Cloud Network Security Senior Engineer @SAP

We help the world run better

At SAP, we enable you to bring out your best. Our company culture is focused on collaboration and a shared passion to help the world run better. How? We focus every day on building the foundation for tomorrow and creating a workplace that embraces differences, values flexibility, and is aligned to our purpose-driven and future-focused work. We offer a highly collaborative, caring team environment with a strong focus on learning and development, recognition for your individual contributions, and a variety of benefit options for you to choose from.

The Role

As a Cloud Network Security Engineer with deep focus on Web Application Firewall (WAF) rule tuning, DDoS mitigation, and cloud-native policy-as-code, you will play a critical role in designing, implementing, and maintaining robust cloud perimeter and workload protection strategies. You will own the continuous improvement of WAF rule sets, Network Security Groups (NSGs), security policies, DDoS detection and mitigation strategies, and threat detection logic—all delivered and maintained as code.

Key Responsibilities

Cloud WAF Design & Tuning
 

• Define and implement WAF strategies using native services (e.g., AWS WAF, Azure WAF, Google Cloud Armor).
• Conduct detailed analysis and tuning of WAF rules to reduce false positives while maintaining strong protections against OWASP Top 10 threats and custom application vulnerabilities.
• Collaborate with application security and DevSecOps teams to align WAF configurations with business logic and risk profiles.
   

• Develop and continuously improve DDoS prevention and mitigation strategies across cloud platforms and network layers (L3, L4, L7).
• Monitor DDoS metrics and anomalies, validate mitigation effectiveness, and fine-tune thresholds and countermeasures to balance security and legitimate traffic.
• Collaborate with SOC and threat intelligence teams to investigate and respond to DDoS incidents, perform post-attack analysis, and produce mitigation reports.
   

• Implement and manage cloud network and security controls as code using tools such as Terraform, AWS CDK, Azure Bicep, or Pulumi.
• Maintain and audit security group, firewall, routing, and DDoS protection policies across AWS, Azure, and GCP for consistency and compliance.
• Automate the deployment, validation, and rollback of security policies within CI/CD pipelines.
   

• Work closely with security operations and observability teams to ensure that WAF and DDoS logs, alerts, and security policy changes are captured, structured, and integrated into SIEM platforms (e.g., Splunk, ELK).
• Analyze WAF/network logs and DDoS telemetry to identify patterns of abuse, misconfiguration, or performance degradation.
   

• Define standards and templates for cloud firewall, WAF, and DDoS configurations to meet internal security baselines and external compliance requirements (e.g., ISO 27001, SOC 2, GDPR).
• Participate in security reviews, audits, and risk assessments related to cloud networking, application ingress security, and DDoS defenses.
   

• Partner with application owners, cloud engineers, and DevOps teams to provide secure-by-default network access and DDoS-resilient designs.
• Provide L2/L3 support for escalated security incidents, change requests, or false positives related to WAF and DDoS protections.
   

• Bachelor's degree in Computer Science, Cybersecurity, or related field.
• 5+ years of experience in cloud security engineering or network security roles.
• Expert-level hands-on experience with cloud-native WAF solutions: AWS WAF, Azure WAF, Google Cloud Armor.
• Deep understanding of WAF rule tuning, threat signatures, regex patterns, anomaly detection, and DDoS attack vectors and mitigation techniques.
• Proficient in network security configurations including NSGs, firewalls, VPC/Subnet security, and zero-trust principles.
• Experience with Infrastructure-as-Code and Policy-as-Code using Terraform, AWS CDK, Bicep, or equivalent.
• Solid scripting skills (Python, Bash, etc.) for automation, custom tooling, and DDoS mitigation orchestration.
• Familiarity with DevSecOps practices and integrating security controls into CI/CD pipelines.
• Experience with multi-cloud environments (AWS, Azure, GCP) and hybrid networks.
   

• Cloud certifications (e.g., AWS Security Specialty, Azure Security Engineer Associate, GCP Professional Cloud Security Engineer).
• Experience with security frameworks like MITRE ATT&CK, CIS Benchmarks, and NIST 800-53.
• Knowledge of API security testing and DDoS mitigation strategies.
• Experience working with SIEM platforms and log analytics for WAF incident detection.
• Contributions to open-source security tools or WAF rule sets.
   

• Be a part of a world-class cloud security engineering team shaping the security of critical infrastructure.
• Solve complex problems in a high-scale, multi-cloud enterprise environment.
• Drive meaningful impact on the resilience and trustworthiness of business-critical applications

Benefits

• Performance bonus
• Annual bonus
• Medical subscription
• Dental subscription
• Flexible work schedule
• Meal vouchers