Join Our Team in Securing the Future — One Identity at a Time
Forward Deployed Engineer
- Full-time
- Remote
If you are a California resident, by submitting your application, you agree that your personal data is subject to Defakto’s Applicant Privacy Notice.
About Defakto
Defakto is building the first complete Non-Human Identity (NHI) and Access Management platform. Non-human identities (services, machines, CI/CD pipelines, and now AI agents) already outnumber human ones by an order of magnitude, and almost all of them authenticate with static credentials and overprivileged service accounts that nobody discovers, rotates, or governs. That is the problem we exist to solve: give every non-human actor a real, dynamic, cryptographically verifiable identity instead of a shared secret.
We raised a $30.75M Series B in late 2025 (led by XYZ Venture Capital, with The General Partnership, Bloomberg Beta, WndrCo, and J.P. Morgan), bringing total funding to roughly $50M. As enterprises race into the agentic era, every new AI agent is one more non-human identity that needs to be issued, scoped, and audited, which is exactly why NHI has become a board-level security problem.
The role
When a customer puts Defakto in front of their non-human identity problem, you’re the engineer who makes it real in their environment. Our customers are Fortune 50 to Global 2000 enterprises, collectively running billions of workloads spread across the planet. These applications run in their own data centers and across multiple cloud providers. The environments include Kubernetes, serverless compute, Linux, Windows, and mainframe OSes built decades ago. All need a coherent, interoperable identity. Our platform sits at the center of how an organization assigns, discovers, and governs non-human identity.
Our customers balance security, interoperability, ease of use, and compliance in high-volume production systems that cannot break. You’ll own those complex deployments end to end. You’ll sit across the table from skeptical security teams and platform engineers who have seen a dozen tools overpromise, and you’ll earn their trust by being the person in the room who understands NHI, the workload-identity primitives underneath it (SPIFFE, PKI, OAuth), and their infrastructure better than they expect.
The Defakto platform has to land cleanly in a customer’s existing world, so a large part of the job is integration: Federating into cloud IAM and authorization services, plugging into the standards customers already speak, bridging to Active Directory, and migrating workloads off the static secrets and API keys they rely on today without breaking the things that depend on them.
You write production code when the path forward depends on it. You take what you learn in the field and push it back into the product. You are the first and last line of technical defense.
This is not a demo-and-handoff role. You own the outcome.
What you’ll own
- Enterprise deployments of the Defakto platform, end to end: scoping, trust-domain and attestation design, integration, and production rollout across on-prem, multi-cloud, and hybrid environments.
- Stand up the full platform in customer environments, wiring Mint, Ship, Ledger, Trim, and Mind into real workloads, pipelines, and AI agents, so that they can be operated without you.
- Earn technical trust. You can explain an identity architecture decision to a CISO and a Kubernetes platform lead in the same meeting, and be right.
- Diagnose distributed-systems problems where the answer is buried in network topology, mTLS handshakes, or attestation flows, not in an obvious log message.
- Write and ship production code. Build the integrations, tooling, and open-source libraries that make deployments repeatable, and contribute fixes and features directly to the core platform.
- Codify the field into the product. Solve every deployment problem with a reusable pattern, a tool, or a product enhancement, and carry it back to engineering with the evidence to make the case.
- Produce the technical artifacts that scale you: Architectures, runbooks, reference implementations, and deep-dive sessions for engineering teams and executives.
What we need
- Relentless curiosity about the customer: You are constantly asking about the business problems they’re trying to solve, and seeking to understand their technical constraints.
- 5+ years deploying and operating enterprise infrastructure software
- Production-grade coding ability. You’re either fluent in Go or can learn it quickly, and you know how to use Python/Bash for the connective tissue. You can own and maintain a codebase, not just script around the edges.
- Hands-on identity and security fundamentals: How machines and services authenticate, PKI and certificate lifecycle, and secret management. You have mastered at least one workload-identity or IAM system, you understand why its policies are modeled the way they are, and you can reason about the NHI problem above any single protocol.
- Production Kubernetes: Deploying, operating, and debugging real workloads beyond kubectl apply.
- Linux administration and troubleshooting in production, under pressure.
- At least one major cloud (AWS, Azure, or GCP) in depth, including secure-by-default IAM, networking, and secret management.
- Identity federation and integration fluency: You can make one identity system trust another. You have worked hands-on with the standards customers actually run (OIDC, OAuth, mTLS, SAML), federating into cloud IAM and authorization services, integrating with Active Directory, and migrating workloads off static secrets and API keys without an outage.
- Proven technical writing and presentation skills. You can make architecture clear to engineers and credible to executives.
What sets you apart
- Hands-on SPIFFE/SPIRE experience in production: Running it, not just reading the spec.
- Go experience in a security context: You’ve built or maintained something where it mattered to get the security and cryptography right.
- CI/CD security: The credential and secrets problems that live inside pipelines (e.g. GitHub Actions, Jenkins, Buildkite).
- Service mesh: Istio, Linkerd, and the failure modes that come with them.
- Agentic AI / LLM identity: You’ve thought about how AI agents authenticate, what they’re allowed to do, and how you’d prove it after the fact.
- Container security and identity-systems depth: Beyond the basics.
- Heterogeneous, enterprise experience: You’ve worked across legacy systems (mainframes, long-lived on-prem infrastructure) and modern cloud-native stacks, and you’re comfortable designing for environments with hundreds of thousands of workloads.
- Experience in regulated environments like finance, healthcare, or government, and comfort with the audit, compliance, and “prove it” conversations that come with them.
Travel and logistics
This role is customer-facing and hands-on, including onsite time. Expect 25-30% travel, including international trips of 1-2 weeks at a time.