SecOps Engineer

Role Overview

As a SecOps Engineer at Libra, you’ll lead the design, automation, and operation of security controls across our products and infrastructure trusted by top law firms and legal teams across Europe. You’ll secure internal and external traffic, identities, and data end‑to‑end building robust, observable, and compliant systems that enable fast, safe delivery through least‑privilege access, strong encryption, and continuous monitoring.

This is a high‑impact role for engineers who thrive at the intersection of detection, response, and platform engineering. You’ll work at the Merantix AI Campus in Berlin, partnering closely with our AI, Product and DevOps teams to own network and perimeter security, security reviews for changes and third‑party integrations, ensuring Libra’s security posture scales with our customer base.

What You Will Do:

• Own end-to-end security for internal and external traffic across Open Telekom Cloud (OTC) and Microsoft Azure, including network segmentation, mTLS, WAF, and IDS/IPS.
• Define and operate IAM and RBAC: role design, SSO/SCIM provisioning, least-privilege policies, and periodic access reviews across cloud, SaaS, and internal systems.
• Govern access to sensitive data and operational databases with policy-based controls, approval workflows, data masking, and query auditing.
• Implement and manage secrets and key management (e.g., vaulting, KMS/HSM), including rotation, revocation, and encryption standards.
• Build and operate audit logging and SIEM pipelines: log collection, correlation rules, alert tuning, dashboards, and on-call runbooks.
• Lead incident response readiness and execution: playbooks, tabletop exercises, forensics coordination, post-incident reviews, and continuous improvement.
• Drive vulnerability and patch management: integrate SCA/SAST/DAST into CI/CD, container/OS hardening, and remediation tracking.
• Secure endpoints, containers, and runtime systems using EDR, admission policies, baseline configurations, and sandboxing.
• Conduct security reviews and threat modeling for architecture changes, releases, and third-party integrations; ensure secure-by-default guardrails.
• Partner with DevOps and engineering to embed security controls into Terraform/Ansible, CI/CD pipelines, and the SDLC.
• Champion a security-first culture through clear standards, training, and pragmatic guidance.

What You Bring:

• Strong experience operating security controls in cloud environments, ideally Open Telekom Cloud (OTC) or OpenStack.
• Deep knowledge of IAM/RBAC, SSO/SCIM, and least-privilege access design.
• Proficiency in network and perimeter security (TLS/mTLS, WAF, IDS/IPS, VPN/Zero Trust).
• Hands-on experience with secrets and key management (Vault, KMS/HSM) and encryption best practices.
• Experience building and tuning SIEM, EDR, and log pipelines; strong detection engineering and incident response skills.
• Familiarity with vulnerability management and CI/CD security (SCA/SAST/DAST, container scanning) and system hardening (e.g., CIS benchmarks).
• Solid understanding of European data protection and security compliance (e.g., GDPR, ISO 27001/SOC 2) and how to operationalize controls.
• Excellent communication skills in English; German is a plus.
• Entrepreneurial mindset with a strong sense of urgency; self-starter who works independently while aligning to team goals.

What we offer:

• Permanent employment from day one.
• Remote work & flexibility: Work remotely up to 3 days per week (home office) (= 8 days a month in the office) with flexible working hours.
• Work abroad flexibly: Work from anywhere within the EU for up to 20 days within a twelve-month period.
• Rest & time off: 26 vacation days.
• Show your commitment: 1 additional day off per year for your volunteer work (Volunteer Day).
• Support for development: E-learning via LinkedIn, online language training with goFluent, and other training and development opportunities.

Our Interview Practices

To maintain a fair and genuine hiring process, we kindly ask that all candidates participate in interviews without the assistance of AI tools or external prompts. Our interview process is designed to assess your individual skills, experiences, and communication style. We value authenticity and want to ensure we’re getting to know you—not a digital assistant. To help maintain this integrity, we ask to remove virtual backgrounds and include in-person interviews in our hiring process. Please note that use of AI-generated responses or third-party support during interviews will be grounds for disqualification from the recruitment process.

Applicants may be required to appear onsite at a Wolters Kluwer office as part of the recruitment process.

Key skills/competency

• Cloud Security (Open Telekom Cloud, Azure)
• IAM/RBAC & SSO/SCIM
• Network and Perimeter Security (mTLS, WAF, IDS/IPS)
• Secrets & Key Management (Vault, KMS/HSM)
• SIEM & Detection Engineering
• Incident Response & Forensics
• Vulnerability Management (SCA/SAST/DAST)
• System Hardening (e.g., CIS benchmarks)
• Security Compliance (GDPR, ISO 27001/SOC 2)
• Security Automation (Terraform/Ansible)