Senior Security WAF Engineer

KS Overland Park, United States

Empower

Our vision is to transform financial lives through advice, people and technology. Our mission is to empower financial freedom for all.

Our vision for the future is based on the idea that transforming financial lives starts by giving our people the freedom to transform their own. We have a flexible work environment, and fluid career paths. We not only encourage but celebrate internal mobility. We also recognize the importance of purpose, well-being, and work-life balance. Within Empower and our communities, we work hard to create a welcoming and inclusive environment, and our associates dedicate thousands of hours to volunteering for causes that matter most to them.

Chart your own path and grow your career while helping more customers achieve financial freedom. Empower Yourself.

What you will do:

WAF & Firewall Security Engineering

  • Deploy, configure, and optimize WAF policies using Cloudflare WAF, AWS WAF, and Palo Alto Networks firewalls.
  • Fine-tune security rules, signatures, and bot mitigation policies to block OWASP Top 10 threats, API abuse, and zero-day vulnerabilities.
  • Manage Palo Alto Networks firewalls, including:
    • Threat Prevention, URL Filtering, Application-Based Filtering, SSL Decryption, and Advanced Threat Protection.
    • NGFW policies and rule tuning to block L7 attacks, botnets, and advanced persistent threats (APTs).
    • Logging, alerting, and correlation of firewall events within SIEM.
  • Integrate WAF and firewall security policies with SIEM (Splunk, ELK) and SOAR solutions for improved threat intelligence sharing and automated response.

Layer 7 Application DDoS Protection & Remediation

  • Detect, analyze, and mitigate Layer 7 DDoS attacks, including:
    • Slowloris, HTTP Floods, Recursive GET/POST attacks, API abuse, and bot-driven volumetric attacks.
    • Malicious bot traffic, headless browsers, and scraping attacks targeting web applications.
  • Remediate Layer 7 DDoS attacks by:
    • Implementing Palo Alto Auto-Blocking Rules and Cloudflare Advanced Rate Limiting.
    • Deploying traffic anomaly detection and automated WAF rule adjustments.
    • Enforcing CAPTCHA challenges, JavaScript challenges, and behavioral-based bot detection.
    • Geo-blocking malicious IPs and ASN-based filtering for high-risk traffic sources.
  • Automate DDoS remediation playbooks using Terraform, Python, and API-based integrations for dynamic WAF/firewall adjustments.
  • Perform post-attack forensic analysis to improve future detection and prevention capabilities.

Infrastructure as Code (IaC) & Security Automation

  • Automate WAF and firewall rule deployment using Terraform to standardize security enforcement.
  • Develop Terraform modules for Cloudflare WAF and Palo Alto Networks firewalls to manage security configurations at scale.
  • Integrate security policies with CI/CD pipelines to enforce security best practices in DevSecOps workflows.
  • Create self-healing security automation that dynamically adjusts WAF and firewall rules in response to active threats.

Indicators of Compromise (IoC) & Threat Detection

  • Analyze IoCs from WAF logs, Palo Alto firewalls, SIEM alerts, and external threat intelligence sources to detect advanced threats.
  • Investigate malicious Layer 7 traffic behaviors, API exploitation, bot-driven attacks, and application-layer intrusions.
  • Develop and deploy custom security signatures for real-time threat prevention on Cloudflare WAF and Palo Alto Firewalls.
  • Correlate IoCs across WAF, firewall, and cloud security tools to build a proactive threat defense model.

Incident Response & Risk Mitigation

  • Act as a Tier 3 escalation point for complex WAF, firewall, and Layer 7 DDoS security incidents.
  • Implement real-time DDoS mitigation strategies to minimize service disruption and protect critical web applications.
  • Work closely with Red Team / Blue Team exercises to validate WAF and firewall security controls against simulated attack scenarios.

