Founding Backend Engineer
Four-month contract (Months 2–5) · Converts to full-time at the end of Month 4 upon successful contract completion · Remote (US time zones) · $70/hour during contract phase.
About Acrivault
Acrivault is an early-stage cybersecurity SaaS company headquartered in Houston, Texas. We are building the AI-Native Non-Human Identity (NHI) Security Platform purpose-designed for mid-market technology, financial services, healthcare, and defense companies. Our architecture ships AI-native from the foundation: agent session replay, an AI Bill of Materials lineage graph, sub-millisecond prompt-injection detection, and SPIFFE-based workload attestation, all enforced within a 4.5-millisecond p99 authorization budget. We are at the founding stage and hiring the team that will define the company for the next decade.
About this role
We are hiring our Founding Backend Engineer: the second engineering hire after the Founding Lead Security Architect, and the engineer who will turn the architect’s specifications into production code. You will start as a four-month contract from Month 2 through the end of Month 5 and convert to full-time at the end of Month 4 upon successful contract completion. The conversion decision is made in Week 14 of the contract; full-time start is Week 17 (the beginning of Month 5).
You will build the platform’s control-plane services, the Discovery pillar (discover-svc, scan-worker, identity-graph-service), and significant portions of the Identity Firewall hot path. You will work directly with the Lead Security Architect, who hands you specifications, OpenAPI contracts, and architecture decision records — your job is to translate those into shipped production code that passes the architect’s seven evaluation criteria and the 4.5 ms p99 SLO.
What you’ll build
- Control-plane services: api-gateway, auth-service (SSO, SAML, MFA, JWT, RBAC, SCIM), tenant-service (multi-tenant onboarding, wave feature flags), billing-service (Stripe integration, per-tier metering), notification-service, reporting-service.
- Discovery pillar (Wave 1): discover-svc (scan orchestrator with SQS dispatch), scan-worker (500 concurrent workers using boto3/GCP/Azure SDKs plus Bedrock/Vertex/OpenAI for AI model discovery), identity-graph-service (the source-of-truth identity graph in Neo4j, plus the AI-BOM schema).
- Identity Firewall hot path (Wave 3) in close partnership with the architect: portions of the PDP (stateless Go service, OPA-compiled policy bundles), the PIP cache (Redis-backed sub-millisecond attribute lookup), portions of injection-detect (Llama Guard plus heuristic enricher).
- The first three customer-side PEP form factors: the language SDK (Go and Python), the Envoy filter, and the gRPC sidecar.
- Integration with the polyglot data layer: PostgreSQL 15+ (relational, schema-per-tenant, RLS), Neo4j Aura (identity graph plus AI-BOM lineage), ClickHouse (time-series telemetry plus AI session events), Redis 7+ (PIP cache plus sessions), S3 (audit log with object-lock plus WORM), Elasticsearch (full-text search), and the new vector store (pgvector or OpenSearch k-NN).
Required qualifications
- 5+ years of production backend engineering, with strong fluency in Go (primary) and Python (secondary). Production experience in TypeScript is a plus.
- Direct production experience building multi-tenant SaaS at scale: tenant isolation patterns (schema-per-tenant, RLS, hybrid), per-tenant rate-limiting, per-tenant data residency.
- Experience building sub-50-ms p99 services. You understand pprof profiling, escape analysis, allocation control, GC tuning, and the difference between a fast-path and a slow-path in a hot service.
- Production experience with at least three of: PostgreSQL 15+, Neo4j or another graph database, ClickHouse or another columnar store, Redis at cluster scale, Kafka or another event bus, OpenAPI 3.0 contract-first development, AWS SDK for cloud-resource enumeration.
- Comfort with Kubernetes (EKS in production), Istio mTLS service mesh, ArgoCD GitOps deployment, and OpenTelemetry observability.
- Strong written communication. You will read architecture documents and write design notes back to the architect for review.
Strongly preferred
- Production experience with OPA (Open Policy Agent), Cedar, or another XACML-pattern policy engine.
- Familiarity with SPIFFE/SPIRE workload identity, the SVID issuance flow, and the federated trust model.
- Experience integrating with AI agent frameworks: LangChain, CrewAI, AutoGen, MCP servers, Bedrock, Vertex AI, OpenAI Assistants API.
- Prior cybersecurity SaaS engineering experience, especially in NHI security, IAM, PAM, or cloud security posture management (CSPM).
- Open-source contributions to relevant projects (OPA, SPIRE, Envoy, Istio, Kubernetes, Terraform, popular AI agent frameworks).
Compensation and structure
- $65/hour, full-time engagement (35-40 hours per week), 1099 status.
- Month 4 conversion decision in Week 14: founder and architect jointly make a written conversion decision against three criteria (shipped code quality 40%, system design judgment 35%, team collaboration 25%). A composite score of 4.0/5 or higher converts to full-time at Week 17.
- Month 5 full-time conversion: $165,000 annual base salary, full-time W-2 employee.
- Equity: 0.40-0.50% (8,000-10,000 shares of a 2,000,000-share cap table), four-year vesting with credit backdated to the Month 2 contract start date.
- Full health, dental, and vision benefits. Unlimited PTO with 20-day minimum. $3,000 annual professional development budget. $1,500 home-office stipend. Company-issued MacBook Pro through Electric.ai from Day 1 of the contract.
The conversion mechanic
Unlike most contract-to-hire arrangements, the Backend Engineer’s conversion decision is made in Week 14 of the contract — six weeks before the contract ends. The architect and founder jointly score the engineer against three documented criteria. If the score is 4.0/5 or higher, the conversion offer goes out the same week with a Week 17 full-time start. If the score is below 4.0, the contract runs to its natural Month 5 end with a closing bonus and a professional reference. This mechanic gives the strongest candidates certainty before they accept competing offers and gives the company an early-termination option if the engineer is not the right fit.
How to apply
Send a single email to the application address on this posting. Include: (1) a one-page resume or LinkedIn URL, (2) a GitHub profile URL plus one public repository you are proud of (or, if all your work is closed-source, a short paragraph describing one production service you built — what it did, how you designed it, what trade-offs you made), (3) a one-paragraph answer to the question “how would you approach a 4.5 ms p99 budget for a stateless authorization service replicated across three AZs?” — the question is the first interview signal.