Sr. Security Engineer, Cloud Security

About Us Pocket FM is a leading audio entertainment platform that brings engaging, serialized fiction to millions of listeners across genres like romance, thriller, fantasy, and more. With over 130 million users globally and strong traction in markets like the US and Europe, we’re revolutionizing storytelling through audio. Our unique model combines free listening with micropayments for premium content, powering strong business growth.

In FY25, we reached an ARR of INR 2,000 crore, with over 100,000 hours of content on the platform. We're also at the forefront of innovation, leveraging AI-generated content to scale efficiently. Role Overview As a Senior Security Engineer in Cloud Security, you will be responsible for securing Pocket FM's multi-cloud infrastructure at scale.

You will work hands-on across our AWS and GCP environments, collaborate closely with DevOps, SRE, and engineering teams, and play a critical role in hardening our cloud footprint against evolving threats. This role is ideal for someone who thinks in terms of attack surfaces and misconfigurations, loves automating security guardrails, and wants to protect the infrastructure that serves millions of daily listeners. Key Responsibilities Cloud Security Posture Management Continuously assess and improve security posture across Pocket FM's AWS and GCP environments by identifying misconfigurations, enforcing security baselines, and driving remediation across accounts, projects, and services.

Operate and tune Wiz (primary CSPM) for continuous visibility into cloud risk, misconfigurations, and vulnerabilities; manage finding prioritization and remediation workflows with engineering teams. Detecting and remediate data exposure risks. S3 bucket policies, GCS permissions, public access misconfigurations, and encryption enforcement across storage services.

Maintain alignment with CIS Foundations Benchmarks for AWS and GCP, and contribute to Well-Architected / Architecture Framework reviews. Secrets Management Own and improve secrets management practices across AWS (Secrets Manager, SSM Parameter Store, KMS) and GCP (Secret Manager, Cloud KMS) ensuring secrets are not hardcoded in IaC, application code, or CI/CD pipeline configs. Enforce key rotation policies, audit secrets access patterns, and respond to leaked credential incidents end-to-end.

Collaborate with engineering teams to migrate away from hardcoded credentials and adopt secret manager integrations in application and infrastructure code. Infrastructure-as-Code (IaC) Security Review and secure IaC templates (Terraform strongly preferred; CloudFormation and GCP Deployment Manager a plus) to ensure infrastructure is provisioned securely from the start. Integrate IaC security scanning (e.g., Checkov or Wiz IaC) into CI/CD pipelines as pre-merge security gates.

Identity & Access Management Design, review, and enforce IAM policies, roles, and permissions following the principle of least privilege across AWS accounts and GCP projects. Manage and monitor access across SSO, federated identity setups, service accounts, and cross-account/cross-project trust relationships. Identify and remediate over-permissive roles, unused credentials, and privilege escalation paths.

Network Security Configure and maintain cloud network security controls including VPCs, security groups, firewall rules, WAF policies, and CDN configurations across AWS and GCP. Identify and close network-level exposure risks. Open ports, overly permissive ingress/egress rules, unprotected public endpoints, etc.

Container & Workload Security Secure containerized workloads across ECS, EKS, GKE, and Cloud Run by implementing image scanning, runtime protection, secrets management, and pod-level security policies. Enforce image provenance controls, base image hygiene, container registry scanning (ECR, Artifact Registry), and supply chain integrity for container builds. Threat Detection & Monitoring Deploy and tune cloud-native and third-party security monitoring tools.

AWS GuardDuty, Security Hub, GCP Security Command Center, and Wiz to detect anomalous activity, unauthorized access, and potential breaches. Develop detection rules and alerting logic for cloud-specific threat scenarios (e.g., credential theft, lateral movement, data exfiltration). Automation & Tooling Build automated security workflows, custom serverless remediations (Lambda, Cloud Functions), and internal tooling in Python or Bash to scale cloud security operations and reduce manual effort.

Develop auto-remediation playbooks for common misconfiguration findings surfaced by Wiz or cloud-native tools. Incident Response Participate in cloud security incident investigations, perform root cause analysis using cloud-native logging (CloudTrail, GCP Audit Logs), and contribute to runbooks and playbooks for cloud-specific incident scenarios. Compliance & Security Architecture Support cloud-related audit and compliance requirements (SOC 2, ISO 27001) by maintaining evidence, documenting controls, and ensuring alignment with security frameworks.

Provide security input on new architecture designs, service adoptions, and cloud migration or multi-cloud expansion initiatives to ensure security is considered from day one. Skills & Qualifications Must-Have 4+ years of hands-on experience in cloud security, infrastructure security, or a related security engineering role. Strong hands-on expertise with AWS and/or GCP; covering IAM, network security, compute and storage security, encryption and key management, and cloud-native security tooling.

Hands-on experience with Wiz or a comparable CSPM platform (Prisma Cloud, Orca, or cloud-native equivalents) for posture management and risk prioritization. Experience managing secrets in AWS (Secrets Manager, SSM Parameter Store, KMS) and/or GCP (Secret Manager, Cloud KMS), including rotation, auditing, and incident response for leaked credentials. Experience securing CI/CD pipelines and reviewing Infrastructure-as-Code (Terraform strongly preferred).

Working knowledge of container security. Docker, Kubernetes, and managed services like EKS/GKE including image scanning, runtime security, and orchestration-level controls. Proficiency in scripting and automation using Python, Bash, or Go for security tooling and automated remediation.

Solid understanding of cloud security architecture patterns. Network segmentation, encryption at rest and in transit, secrets management, and zero-trust principles. Familiarity with CIS Foundations Benchmarks (AWS & GCP) and Well-Architected / Architecture Frameworks.

Strong networking fundamentals. TCP/IP, DNS, TLS, load balancing, and how they map to cloud constructs. Strong communication and collaboration skills; ability to work with DevOps, SRE, and engineering teams and drive security outcomes without being a bottleneck.

Good to Have: Cloud security certifications: AWS Security Specialty, Google Professional Cloud Security Engineer, CKS (Certified Kubernetes Security Specialist), or equivalent. Familiarity with service mesh security (Istio, Envoy) and API gateway security patterns. Exposure to DRM, content protection, or media streaming infrastructure security.

Familiarity with chaos engineering or adversarial simulation in cloud environments. Prior experience in a consumer tech, media, or high-scale platform company. You can get more updates, insights and everything behind the scenes at Pocket FM here - Pocket FM