Senior Staff Security Engineer - Network Security

About Gusto

At Gusto, we're on a mission to grow the small business economy. We handle the hard stuff — payroll, health insurance, 401(k)s, and HR — so owners can focus on their craft and their customers. With teams in Denver, San Francisco, and New York, we support more than 500,000 small businesses nationwide and are building a workplace that reflects the people we serve.

All full-time employees receive competitive base pay, benefits, and equity (RSUs) — because everyone who helps build Gusto should share in its success. Offer amounts are determined by role, level, and location. Learn more about our Total Rewards philosophy.

AI is a fundamental part of how work gets done at Gusto. We expect all team members to actively engage with AI tools relevant to their role and grow their fluency as the technology evolves. AI experience requirements vary by role and will be assessed during the interview process.

About the Role:

We're looking for a Senior Staff Security Engineer to lead Gusto's edge and network security strategy, owning the design and operation of our Cloudflare WAF, DDoS protection, Zero Trust, and broader perimeter controls. The ideal candidate brings deep, hands-on Cloudflare expertise and a proven track record of hardening edge and network architectures at scale, including tuning WAF rulesets, defending through live DDoS events, and shipping Zero Trust rollouts engineers actually adopt. You think in terms of layered defense, measurable risk reduction, and automation over manual toil. In this role, you'll serve as a force multiplier across the security org, partnering with infrastructure and product teams to make high-impact architectural decisions that compound over time.

About the Team:

The Gusto's Enterprise Security Engineering team, a small but high-leverage group responsible for cloud security posture, edge and network defense, container security, secrets management, and endpoint protection across the company. The team runs a modern stack including Cloudflare, Wiz, CrowdStrike, Panther, and Tines, scaling impact through automation, IaC, and AI-augmented tooling. The work carries real stakes, protecting the payroll, benefits, and HR systems that hundreds of thousands of small businesses and their employees rely on every day. The team is engineering-first, with most of the roadmap living in code and a strong emphasis on partnering with infrastructure and product teams rather than gatekeeping them.

Here’s what you’ll do day-to-day:

• Design and operate Gusto's edge security stack including Cloudflare WAF, DDoS protection, Bot Management, WARP, Gateway, and Access, tuning rules against real traffic and shaping how engineers and operations teams reach internal systems securely.
• Own the network security perimeter across AWS and the edge: VPC design, Network Firewall, Shield, CloudFront, NACLs, and egress filtering, all codified in Terraform and Crossplane, observable, and consistently enforced.
• Develop policy-as-code patterns for WAF rules, network policies, and edge configuration so changes ship through pull requests with review, testing, and clean rollback paths.
• Build detections and alerting on edge and network telemetry including Cloudflare logs, VPC Flow Logs, and CloudTrail flowing into Panther, and lead incident response for perimeter and network events.
• Contribute broadly across the security engineering surface including cloud posture, container security, IAM, vulnerability management, and on-call, bringing a strong generalist instinct to wherever the work is most critical.
• Operate as an AI-native engineer, using Claude Code, MCP-driven tooling, and agentic workflows as a daily force multiplier across investigation, automation, and detection engineering.
• Prototype and ship agents, custom MCP servers, and LLM-assisted automations that compress security work from days to minutes and raise the bar for what one engineer can own.

Here’s what we're looking for:

• 10+ years of hands-on security engineering experience, with significant time owning edge, network, or perimeter security at scale.
• Deep, production-grade expertise with Cloudflare's security stack including WAF, DDoS, Bot Management, WARP, Gateway, and Access, covering rule tuning, incident response, and Zero Trust rollouts.
• Strong network architecture skills across edge and cloud: TLS/mTLS, segmentation, egress controls, DDoS resilience, and AWS networking including VPC, Network Firewall, Shield, CloudFront, and NACLs.
• Fluency with policy-as-code, Terraform, and CI/CD-first delivery of security controls; Crossplane or similar a plus.
• Solid generalist foundation across cloud security, IAM, container security, and detection engineering, with hands-on incident response experience on edge and network telemetry in a modern SIEM.
• AI-native working style with daily use of Claude Code or equivalent agentic tooling, and a track record of building AI-assisted workflows including custom MCP servers, agents, and LLM automations that compound team output.
• Excellent written and verbal communication; you can take a complex perimeter decision and explain the tradeoffs to a staff engineer, a PM, and a VP without changing the substance.
• Relevant certifications a plus including AWS Certified Advanced Networking Specialty, AWS Certified Security Specialty, Cloudflare Certified Security Associate/Professional, CKS, or equivalent.

Our cash compensation amount for this role is targeted at $210,000/yr to $230,000/yr in Denver & most remote locations, $230,000/yr to $270,000/yr for San Francisco, New York & Seattle. Stock equity is additional. Final offer amounts are determined by multiple factors including candidate experience and expertise and may vary from the amounts listed above.

Gusto has physical office spaces in Denver, San Francisco, and New York City. Employees who are based in those locations will be expected to work from the office on designated days approximately 2-3 days per week (or more depending on role). The same office expectations apply to all Symmetry roles, Gusto's subsidiary, whose physical office is in Scottsdale.

Note: The San Francisco office expectations encompass both the San Francisco and San Jose metro areas.

When approved to work from a location other than a Gusto office, a secure, reliable, and consistent internet connection is required. This includes non-office days for hybrid employees.

Our customers come from all walks of life and so do we. We hire great people from a wide variety of backgrounds, not just because it's the right thing to do, but because it makes our company stronger. If you share our values and our enthusiasm for small businesses, you will find a home at Gusto.

Gusto is proud to be an equal opportunity employer. We do not discriminate in hiring or any employment decision based on race, color, religion, national origin, age, sex (including pregnancy, childbirth, or related medical conditions), marital status, ancestry, physical or mental disability, genetic information, veteran status, gender identity or expression, sexual orientation, or other applicable legally protected characteristic. Gusto considers qualified applicants with criminal histories, consistent with applicable federal, state and local law. Gusto is also committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans in our job application procedures. We want to see our candidates perform to the best of their ability. If you require a medical or religious accommodation at any time throughout your candidate journey, please fill out this form and a member of our team will get in touch with you.

Gusto takes security and protection of your personal information very seriously. Please review our Fraudulent Activity Disclaimer.

Personal information collected and processed as part of your Gusto application will be subject to Gusto's Applicant Privacy Notice.