Senior Network Engineer

LeoLabs | Remote | Full Time

Job Description

Why LeoLabs?

At LeoLabs, we’re building the living map of activity in space. Through our proprietary global radar network and AI-enabled analytics platform, we collect millions of measurements daily on more than 25,000 objects in low Earth orbit (LEO). Our radar-powered intelligence protects billions in assets, monitors adversarial behavior, and ensures safe operations for commercial and government missions.

We’re not just building technology; we are redefining global security, safety, and transparency in space. As orbital activity accelerates and threats grow more complex, LeoLabs is a trusted partner for Space Domain Awareness, Space Traffic Management, and Satellite Operations for top-tier space operators and allied defense organizations.

If you're looking to work on mission-critical challenges at the forefront of aerospace, national security, and AI, your impact starts here.

 *This position is remote in the United States.


The Opportunity

We are hiring a Senior Network Engineer to help design, implement, and operate the company’s next-generation secure network architecture.

The Senior Network Engineer will own critical workstreams across SASE/ZTNA, NAC, IPSec connectivity, network segmentation, cloud network integration, egress controls, firewall policy, and telemetry forwarding. The ideal candidate has strong hands-on experience securing hybrid environments that span corporate networks, cloud platforms, remote users, physical sites, and sensitive workloads.

This role is well suited for an engineer who can operate at both the design and implementation levels: designing secure patterns, building them, validating them, documenting them, and supporting their transition into steady-state operations.


Key Responsibilities

Secure Network Architecture and Zero Trust Access:

  • Design and implement secure network patterns that enforce identity, device posture, segmentation, logging, and policy-based access across users, sites, workloads, and administrative paths.
  • Implement and support SASE/ZTNA capabilities, including Cloudflare Government or comparable platforms, WARP/client access, private application access, gateway policies, DNS controls, and secure administrative access paths.
  • Help eliminate direct public administrative access to workloads by routing privileged access through approved identity-aware and policy-enforced access layers.
  • Develop network designs that support the principle that no workload, management interface, or privileged access path bypasses identity, policy, segmentation, and telemetry controls.

NAC and Physical Site Segmentation:

  • Lead the design and rollout of Network Access Control for office, edge, and remote site environments.
  • Implement or support 802.1X, RADIUS policy, device certificates, VLAN segmentation, and port-level admission control.
  • Segment remote site networks into appropriate zones, such as telemetry, management, vendor/service, and out-of-band management networks.
  • Assess switch, firewall, router, and edge-device readiness for NAC, IPSec, logging, and configuration baseline enforcement.

Remote Site and Edge Connectivity:

  • Design secure remote site connectivity using IPSec/private tunnels, certificate-based authentication, route controls, firewall policies, and deterministic telemetry paths.
  • Ensure edge and radar-site environments have no unnecessary public management exposure.
  • Implement firewall forwarding, tunnel telemetry, configuration backup, drift detection, and site-level logging into centralized monitoring and SIEM platforms.
  • Partner with Security, Cloud Engineering, SRE, and other Engineering teams to build detection and response use cases for tunnel anomalies, exposed management paths, unexpected peers, route changes, failed rekeys, and suspicious traffic patterns.

Cloud Network Integration:

  • Design and support cloud network connectivity patterns across multiple cloud hosts and restricted workload zones.
  • Implement or support hub-and-spoke architectures, transit gateways, vWAN, private endpoints, DNS resolver patterns, egress inspection, firewall policy, and workload security-group guardrails.
  • Partner with Cloud Engineering to define baseline network guardrails for landing zones, including deny-public-admin policies, centralized egress, private admin paths, flow logging, routing standards, and tagging requirements.
  • Support cloud network segmentation for Corporate IT, restricted workloads, and other uses.

Telemetry, Logging, and SOC Enablement:

  • Ensure network logs are consistently forwarded into centralized telemetry and SOC platforms.
  • Support data-source onboarding for firewall logs, VPN/IPSec logs, SASE logs, NAC events, DNS logs, VPC/NSG flow logs, and remote site device logs.
  • Collaborate with the Head of IT and Security team to create network-focused detection content, response workflows, evidence artifacts, and runbooks.
  • Help validate detection coverage through test events, tabletop exercises, port scans, tunnel checks, and configuration drift reviews.

