing them. We're building what comes next.
Our core product, Prividium, gives each institution its own private settlement environment (a Prividium Zone) with independent governance and built-in interoperability across counterparties, asset classes, and jurisdictions. Settlement happens through zero-knowledge proofs: one party proves a transaction is valid without revealing any underlying data to the counterparty. The only private settlement infrastructure built on zero-knowledge cryptography.
Founded in 2018. Backed by a16z and Union Square Ventures. A fully remote team of around 90 with eight years of production zero-knowledge infrastructure behind us, now pointed at the biggest problem in institutional finance.
About the role
Join Matter Labs as a Senior Infrastructure Security Engineer and help secure the corporate and production infrastructure that powers ZKsync. You'll own defenses across identity, endpoint, and detection-and-response. You'll partner closely with IT Ops, DevOps, Protocol Security, and Engineering to make security a default property of how we operate, not a checkpoint.
This role is ideal for someone who enjoys building durable detections instead of triaging noise, and is motivated by the mission of protecting open-source, decentralized infrastructure.
Matter Labs runs a deliberately lean, high-leverage security organization. You won't be one of fifty detection engineers. You'll own the corporate detection-and-response stack and have a direct line to the people building ZKsync. The work matters: this infrastructure protects an open-source ecosystem, the team behind it, and a meaningful chunk of value moving on Ethereum L2.
Key Responsibilities
Identity & Collaboration Security: Own the security configuration of our identity and collaboration stack: identity and access policies, third-party app governance, DLP, context-aware access, and admin audit. Drive least-privilege and phishing-resistant MFA across the org.
Detection & Response: Build, tune, and maintain detections. Design response playbooks for high-signal alerts, onboard new log sources, and own the detection-as-code pipeline. Reduce mean-time-to-detect and mean-time-to-respond on real incidents.
Cloud & Infrastructure Security: Harden our cloud footprint, Kubernetes clusters, and CI/CD pipelines. Review Infrastructure as Code for security regressions, embed guardrails, and partner with DevOps on secrets management and supply-chain controls.
Endpoint Security: Own the security posture of the endpoint estate, including MDM configuration, baseline hardening, EDR tuning, and endpoint telemetry. Make sure the controls hold up without making engineers' machines miserable to use.
Incident Response: Lead and participate in security incident investigations end-to-end: containment, forensics, root cause, remediation, and post-mortem. Improve runbooks and detections after every incident.
Secure Systems Design: Run threat models and architecture reviews for new internal systems and infrastructure changes. Translate findings into concrete, prioritized work, not lists of concerns.
Cross-Team Collaboration: Work alongside Protocol Security, DevOps, IT Ops, and Product Engineering. Raise risks constructively, write clearly, and influence without owning every system.
What We're Looking For
Must Have
5+ years of hands-on infrastructure or detection-and-response security experience.
Production experience securing a cloud-based identity and collaboration platform at scale, beyond default settings. You can speak to specific policies you've implemented, third-party app governance you've run, and incidents you've worked.
Hands-on experience with a modern SIEM and SOAR: writing detections, onboarding log sources, building response playbooks, and tuning to reduce false positives.
Strong cloud security background, including IAM, network controls, workload identity, and organization-level guardrails.
Practical experience securing a macOS-dominant endpoint fleet: MDM, endpoint hardening baselines, and EDR. Comfort reasoning about Mac-specific attack paths and telemetry.
Familiarity with Infrastructure as Code, secrets management, and security automation.
Real incident response experience. You've been on-call for security and led investigations to conclusion.
Clear, constructive technical communication across engineering and non-engineering stakeholders.
Nice to Have
Blockchain / Web3 exposure. Familiarity with the security considerations of decentralized infrastructure, validator/sequencer operations, key management for on-chain systems, or hot/cold wallet ops. Bonus for Ethereum, Solidity, or ZK-related background.
Compliance framework experience with SOC 2 and ISO 27001. Helped a security team build or maintain controls under one or both frameworks, including evidence collection, control design, working with auditors, and mapping technical safeguards to control criteria. Comfort translating compliance requirements into real engineering work, without letting compliance dictate the engineering.
Kubernetes security (admission control, runtime detection, supply chain).
Detection engineering as code: Git-based rule management, CI for detections, purple-team validation.
Experience in lean security teams where you've owned a domain end-to-end rather than a narrow slice.
Work model & pay
Remote‑first: work wherever you’re most effective; optional travel to team or industry events. Ideally East Coast or European time zone.
Freedom & ownership culture: no time tracking, minimum bureaucracy - only results matter.
For more on how we work, check out our Team Handbook
Job Details
- Department: Security
- Category: Operations
- Employment Type: Full Time
- Location: United States (Remote)
- Posted
About Matter Labs
Scaling Ethereum with Zero Knowledge Proofs. Humble creators of zkSync Era. Always hiring: https://www.notion.so/matterlabs/Shape-the-future-of-Ethereum-at-Matter-Labs-dfb3b5a037044bb3a8006af2eb0575e0