Cloud Security Researcher

About Us

We're building the future of cloud security- not another dashboard that tells you what's wrong, but a platform that actually fixes it.

Act Security helps organizations understand who and what can access their cloud resources, and gives them the tools to enforce precise, zero-trust policies- without breaking things. We map access paths across cloud environments, surface real risk, and enable teams to act on it safely. As AI becomes embedded in every digital asset, the attack surface is expanding- and we're building the infrastructure to secure it.

We're early-stage, well-funded and growing fast. If you want to build something meaningful from the ground up and see your work ship to production within days- this is the place.

Our Culture

We live by three values: Win, Learn, Have Fun. We play to win- we set ambitious goals and hold ourselves to high standards. We learn constantly- from customers, from each other, and from our mistakes. And we have fun doing it: we believe great work happens when people enjoy working together.

About The Role

We're looking for a Cloud Security Researcher to join our Research team and drive the technical core of our platform: understanding how access really works- and really breaks- across AWS, Azure, GCP, and the cloud-adjacent technologies built on top of them.

This is curiosity-driven security research. You'll dig into how cloud providers actually behave, uncover the implicit and undocumented mechanics that create real risk, find non-obvious access paths and privilege-escalation routes, and turn those findings into the detection logic, policies, and product capabilities our customers rely on. Your research won't sit in a slide deck- it ships.

What You'll Do

• Research how identity and network access work across AWS, Azure, and GCP- IAM, trust policies, SCPs/RCPs, permission boundaries, RBAC, VNet peering, Private Link, service endpoints, cross-account and cross-tenant paths- and uncover the behaviors and misconfigurations that lead to real exposure.
• Extend that research into additional cloud providers and the cloud-adjacent technologies layered on top- Kubernetes and container platforms, infrastructure-as-code, CI/CD pipelines, SaaS applications, identity providers, and secrets management- wherever access and risk cross boundaries.
• Research how AI is reshaping cloud access- the AI agents, workloads, and identities that now request and hold permissions- and how to secure the access sprawl that comes with them.
• Analyze large sets of cloud configuration and access data, modeling access paths in our graph to surface privilege escalation, lateral movement, and unintended reachability.
• Translate research into product: detection logic, policy and guardrail capabilities, and risk-classification frameworks that work against real customer environments.
• Prototype AI- and LLM-powered approaches that scale your research- automating analysis, surfacing risk, and generating policy and remediation guidance.
• Validate findings against live cloud environments and help shape new detections from what you uncover.
• Track the cloud threat landscape- new services, provider changes, public research, and real-world attack techniques- and feed it back into the roadmap.
• Partner closely with Product and Engineering to get findings into production, and represent the research externally through blogs, talks, and the security community.
  
  

• 3+ years of experience in cybersecurity, security research, or data analysis- the exact domain matters less than sharp analytical instincts and real curiosity about how systems work.
• Hands-on experience with at least one major cloud (AWS, Azure, or GCP) is a strong plus- and if cloud is newer to you, a genuine appetite to go deep on it.
• A solid grasp of security fundamentals: identity and access, network security, or how attackers find and exploit weaknesses.
• A track record of investigative, analytical work- digging into how things behave, finding patterns in data, and surfacing non-obvious findings.
• Strong sense of ownership, clear communication, and the ability to translate findings into real-world impact.
• Startup mindset- comfortable iterating quickly, owning ambiguity, and learning as you go.
  
  

• Experience with graph-based data or knowledge systems, especially for access-path or reachability analysis.
• Hands-on depth with cloud-adjacent technologies- Kubernetes, infrastructure-as-code, CI/CD, or SaaS and identity-provider security.
• Familiarity with applying AI/LLMs to security research and automation- we're an AI-native team and use these tools as part of how we build.