Operations, Documentation, and Compliance Support:

  • Create and maintain network diagrams, firewall rule documentation, routing designs, NAC policies, tunnel inventories, access paths, and operational runbooks.
  • Support evidence generation for government compliance, covering control areas related to access control, audit logging, communications protection, configuration management, and incident response.
  • Participate in change control, architecture decision records, incident response, and post-implementation reviews.
  • Work closely with Security, Cloud Engineering, SRE, IT Support, and other Engineering teams to ensure clean operational handoff.

Required Qualifications

  • Must be eligible to obtain and maintain a U.S. personnel security clearance.
  • 5+ years of hands-on network engineering experience in enterprise, hybrid cloud, regulated, or security-focused environments.
  • Strong experience with routing, switching, firewalling, VPNs, segmentation, DNS, NAT, TLS, certificates, and secure network design.
  • Hands-on experience with firewall policy management, IPSec tunnels, site-to-site VPNs, route control, and secure edge connectivity.
  • Experience implementing or operating NAC technologies, including 802.1X, RADIUS, VLAN assignment, device profiling, or certificate-based access.
  • Experience supporting remote-access or Zero Trust access platforms such as Cloudflare, Zscaler, Palo Alto Prisma Access, Cisco Secure Access, or similar.
  • Experience integrating network logs into SIEM or monitoring platforms.
  • Working knowledge of cloud networking concepts in AWS and/or Azure, including VPCs/VNets, routing, security groups, NACLs, private endpoints, flow logs, transit gateways, vWAN, or cloud firewalls.
  • Ability to write clear technical documentation, diagrams, implementation plans, runbooks, and operational procedures.
  • Strong troubleshooting skills across network, identity, endpoint, cloud, and application access layers.

Preferred Qualifications

  • Experience with Cloudflare Government, Cloudflare Zero Trust, WARP, Gateway, Access, or Magic WAN.
  • Experience supporting CUI, ITAR, NIST 800-171, CMMC, FedRAMP, or other regulated environments.
  • Experience with Microsoft Sentinel, Wiz, Dropzone AI, Splunk, Elastic, QRadar, or other SIEM/SOC platforms.
  • Experience with infrastructure-as-code or policy-as-code tooling such as Terraform, CloudFormation, Bicep, Ansible, GitHub Actions, GitLab CI, or Azure DevOps.
  • Experience building detection logic or response workflows for network anomalies, exposed admin services, tunnel failures, vendor access abuse, or cloud network drift.
  • Experience with vendor-access segmentation, just-in-time access, privileged access management, and session logging.

Within 1 Month, you’ll:

  • Complete onboarding and develop a working understanding of the architecture modernization strategy, current network estate, radar-site model, key stakeholders, operating model, and delivery priorities.
  • Inventory corporate network paths, cloud network paths, radar-site connectivity, edge devices, firewalls, routers, switches, wireless systems, SASE/ZTNA capabilities, NAC readiness, VPN/IPSec tunnels, vendor paths, and privileged administrative access routes.
  • Document current-state gaps in public management exposure, firewall policy hygiene, vendor access, shared or unmanaged admin paths, radar-site segmentation, tunnel authentication, route control, DNS, egress filtering, and logging coverage.
  • Map available and missing telemetry sources for firewalls, VPN/IPSec, SASE, NAC, DNS, VPC/NSG flow logs, wireless, routing events, radar-site device logs, and configuration drift signals.
  • Create an initial prioritized network modernization backlog with quick wins, risk rankings, dependencies, owners, implementation effort, and recommended sequencing for the first two quarters.
  • Identify urgent containment opportunities such as exposed SSH/RDP/admin interfaces, unlogged tunnels, broad vendor access, stale firewall exceptions, unmanaged edge devices, and public management endpoints.

