Caruso is the AI-native investor management and fund administration platform for private markets. More than 500 funds rely on Caruso to help manage over $50B in assets across 40,000 investors.
Since launching almost three years ago, Caruso has grown to $50B+ in assets, 500+ funds, and 75,000+ investors on the platform. We're growing 4× year-on-year, backed by committed investors, and expanding fast across Australasia and the United States.
We're hiring a Cloud Security Engineer, the first role of its kind in the company.
You will manage cloud security across Caruso's AWS-hosted infrastructure: protecting a platform that manages over $50B in assets for fund managers and their investors. Working closely with the CTO and engineering team, you'll harden our AWS environments, ensure our ISO 27001:2022 ISMS controls remain effective, and embed security deeply into our development and release workflows. This is a high-ownership, high-trust role with real scope to shape how security is done at a fast-scaling fintech.
Multi-account AWS organisation (us-west-2 and ap-southeast-2) with strict environment separation across dev, staging, and production
Amazon ECS Fargate: containerised Go microservices communicating over gRPC/Protobuf behind Cloudflare WAF
Aurora MySQL (multi-AZ, three-instance clusters), RDS Proxy, DynamoDB, S3, Kinesis, Lambda, SQS
VPC-isolated private subnets; production DB access via Tailscale + SSH bastion (engineering leads only)
Terraform (IaC) on Terraform Cloud; GitHub Actions CI/CD; Docker image pipeline through AWS ECR
Consul for service discovery; Datadog + CloudWatch for observability; CloudTrail + Control Tower for audit
AI services (Python) operating within VPC, multi-provider (Anthropic, OpenAI, Gemini), Turbopuffer vector DB, Guardrail Agent
Third-party integrations: Onfido (KYC), Cloudcheck (identity), Twilio, SendGrid, Segment
AWS: IAM, SCP, GuardDuty, Security Hub, CloudTrail, Control Tower, VPC, WAF, ACM
Infrastructure as Code: Terraform, GitHub Actions, Docker
Observability: Datadog, CloudWatch, CloudTrail
Zero-trust networking: Tailscale, Cloudflare
Programming context: Go (backend), Python (AI services), Next.js/Vercel (frontend)
Compliance: ISO 27001:2022, SOC 2 Type II, AUSTRAC AML/CTF, ASIC
Linear.app (Jira is officially banned)
Real scale and real complexity
High-end agentic tooling and frontier model access
Strong engineering team and real ownership
Premium office in Viaduct Harbour
MacBook Pro, dual screens, Apple peripherals, and AirPods Pro
Southern Cross health insurance
Extended parental leave and unlimited sick leave
Right to work in New Zealand
3+ years of hands-on cloud security experience, with deep AWS expertise
Strong working knowledge of AWS IAM, SCP, GuardDuty, Security Hub, VPC security design, and CloudTrail
Demonstrable experience embedding security tooling (SAST, container scanning, secrets detection) into CI/CD pipelines
Familiarity with ISO 27001 or SOC 2: either implementing controls or operating within a certified environment
Ability to review infrastructure-as-code (Terraform) and identify misconfigurations
Comfortable operating in a fast-moving product engineering team — pragmatic, not compliance-theatre
Bachelor degree or equivalent in Computer Science, Information Systems, Cybersecurity, or a related field
Comprehensive health insurance with Southern Cross.
Premium office space with luxury fit-out and water views, within close proximity to Auckland's best bars and cafes.
New workstation package including MacBook Pro, dual screens, Apple peripherals, AirPods Pro noise-cancelling headphones.
5 weeks' annual leave after 2 years' tenure, 6 weeks after 3 years' tenure.
Unlimited sick leave.
Generously extended maternity/paternity leave.