Founding Lead Security Architect

Full-time  ·  Contract-to-hire from Month 1  ·  Remote (US time zones, with quarterly Houston visits)  ·  $185,000 base.

About Acrivault

Acrivault is an early-stage cybersecurity SaaS company headquartered in Houston, Texas. We are building the AI-Native Non-Human Identity (NHI) Security Platform purpose-designed for mid-market technology, financial services, healthcare, and defense companies. Our architecture ships AI-native from the foundation: agent session replay, an AI Bill of Materials lineage graph, sub-millisecond prompt-injection detection, and SPIFFE-based workload attestation, all enforced within a 4.5-millisecond p99 authorization budget. We are at the founding stage and hiring the team that will define the company for the next decade.

The role

We are hiring our Founding Lead Security Architect — the single technical authority for Acrivault’s platform architecture. You will own the v2 reference architecture end-to-end across eight tiers, twenty microservices, seven data stores, and five engineering pillars (Discovery, Governance, Identity Firewall, Lifecycle, AI Intelligence). You will hand the specifications to a Backend Engineer and a Frontend Engineer to build, and you will sign off on every milestone before payment is released.

This is a hands-on architect role, not a director role. You will write the architecture documents, design the data models, specify the OpenAPI contracts, define the SPIFFE/SPIRE workload-identity issuance, design the 4.5 ms p99 authorization path, and shape the polyglot data layer, including the vector store powering injection-detect and the AI-BOM lineage graph. You will also write significant production code in the first six months — particularly in the Identity Firewall hot path (PDP, attestation-svc, injection-detect) and the AI Intelligence pillar (agent-session-svc, ai-bom-service, replay-api).

What you’ll build

  • The full AI-Native reference architecture: eight tiers (Customer Environment, Edge & Ingress, Unified Control Plane, Discovery, Governance, Identity Firewall, AI Intelligence, Lifecycle, Data Layer, Security & Infrastructure Foundation, Compliance & Residency).
  • The Identity Firewall hot path: PDP (stateless Go service, 3-AZ replicated, 99.99% SLA), attestation-svc (SPIFFE/SPIRE workload identity verification), injection-detect (sub-millisecond prompt-injection enricher running Llama Guard plus heuristics), all inside a 4.5 ms p99 envelope.
  • The AI Intelligence pillar (new in v2): agent-session-svc capturing every AI agent session as a replayable timeline in ClickHouse, ai-bom-service maintaining the AI Bill of Materials lineage graph in Neo4j, replay-api powering the dashboard timeline viewer.
  • The Tier 8 Compliance & Residency primitives that make Day-1 NIST CSF 2.0 plus HIPAA-readiness real: PHI/PII Classifier, Residency Router, Evidence Collector, Immutable Audit Trail.
  • The fourteen architectural deliverables that the rest of the engineering team builds against: System Architecture Diagram, Database Schema, Terraform IaC, OpenAPI Specification, Security Architecture Document, Technology Decision Record, Multi-Tenant Onboarding Flow, Capacity Planning Document, Canonical Event Schema, SIEM Connector Plugin Framework, PDP/PEP Reference Architecture, Behavioral Feature Specification, Modularity Contract, Architecture Walkthrough Recording.

What you’ll do in your first six months

  • Months 1-2: deliver the System Architecture Diagram, Database Schema, and OpenAPI Specification. Hand the Backend Engineer everything they need to start building. Establish the engineering operating cadence with the TPM.
  • Months 3-4: deliver the Terraform IaC, the Security Architecture Document, the Technology Decision Record, and the Canonical Event Schema. Write production code for the PDP and attestation-svc. Ship the first end-to-end Discovery wave for design-partner validation.
  • Months 5-6: deliver the SIEM Connector Plugin Framework, the Behavioral Feature Specification, and the Modularity Contract. Ship the Identity Firewall hot path to design partners. Pass the SOC 2 Type 1 audit at Month 6.

Required qualifications

  • 10+ years of software architecture experience, with at least 5 years designing distributed systems at scale in cybersecurity, cloud infrastructure, identity, or developer-tooling SaaS.
  • Direct experience with one or more of: XACML-pattern policy engines (OPA, Cedar, AuthZed/SpiceDB), SPIFFE/SPIRE workload identity, PDP/PEP reference architectures, sub-10-ms p99 authorization paths.
  • Production experience with multi-tenant SaaS at scale: schema-per-tenant or row-level-security PostgreSQL, multi-region deployment, polyglot persistence (relational + graph + time-series + cache + object store).
  • Strong production code in both Go (primary platform language for the Identity Firewall hot path) and Python (AI Intelligence pillar, scoring engine). TypeScript exposure is a plus for control-plane services.
  • Direct experience designing for SOC 2, ISO 27001, HIPAA, PCI-DSS, or HITRUST compliance. You have sat across from an auditor. You know what “evidence in scope” means.
  • Excellent written communication. You will write architecture documents that the entire engineering team builds against. Clarity and concision matter as much as technical depth.

Strongly preferred

  • Experience with the modern AI agent surface: LangChain, CrewAI, AutoGen, Anthropic Computer Use, MCP servers, Bedrock, Vertex AI, HuggingFace.
  • Familiarity with the NHI security category and competitors: Astrix (acquired by Cisco), Aembit, Entro, Oasis, Clutch, Token Security, P0 Security, SGNL (acquired by CrowdStrike).
  • Prior founding-stage experience at a Seed or Series A cybersecurity SaaS company.
  • Speaking experience at security conferences (RSA, Black Hat, Defcon, KubeCon, BSides, Identiverse) — not required, but signals category authority that helps with hiring and design partners.

Compensation and structure

  • From Month 1: $165,000 - $175,000 annual base salary, full-time W-2 employee.
  • Full health, dental, and vision benefits. Unlimited PTO with 20-day minimum. $3,000 annual professional development budget. Quarterly Houston visit travel reimbursed.

How to apply

Send a single email to the application address on this posting. Include: (1) a one-page resume or LinkedIn URL, (2) one architecture document you have authored (open-source design doc, RFC, ADR, or a written sample under NDA-with-redaction is fine), (3) a one-paragraph answer to the question “what is the most under-appreciated trade-off in sub-10-ms-p99 authorization architecture?” — the question is the first interview signal.