Auckland, New Zealand · Full-time
Caruso is the AI-native fund administration platform for private markets. We replace legacy systems with modern software and integrated services, helping fund managers save time, impress investors, and grow AUM.
Since launching just over two years ago, Caruso has grown to $50B+ in assets, 500+ funds, and 75,000+ investors on the platform. We're growing 4× year-on-year, backed by committed investors, and expanding fast across Australasia and the United States.
Learn more at getcaruso.com.
Role summary
You will own cloud security across Caruso's AWS-hosted infrastructure: protecting a platform that manages over $50B in assets for fund managers and their investors. Working closely with the CTO and engineering team, you'll harden our AWS environments, ensure our ISO 27001:2022 ISMS controls remain effective, and embed security deeply into our development and release workflows. This is a high-ownership, high-trust role with real scope to shape how security is done at a fast-scaling fintech.
Infrastructure you'll secure
- Multi-account AWS organisation (us-west-2 and ap-southeast-2) with strict environment separation across dev, staging, and production
- Amazon ECS Fargate: containerised Go microservices communicating over gRPC/Protobuf behind Cloudflare WAF
- Aurora MySQL (multi-AZ, three-instance clusters), RDS Proxy, DynamoDB, S3, Kinesis, Lambda, SQS
- VPC-isolated private subnets; production DB access via Tailscale + SSH bastion (engineering leads only)
- Terraform (IaC) on Terraform Cloud; GitHub Actions CI/CD; Docker image pipeline through AWS ECR
- Consul for service discovery; Datadog + CloudWatch for observability; CloudTrail + Control Tower for audit
- AI services (Python) operating within the VPC, multi-provider (Anthropic, OpenAI, Gemini), Turbopuffer vector DB, Guardrail Agent
- Third-party integrations: Onfido (KYC), Cloudcheck (identity), Twilio, SendGrid, Segment
You might work on
- Continuous hardening of our AWS environment: IAM least privilege, service control policies (SCPs), Security Hub findings, GuardDuty tuning
- Reviewing and improving our Cloudflare WAF rules, rate limiting, ASN/geo-blocking posture, and DDoS response playbooks
- Embedding security scanning (SAST, DAST, dependency audits, container image scanning) into our GitHub Actions CI/CD pipeline