Senior DevOps Engineer (Product Security) - WHOOP

Job Title: Senior DevOps Engineer (Product Security)
Job Location: Boston, MA
Job Listing URL: https://jobs.lever.co/whoop/90d7932b-de61-4445-9b36-006dbf3a2bab
Job Description: At WHOOP, we're on a mission to unlock human performance. WHOOP empowers members to perform at a higher level through a deeper understanding of their bodies and daily lives. We are looking for motivated engineers to join our team on our mission.

The Software Platform group focuses on building technology that enables rapid user growth worldwide and accelerates product development across our entire software organization, while ensuring stability, security, and compliance. We handle massive amounts of data continuously streaming to the cloud from everyday people to elite athletes. The team builds shared services and custom tooling that enables our developers to deliver value to those customers.

We are looking for a Senior Dev(Sec)Ops Engineer to join our team and take ownership of advancing secure cloud infrastructure and engineering practices across the organization. You’ll collaborate with infrastructure, product and data science teams to drive security governance, infrastructure automation, and secure development practices in a high-scale AWS environment.
RESPONSIBILITIES:
Drive security governance across AWS environments, advocating for and implementing secure-by-default configurations, IAM access controls, and policy-as-code frameworks.
Design and implement infrastructure as code using tools like Terraform and Spacelift to manage cloud infrastructure in a scalable and auditable way.
Collaborate with Data Science, Platform, and Product teams to embed security into the software delivery lifecycle, CI/CD pipelines, and runtime environments
Develop guardrails and monitoring to detect and prevent misconfigurations, insecure defaults, and policy violations.
Implement and manage risk mitigation strategies for cloud infrastructure, including automated backups, disaster recovery planning, and data retention policies to ensure business continuity and data integrity.
Act as a security champion, educating engineers and stakeholders on cloud security principles, secure infrastructure design, and compliance requirements.
Participate in incident response and remediation efforts related to cloud or infrastructure security events.
Support compliance initiatives (e.g., SOC2, GDPR, SaMD) by ensuring infrastructure controls are auditable, testable, and well-documented.
QUALIFICATIONS:
5+ years of experience in DevOps, Site Reliability, or Cloud Engineering roles, with a focus on securing cloud infrastructure.
Expertise in AWS services and architectures, including networking, IAM, EC2, S3, RDS, CloudTrail, Config, IdentityCenter, Organizations and Lambda.
Proven experience with infrastructure as code tools like Terraform (preferred), AWS CDK, or Pulumi in production environments.
Strong foundation in cloud security best practices, including least privilege access, resource isolation, logging/monitoring, and vulnerability management.
Hands-on experience with container orchestration and infrastructure platforms (e.g., Kubernetes, EKS).
Strong scripting or programming skills in languages like Java, Python, Javascript, Go, and/or Bash.
Familiarity with CI/CD pipelines, secrets management, and automated security scanning and monitoring tools (e.g., SAST, CNAPP, SIEM, etc).
Bonus: Experience with modern web hosting technologies, including Cloudflare, CDN management, TLS/SSL certificate handling, and DNS configuration for scalable and secure application delivery.
Bonus: Experience working in environments with SOC2, HIPAA, or GDPR compliance requirements.
ABOUT YOU:
You’re a proactive problem-solver who thrives on ownership and is passionate about raising the security bar.
You prioritize automation in everything you do, continuously seeking opportunities to streamline processes and eliminate manual steps through reliable, scalable tooling.
You enjoy working cross-functionally and can clearly communicate complex security issues to both technical and non-technical stakeholders.
You understand that security is a shared responsibility and believe in building guardrails over roadblocks.
You value quality, reliability, and visibility as much as speed and scale.