Senior Platform Engineer
Listed on 2026-06-04
IT/Tech
Systems Engineer, Cybersecurity
If you are unable to complete this application due to a disability, contact this employer to ask for an accommodation or an alternative application process.
Full Time
Position Summary
Rekor is hiring a Senior Platform Engineer to absorb growing scale and turn it into durable capability. Our engineering organization has accelerated delivery significantly through AI-assisted development, and we need a platform engineer who can keep pace with that throughput while maintaining the security, change management, and audit controls our SOC 2 posture requires.
This is a hands‑on role on a small, high‑leverage platform team. You will own large parts of our AWS footprint, our CI/CD pipelines (Jenkins, GitHub Actions, and ArgoCD), our container platforms (EKS and ECS), and the controls that keep all of it auditable. You will partner directly with cloud, ML, embedded, and QA teams across our Scout, Discover, and Command product lines.
What You’ll Do
Keep Delivery Velocity High
- Own and continuously improve our CI/CD platform across Jenkins, GitHub Actions, and ArgoCD. Build reusable workflows, templated pipelines, and GitOps delivery patterns so engineers ship through paved paths rather than reinventing them.
- Eliminate platform bottlenecks that slow product teams down. Where engineers are waiting on infrastructure changes, fix the underlying capability so they don’t have to wait next time.
- Build and maintain reusable Terraform, AWS CDK, and CloudFormation modules so new services come up with the right defaults and don’t require platform involvement on every change.
- Provide self‑service patterns for common needs: new services, queues, databases, edge ingestion, ML inference, and async workers.
- Treat the pipeline as the safety net. Wire SAST, secret scanning, IaC policy checks (Checkov, tfsec, OPA), dependency scanning, and license compliance into CI as non‑negotiable gates.
- Build supply chain controls into the platform: signed artifacts, SBOM generation, and provenance tracking that hold up under audit.
- Catch the predictable failure modes of AI‑generated code (hardcoded secrets, over‑permissioned IAM, misconfigured storage, vulnerable dependencies) automatically, before they reach production.
- Make the secure path the easy path. If a control requires engineers to remember it, it will eventually be skipped.
- Treat SOC 2 evidence as a continuous output of the platform, not a once‑a‑year scramble. Change approvals, access reviews, deployment logs, and configuration history should all be queryable on demand.
- Codify access management with least‑privilege defaults across AWS accounts, Kubernetes, and CI/CD systems. Drive periodic access reviews through automation.
- Maintain documented change management workflows that satisfy auditor requirements without slowing engineers down.
- Own secrets management end‑to‑end: rotation, scoping, audit trails, and remediation paths.
- Partner with Security and Compliance on annual audit cycles. Provide evidence on demand and close findings before they become repeat findings.
- Architect and maintain AWS infrastructure across our multi‑account organization (Scout, Shared, Command, Discover, IT, Finance) with clear isolation, cost attribution, and blast‑radius control.
- Operate EKS and ECS as production‑grade platforms, including upgrades, autoscaling, and platform‑level security policies.
- Drive cost efficiency through right‑sizing, reserved capacity strategy, autoscaling and scheduled scaling policies, and architectural choices. Implement cost monitoring and budget alerts that surface anomalies early, and make cost data visible to the teams that can act on it.
- Own observability defaults across CloudWatch and our broader telemetry stack so product teams get metrics, structured logs, and traces without per‑service work. Cloud‑native instrumentation should be a paved path, not a project.
- Design and maintain alerting in PagerDuty so on‑call engineers get paged only on actionable, relevant signals. Drive down alert fatigue, tune thresholds with the teams that own the services, and keep every paging alert tied to a runbook and a clear owner.