Compliance & Governance

  • Ensure WAF and firewall configurations comply with PCI-DSS, NIST 800-53, ISO 27001, GDPR, and CIS security standards.
  • Conduct security audits and ensure that all security policies are version-controlled using Terraform and Git.
  • Maintain audit logs and security policies as code to support compliance and operational resilience.
  • Participate in 24x7 on-call rotation
  • Perform related duties as requested

What you will bring:

  • 5+ years of experience in WAF security engineering, Layer 7 DDoS mitigation, and network security.
  • 5+ years of expertise in Cloudflare WAF, AWS WAF, and Palo Alto Networks firewalls.
  • Hands-on experience in Layer 7 DDoS detection, remediation, and real-time security automation.
  • Experience with Infrastructure as Code (IaC) using Terraform to automate WAF and firewall security configurations.
  • Strong knowledge of Indicators of Compromise (IoC), OWASP Top 10, MITRE ATT&CK, and web security attack vectors.
  • Proficiency in Python, PowerShell, Terraform, or APIs for automation and threat response.
  • Experience integrating WAF and firewall security with SIEM (Splunk).
  • Strong troubleshooting, analytical, and problem-solving skills in web security, application security, and threat mitigation.
  • Bachelor’s degree in Computer Science, Information Systems, Software Engineering, Electrical or Electronics Engineering or comparable field of study, and/or equivalent work experience.

What will set you apart:

  • Relevant certifications, such as CISSP, GCIA, GCIH, GCED, or similar, are preferred.
  • Certified WAF Specialist, Palo Alto PCNSA/PCNSE, AWS Security Specialty, GIAC GWEB, CISSP.
  • Familiarity with GraphQL API security, WebSockets, and microservices-based architectures.
  • Prior experience in Red Team / Blue Team exercises focused on WAF security, Palo Alto firewall hardening, and DDoS testing.

***Applicants must be authorized to work for any employer in the U.S. We are unable to sponsor or take over sponsorship of an employment visa at this time, including CPT/OPT.***

What we offer you

We offer an array of diverse and inclusive benefits regardless of where you are in your career. We believe that providing our employees with the means to lead healthy balanced lives results in the best possible work performance.

  • Medical, dental, vision and life insurance
  • Retirement savings – 401(k) plan with generous company matching contributions (up to 6%), financial advisory services, potential company discretionary contribution, and a broad investment lineup
  • Tuition reimbursement up to $5,250/year
  • Business-casual environment that includes the option to wear jeans
  • Generous paid time off upon hire – including a paid time off program plus ten paid company holidays and three floating holidays each calendar year
  • Paid volunteer time — 16 hours per calendar year
  • Leave of absence programs – including paid parental leave, paid short- and long-term disability, and Family and Medical Leave (FMLA)
  • Business Resource Groups (BRGs) - internal networks that rally around common interest, experiences and identities such as race, ethnicity, gender, ability, military status and sexual orientation. BRGs play a vital role in educating and engaging our people and advancing our business priorities.

Base Salary Range

$123,000.00 - $178,350.00

The salary range above shows the typical minimum to maximum base salary range for this position in the location listed. Non-sales positions have the opportunity to participate in a bonus program. Sales positions are eligible for sales incentives, and in some instances a bonus plan, whereby total compensation may far exceed base salary depending on individual performance. Actual compensation offered may vary from posted hiring range based upon geographic location, work experience, education, licensure requirements and/or skill level and will be finalized at the time of offer.

Equal opportunity employer •  Drug-free workplace

We are an equal opportunity employer with a commitment to diversity.  All individuals, regardless of personal characteristics, are encouraged to apply.  All qualified applicants will receive consideration for employment without regard to age (40 and over), race, color, national origin, ancestry, sex, sexual orientation, gender, gender identity, gender expression, marital status, pregnancy, religion, physical or mental disability, military or veteran status, genetic information, or any other status protected by applicable state or local law. 

***For remote and hybrid positions you will be required to provide reliable high-speed internet with a wired connection as well as a place in your home to work with limited disruption. You must have reliable connectivity from an internet service provider that is fiber, cable or DSL internet. Other necessary computer equipment will be provided. You may be required to work in the office if you do not have an adequate home work environment and the required internet connection.***

Job Posting End Date at 12:01 am on:

03-28-2025

Want the latest money news and views shaping how we live, work and play? Sign up for Empower’s free newsletter and check out The Currency.

Tags: APIs Application security Audits Automation AWS Blue team CI/CD CISSP Cloud Cloudflare Compliance Computer Science DDoS DevSecOps ELK Firewalls GCED GCIA GCIH GDPR GIAC Governance Incident response IPS ISO 27001 JavaScript Microservices MITRE ATT&CK Network security NGFW NIST NIST 800-53 OWASP PCNSA PowerShell Python Red team SIEM SOAR Splunk Terraform Threat detection Threat intelligence Vulnerabilities Zero-day

Perks/benefits: Flex hours Flex vacation Gear Health care Home office stipend Insurance Medical leave Parental leave Signing bonus Team events

Region: North America
Country: United States