Within 3 Months, you’ll:

  • Produce or materially contribute to the target network architecture for SASE/ZTNA, NAC, radar-site segmentation, private administrative access, cloud connectivity, centralized egress, and telemetry forwarding.
  • Define standard network patterns for no-public-admin access, ZTNA ingress, full-tunnel versus application access, management VLANs, telemetry VLANs, vendor/service VLANs, out-of-band management, firewall policy, DNS, route control, and logging.
  • Complete NAC and edge readiness assessment across priority offices and radar sites, including switch models, firmware, port counts, 802.1X/RADIUS/PKI requirements, hardware refresh needs, and rollout risks.
  • Implement or lead priority containment improvements, including restricting public admin exposure, tightening firewall rules, forwarding firewall and tunnel logs, documenting high-risk vendor paths, and validating route and tunnel telemetry.
  • Partner with Security, Cloud, and SRE teams to define the network telemetry data-source map, SIEM/Sentinel onboarding plan, retention assumptions, and top network detection use cases.
  • Support key architecture decisions for radar data hosting, SASE scope, SIEM retention, NAC rollout sequence, and cloud network segmentation.
  • Create project plans, change windows, implementation diagrams, validation steps, rollback plans, and runbooks for the 3-6 month buildout phase.

Within 6 Months, you’ll:

  • Deploy or expand SASE/ZTNA for priority user groups, administrative paths, private applications, and high-risk vendor access routes.
  • Begin NAC rollout or pilot across priority offices and radar sites using 802.1X/MAB, RADIUS policy, device certificates, VLAN assignment, and exception workflows.
  • Migrate priority radar-site connectivity toward IPSec/private paths with certificate-based authentication, deny-inbound posture, route controls, egress allow-lists, local logging, and SIEM forwarding.
  • Partner with Cloud Engineering to implement cloud network guardrails such as hub-and-spoke routing, transit gateway/vWAN patterns, private endpoints, centralized DNS, egress inspection, deny-public-admin rules, and flow logging.
  • Onboard priority network telemetry into SIEM/SOC workflows and validate detections for public admin exposure, vendor path abuse, radar tunnel anomalies, unexpected peers, route changes, unauthorized devices, firewall drift, and suspicious egress.
  • Create operational runbooks for radar tunnel anomalies, NAC failures, vendor-access exceptions, exposed management services, firewall rule changes, routing changes, and site isolation/containment.
  • Establish repeatable configuration backup, device baseline, firewall review, route validation, drift detection, and change-control evidence processes.

Within 12 Months, you’ll:

  • Scale SASE/ZTNA and NAC across priority offices, remote sites, remote users, administrative paths, and private applications with documented ownership, support model, and exception process.
  • Ensure radar traffic uses private, authenticated, policy-gated paths where approved, with no unnecessary public management exposure, segmented telemetry and management networks, and centralized visibility.
  • Standardize network guardrails across on-premises, edge, and cloud environments, including private admin paths, egress inspection, route governance, DNS controls, firewall review, flow logging, and public exposure detection.
  • Operate centralized telemetry for firewall, SASE, NAC, IPSec, DNS, cloud flow logs, routing events, wireless, and radar-site device logs with detection content, response workflows, SOC handoff, and evidence retention.
  • Reduce unmanaged vendor access, broad firewall exceptions, long-lived remote access exceptions, shared network administration paths, and unmonitored management interfaces through measurable remediation.
  • Deliver reusable evidence artifacts for governmental and other regulatory or customer assurance and for internal risk reviews, including diagrams, rule exports, tunnel status, access logs, SIEM cases, change records, and drift reports.
  • Help achieve the broader modernization outcome: every privileged path, ingress route, radar telemetry flow, and control-plane change is authenticated, authorized, segmented, logged, and continuously evaluated.

Perks and Benefits

  • Global workforce: flexible remote/hybrid opportunities
  • Work on complex, meaningful missions with real-world impact
  • Unlimited paid time off for most roles
  • Competitive salary and equity packages
  • Comprehensive health, dental, and vision coverage
  • Access to the forefront of commercial space operations and defense innovation

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Job Details

Category: Software
Employment Type: Full Time
Location: Remote

About LeoLabs

LeoLabs is an aerospace company that supplies and provides low Earth orbit mapping and space situational awareness services.
