Senior Principal Security Architect

<div class="content-intro"><p><strong>Who we are</strong></p> <p>At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.</p> <p><strong>What we do</strong></p> <p>The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!</p></div><p><strong>Role overview</strong></p> <p>As a Senior Principal Security Architect, you will be the technical visionary for our software and cloud security posture. This is a "force multiplier" role designed to bridge the gap between high-level business strategy and deep-level engineering execution. You won't just be finding vulnerabilities; you will be architecting the "paved roads" that make it easy for our developers to build secure products by default. You will work closely with our senior application and cloud security engineers across the entire software development organization to design secure-by-default systems, shared libraries, and cloud infrastructure that protect our customers and our brand.</p> <p><strong>What you'll do</strong></p> <ul> <li>Lead the design of secure-by-default cloud patterns (AWS/GCP) and product features, ensuring security is integrated into the earliest stages of the design phase.</li> <li>Design and oversee the development of common security libraries—standardized AuthN/AuthZ, encryption wrappers, and input validation frameworks—that allow developers to ship code quickly and safely.</li> <li>Act as a technical partner to the CTO and Heads of Engineering, aligning security initiatives with business velocity and innovation.</li> <li>Lead complex threat modeling for high-stakes projects, identifying systemic architectural weaknesses and engineering them out of existence.</li> <li>Define and implement guardrails for Infrastructure as Code (IaC) and container orchestration (Kubernetes) to maintain a zero-trust environment at scale.</li> <li>Serve as the ultimate technical escalation point and mentor for our senior security engineers, fostering a culture of technical excellence across the organization.</li> </ul> <p><strong>What you'll bring</strong></p> <ul> <li>12+ years of experience in cybersecurity, with at least 6 years focused on security architecture or lead engineering roles within a fast-paced product environment.</li> <li>Expert-level knowledge of cloud-native security (IAM policies, VPC design, KMS, Secrets Management, and Workload Identity).</li> <li>You can write production-grade code in at least two major languages (e.g., Go, Python, Java, or Rust) and have a proven track record of building shared libraries.</li> <li>You have a passion for solving security problems at the root. You don't just fix a bug; you redesign the system to eliminate the entire class of vulnerability.</li> <li>You can explain complex cryptographic primitives or architectural trade-offs to non-technical stakeholders and developers with equal clarity.</li> <li>Deep understanding of OAuth2, OIDC, SAML, and cryptographic primitives (mTLS, AES-GCM, ECC).</li> <li>Experience with zero-trust architecture implementation in a large-scale ... (truncated, view full listing at source)