Senior Infrastructure Security Engineer at MatterLabs

About Matter Labs

Matter Labs develops private settlement infrastructure that enables regulated institutions to settle directly with each other without exposing sensitive data, relinquishing control, or enduring lengthy delays. Global finance processes $4 quadrillion annually on systems often designed for legacy methods, and these institutions, from DTCC to NYSE and major banks, are actively seeking modern replacements. We are building the next generation of these systems.

Our flagship product, Prividium, provides each institution with its own private settlement environment, a 'Prividium Zone.' This zone features independent governance and built-in interoperability across various counterparties, asset classes, and jurisdictions. Settlement is achieved through zero-knowledge proofs, allowing one party to validate a transaction without revealing any underlying data to the counterparty. We are the only private settlement infrastructure built on zero-knowledge cryptography.

Founded in 2018 and backed by prominent investors like a16z and Union Square Ventures, Matter Labs operates as a fully remote team of approximately 90 professionals. With eight years of experience in production zero-knowledge infrastructure, we are now tackling the most significant challenges in institutional finance.

About the Role

Join Matter Labs as a Senior Infrastructure Security Engineer and play a key role in securing the corporate and production infrastructure that powers ZKsync. You will take ownership of defenses across identity, endpoint, and detection-and-response systems. Collaborating closely with IT Ops, DevOps, Protocol Security, and Engineering teams, you will embed security as a fundamental aspect of our operations, rather than a mere checkpoint.

This position is ideal for an individual who prefers building robust detections over merely triaging alerts and is driven by the mission of protecting open-source, decentralized infrastructure. Matter Labs maintains a lean, high-leverage security organization; you won't be just one of many engineers. You will own the corporate detection-and-response stack and have direct access to the team building ZKsync. This work is impactful, as this infrastructure safeguards an open-source ecosystem, its contributing team, and a substantial amount of value transacting on Ethereum L2.

Key Responsibilities

• Identity & Collaboration Security: Own the security configuration of our identity and collaboration stack, including identity and access policies, third-party app governance, Data Loss Prevention (DLP), context-aware access, and admin audit. Drive least-privilege principles and phishing-resistant Multi-Factor Authentication (MFA) across the organization.
• Detection & Response: Build, tune, and maintain detection systems. Design effective response playbooks for high-signal alerts, integrate new log sources, and manage the detection-as-code pipeline. Focus on reducing Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) during actual incidents.
• Cloud & Infrastructure Security: Strengthen our cloud infrastructure, Kubernetes clusters, and Continuous Integration/Continuous Delivery (CI/CD) pipelines. Review Infrastructure as Code (IaC) for security vulnerabilities, implement preventative guardrails, and partner with DevOps on secrets management and supply-chain controls.
• Endpoint Security: Manage the security posture of the endpoint estate, including Mobile Device Management (MDM) configuration, baseline hardening, Endpoint Detection and Response (EDR) tuning, and endpoint telemetry. Ensure security controls are effective without negatively impacting engineer productivity.
• Incident Response: Lead and participate in end-to-end security incident investigations, covering containment, forensics, root cause analysis, remediation, and post-mortem reviews. Continuously improve runbooks and detection capabilities after every incident.
• Secure Systems Design: Conduct threat models and architecture reviews for new internal systems and infrastructure changes. Translate findings into concrete, prioritized tasks rather than just lists of concerns.
• Cross-Team Collaboration: Work effectively with Protocol Security, DevOps, IT Ops, and Product Engineering teams. Raise risks constructively, communicate clearly, and influence without needing direct ownership of every system.

What We're Looking For

Must Have

• 5+ years of hands-on infrastructure or detection-and-response security experience.
• Production experience securing a cloud-based identity and collaboration platform at scale, beyond default settings. You should be able to discuss specific policies implemented, third-party app governance managed, and incidents handled.
• Hands-on experience with modern SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) tools: including writing detections, onboarding log sources, building response playbooks, and tuning to minimize false positives.
• Strong cloud security background, encompassing Identity and Access Management (IAM), network controls, workload identity, and organization-level guardrails.
• Practical experience securing a macOS-dominant endpoint fleet: including MDM, endpoint hardening baselines, and EDR. Comfort in analyzing Mac-specific attack paths and telemetry.
• Familiarity with Infrastructure as Code, secrets management, and security automation.
• Demonstrable incident response experience, including being on-call for security and leading investigations to conclusion.
• Clear, constructive technical communication skills for both engineering and non-engineering stakeholders.

Nice to Have

• Blockchain / Web3 Exposure: Familiarity with the security considerations of decentralized infrastructure, validator/sequencer operations, key management for on-chain systems, or hot/cold wallet operations. A background in Ethereum, Solidity, or ZK-related technologies is a bonus.
• Compliance Framework Experience: Experience with SOC 2 and ISO 27001. This includes helping a security team build or maintain controls under one or both frameworks, engaging in evidence collection, control design, working with auditors, and mapping technical safeguards to control criteria. Ability to translate compliance requirements into practical engineering work without letting compliance dictate engineering decisions.
• Kubernetes Security: Knowledge of admission control, runtime detection, and supply chain security within Kubernetes.
• Detection Engineering as Code: Experience with Git-based rule management, CI for detections, and purple-team validation.
• Lean Security Team Experience: Prior experience in small security teams where you owned a domain end-to-end rather than a narrow specialization.

Work Model & Pay

• Remote-first: Work from anywhere you are most effective, with optional travel for team or industry events. Ideally, candidates should be located in East Coast or European time zones.
• Freedom & Ownership Culture: We operate with no time tracking and minimal bureaucracy; only results matter. For more details on our work culture, please consult our Team Handbook.

Matter Labs is committed to building a diverse team of highly intelligent, passionate, curious, and creative individuals. We believe that a dynamic team with varied perspectives is essential to developing our exceptional product. We take great pride in being an equal opportunity employer.