Senior DevOps/DevSecOps Engineer

Department: Security | Reports to: DevSecOps Lead 

ExpressVPN is looking for a Senior DevOps / DevSecOps Engineer to join our DevSecOps team and help us run, secure, and continuously improve the cloud infrastructure that powers our VPN, identity, payments, and AI services across multiple AWS accounts and regions. This is a hands-on engineering role for someone who is comfortable owning systems end-to-end — from an OpenTofu module to a production EKS cluster — and who treats security as a first-class concern rather than an afterthought. 

Who you are 

You're a natural problem solver, comfortable in ambiguity, and you ask the questions that need to be asked. A lack of clarity is something you can't settle for, and you push back when the balance between effort and impact seems off. 

You have a growth mindset — collaborative, willing to hear ideas from your colleagues, and equally willing to share your knowledge and mentor others. You think in systems, you care about blast radius, and you'd rather spend an hour writing an OpenTofu module the right way than copy-paste-edit your way through a fleet outage at 3 AM. 

What you'll do 

You'll own and evolve large parts of our cloud platform, with a strong DevSecOps lean. You can expect to: 

• Design, build, and maintain AWS infrastructure across multiple accounts and regions using OpenTofu / Terraform managed via Scalr (TACOS), built on top of our shared module library. 
• Operate and improve our Amazon EKS fleet — multiple production and staging clusters across us-east-1, eu-central-1, and APAC — covering node lifecycle, HPA tuning, IRSA, networking, upgrades, and capacity planning. 
•  Build and maintain CI/CD pipelines in GitHub Actions — Docker build/push to ECR, ECS task-definition register/update, Helm chart deploys, and reusable workflows that other teams compose against. 
• Run and improve our observability stack — Grafana, Prometheus, Loki, Tempo — including the collection pipelines (Grafana Agent on EKS, ADOT collector sidecars on ECS Fargate). Help engineers turn “no data” into good signal without blowing up cardinality or cost. 
• Own and extend our zero-trust access model based on Pomerium — onboarding new internal services, defining group-based access policies in Okta, and helping app teams trust JWT headers instead of rolling their own auth. 
• Harden our identity and access posture — Okta-driven AWS SSO, IAM role design, secret rotation, OPA policies for IaC, and routine review of CVE exposure across our container images and managed services. 
•  Provide a small but meaningful footprint of release engineering for our desktop and mobile clients (Windows, Linux, Apple, Android) — automation, signing, artifact distribution, and release-pipeline maintenance.
• Develop and maintain Python (and other-language) tooling to automate release pipelines, deployment workflows, AWS housekeeping, and cross-account operations. 
• Partner with product engineering teams to integrate new services into the platform — VPC wiring, service discovery, observability defaults, secrets, deploy pipeline. 
• Act as a liaison between product engineering and the operations / TrustedServer teams that maintain VPN and on-prem infrastructure. 
•  Mentor more junior engineers, lead by example on operational rigor, and help the team raise the bar on DevSecOps best practices. 

What you'll bring 

• 6–8 years of hands-on experience in a DevOps, DevSecOps, SRE, or Platform Engineering role. 
• Bachelor's degree in Computer Science, Engineering, or equivalent practical experience. 
• Strong working knowledge of AWS — VPC, IAM, ECS Fargate, EKS, Lambda, Step Functions, S3, SQS, Route53, ALB/NLB, KMS — across multi-account environments. 
• Production experience with OpenTofu or Terraform at scale, including writing and consuming modules. Familiarity with a TACOS (Scalr, Spacelift, Terraform Cloud, env0) is a plus. 
• Required: hands-on Kubernetes / EKS experience running production workloads — not just kubectl get pods. Comfortable debugging HPAs, ingress controllers, OOMs, scheduling issues, and rolling cluster upgrades. 
• Strong CI/CD experience, ideally with GitHub Actions, including reusable workflows, OIDC-based cloud auth, and image build/push patterns. 
• Comfortable in Python as your primary scripting language, plus enough fluency in at least one other language (Go, TypeScript, Bash, etc.) to read and modify code from the teams you support. 
• Solid understanding of observability — metrics, logs, traces — and what good looks like for SLO-driven services. 
• Security-minded: you understand IAM least privilege, secret hygiene, supply-chain risk, and the difference between checking a compliance box and actually being secure. 
• Excellent problem-solving, written communication, and the ability to mentor and lead by influence rather than title. 

Nice to have 

• Experience with Pomerium, OAuth/OIDC, or other zero-trust access proxies. 
• Experience with Helm chart authoring and release flows. 
• Experience with Grafana OnCall, alerting design, and incident response.
• Experience operating identity systems at scale (Keycloak, Okta, or similar). 
• Bare-metal / on-prem operational experience to complement cloud work. 

How we'll support you

• We believe in fostering an environment that empowers decision-making at all levels. Our culture is rooted in the inverted pyramid approach, where the engineers, who have a deep understanding of the product and the customers, are the ones who have the knowledge and the authority to make impactful decisions. 
• We treat every team member with respect and promote open and constructive feedback, ensuring a culture of trust and transparency. 
• We encourage learning through experimentation and provide a safe space for everyone to learn from their experiences. 
• Our managers are dedicated to facilitating career growth and creating an environment that attracts and supports high-performing engineers.