Senior Privileged Access Management (PAM) Engineer

Privileged Access Management (PAM) Engineer – Job Description

Position Overview

We are growing! GuidePoint Security is hiring a PAM Engineer to join our implementation team on a full-time basis. This is a fully remote role where we are looking for relevant experience with Delinea/Thycotic, CyberArk or BeyondTrust.

The Privileged Access Management (PAM) Engineer is responsible for designing, deploying, administering, and optimizing enterprise-grade PAM solutions with a primary focus on Delinea Secret Server, CyberArk Privileged Cloud, and modern PAM practices. This role ensures secure management of privileged accounts, service accounts, credentials, secrets, and high-risk access workflows across the organization. The engineer will work closely with security, infrastructure, DevOps, and application teams to implement and maintain advanced PAM controls and best practices.

Key Responsibilities

• Deploy, configure, manage, and support Delinea Secret Server (On-Prem/Cloud) and CyberArk Privileged-Cloud environments.
• Manage vaulting, onboarding, and lifecycle governance for privileged, shared, and service accounts.
• Maintain password rotation policies, session management, access workflows, and security controls.
• Implement and oversee privileged session monitoring, session recording, and behavioral alerts.
• Ensure adherence to least-privilege and Zero-Trust principles for all privileged identities.

Modern PAM & Non-Human Identity Management (NHIM)

• Support modern PAM capabilities such as: Just-in-Time (JIT) privilege elevation; Ephemeral and dynamic credentials; Secrets management APIs / integrations; Cloud-native privileged access management; Credential discovery, scanning, and risk classification; Hybrid identity governance for machine accounts
• Assist in building automated credential workflows for CI/CD pipelines and DevOps systems.

Technical Implementation & Engineering

• Integrate PAM platforms with AD/LDAP, Azure AD, SSO/IDP, SIEM, MFA, ticketing systems, and cloud services (AWS/Azure/GCP).
• Onboard new systems, servers, applications, databases, and network devices to Delinea and CyberArk.
• Configure connectors, distributed engines, secrets management API endpoints, and credential plugins.
• Develop automation for onboarding, rotation, and monitoring using PowerShell, Python, or REST APIs.

Minimum Qualifications

• Bachelor’s degree in Computer Science, Information Security, or related field — or equivalent work experience.
• 3–5+ years of experience in Privileged Access Management engineering or Consulting
• Hands-on experience with Delinea Secret Server (on-prem or cloud) including password rotation, connectors, RBAC, and auditing.
• Experience in implementing CyberArk Privileged Cloud (or CyberArk CorePAS)
• Strong understanding of privileged account governance, password rotation, service account automation, and session management.
• Experience with Windows/Linux server administration and Active Directory.
• Familiarity with scripting (PowerShell, Python) and REST APIs.
• Knowledge of common security frameworks and access control principles.

Preferred Qualifications

• 3-5 years of IT Professional services and consulting experience
• Professional certifications such as: Delinea Certified Engineer; CyberArk Defender / CyberArk Sentry / Guardian; CISSP, CISM, Security+, CCSP, or similar
• Exposure to modern PAM capabilities: Ephemeral access; Credential-less access; Cloud secrets management; Certificate lifecycle management
• Experience integrating PAM with DevOps pipelines (Jenkins, GitHub, Azure DevOps, GitLab).
• Background in cloud security for AWS, Azure, and/or GCP.
• Experience in NHIM/Machine Identity Governance tools.
• Ability to design PAM architectures and drive enterprise-wide PAM programs.