Security and Infrastructure Architect

Job

TokenWorks

Remote

$120,000 Salary, Full-Time

Posted 1 week ago (Updated 1 day ago) • Actively hiring

Expires 7/23/2026

Job Description

Security and Infrastructure Architect
TokenWorks - 4.0
Bronxville, NY

Job Details
Full-time
$110,000 - $130,000 a year
1 day ago

Benefits
Health insurance
Dental insurance
Paid time off
Vision insurance
401(k) matching

Qualifications
Cloud identity and access management (IAM)
Google Workspace
Mobile device support
Incident management
IT user and group management
Remote access software
Azure AD
Vulnerability management
Identity and access management (IAM) architecture design
Cloud compliance
Productivity software
Desktop administration
CompTIA Security+
Identity & access management

Full Job Description

About the job
Please Read Section Before Applying

About us
We are a B2B hardware/software company building identity-verification and document-processing technology for regulated industries. We're a tight, ~20-person, engineering-heavy team pursuing SOC 2 Type II certification this year. We run on Microsoft Azure, use Microsoft Entra ID for identity management and Intune for device management, and use Google Workspace for productivity — with plans to link Google Workspace to Entra in the very near future. We back it all with a modern security stack (Huntress, SpearTip, Vanta, Aikido, Cloudflare).

About the role
We're hiring a Senior Microsoft security expert to design, build, and run our security and identity infrastructure end to end. This is a hands-on architect role for someone who has done exactly this for other companies and can bring proven patterns rather than learn on ours. You'll own everything from Entra and Intune to the office firewall, integrate it all into Vanta for SOC 2, and work shoulder-to-shoulder with our engineers to bake security into the product. We also want our security systems designed to take advantage of AI: while solid security fundamentals come first, we value someone who can creatively apply AI to automate tasks and improve our ability to detect and respond to threats and vulnerabilities.

What you'll do
Architect Microsoft Entra ID: Conditional Access, MFA, PIM with just-in-time elevation, break-glass accounts, and an admin model with no standing Global Admins on day-to-day accounts.
Own Microsoft Intune: secure all laptops and mobile devices — compliance, configuration, BitLocker, app protection — and build unified onboarding/offboarding.
Secure Microsoft Azure: RBAC, Defender for Cloud, Key Vault, Azure Policy, and dev/staging/prod separation.
Design the office network: firewall hardening, VLAN segmentation, secure remote access with MFA, IDS/IPS, and centralized logging.
Secure Google Workspace with Entra: federate identity and enforce consistent MFA and posture across both ecosystems.
Run security operations: operate EDR/MDR and identity-threat tooling (Huntress), manage the SpearTip IR retainer, run incidents and tabletops.
Drive vulnerability management: track and remediate findings from Defender for Cloud and Aikido with the engineering team.
Apply AI to security: creatively use AI to automate routine security tasks and sharpen threat and vulnerability detection and response across the stack.
Partner with engineering: secure SDLC, deployment-approval gates, and secrets management so security is designed in.
Secure our SaaS apps: Zoho One, Linear, Claude, GitHub and more — SSO, least privilege, MFA, clean offboarding.
Own SOC 2 / Vanta: integrate access and audit logs from every system into Vanta, keep connectors green, and partner with our external SOC 2 advisor through the audit.

What you bring
A proven history of designing, implementing, and operating Microsoft-centric security stacks for other companies.
Deep Entra ID expertise — Conditional Access, PIM/JIT, break-glass, admin tiering, eliminating standing Global Admin rights.
Expert-level Intune for endpoint and mobile management.
Strong Azure security: RBAC, Defender for Cloud, Key Vault, Azure Policy, network security.
Hands-on EDR/MDR and incident response — Huntress, SpearTip, SentinelOne, CrowdStrike, or Defender.
Vulnerability management with Defender for Cloud and a scanner like Aikido or Snyk.
Google Workspace administration and federating it with Entra.
Network/firewall hardening and segmentation.
SOC 2 evidence experience; Vanta (or Drata/Secureframe) hands-on strongly preferred.
Solid scripting (PowerShell/Graph, Python, or Bash) and excellent documentation.
Programming skills — including the ability to use AI to generate code — are preferred.

Nice to have
Experience as the architect or first security hire who built a program from scratch.
Multi-IdP (Entra + Google Workspace) production experience.
Certifications: AZ-500, SC-200, SC-300, MS-102, Security+, CISSP, or GIAC.
Cloudflare Zero Trust device-posture deployment.

What's in it for you
A foundational, high-autonomy role with direct CEO visibility and real budget authority for the security stack.
A greenfield mandate: design it the right way, with proven patterns, instead of inheriting tech debt.
A modern, well-funded toolset; you won't be duct-taping a legacy stack.
Competitive base salary commensurate with experience, plus full medical/dental/vision, generous 401(k) match, PTO, and an annual budget for certifications and training.
Possible hybrid work 3 days/week on site in the Metro NY area.

If you have what it takes to design and run a best-in-class security and identity infrastructure, you are encouraged to apply today.

Please upload your resume here. Then click on this link to complete an application, a 15-minute screening test (https://www.ondemandassessment.com/o/JB-VAPU9Q60I/landing?u=1187681), and upload your resume. Applicants who do not use the link will not be able to submit a resume.

Pay: $110,000.00 - $130,000.00 per year

Benefits:
401(k) matching
Dental insurance
Health insurance
Paid time off

Work Location: Hybrid remote in Bronxville, NY 10708