Staff Software Engineer, Container & VM Security

USD 320,000-485,000 per year
SENIOR
✅ Hybrid

Required Skills & Competences

Security @ 7, Docker @ 4, Go @ 6, Kubernetes @ 4, Linux @ 4, Python @ 6, Distributed Systems @ 4, Communication @ 7, Rust @ 6, Audit @ 4

Details

Anthropic’s mission is to create reliable, interpretable, and steerable AI systems. We want AI to be safe and beneficial for our users and for society as a whole. Our team is a quickly growing group of committed researchers, engineers, policy experts, and business leaders working together to build beneficial AI systems.

This role focuses on designing and implementing robust sandboxing solutions to protect AI infrastructure from untrusted workloads while preserving performance and usability. You'll work with virtualization and containerization technologies, architect secure-by-default systems that leverage Linux kernel isolation mechanisms, develop threat models, and build defenses against sophisticated attacks affecting container and VM isolation.

Responsibilities

  • Design and implement secure sandboxing architectures using virtualization (KVM, Xen, Firecracker, Cloud Hypervisor) and container technologies (OCI containers, gVisor, Kata Containers) to isolate untrusted workloads
  • Develop deep expertise in Linux kernel isolation mechanisms including namespaces, cgroups, seccomp, capabilities, and LSMs (SELinux/AppArmor) to build defense-in-depth strategies
  • Create comprehensive threat models for sandboxing infrastructure, identifying attack vectors and designing mitigations for container escapes, VM breakouts, and side-channel attacks
  • Build and maintain security policies and configurations for multi-tenant cloud environments, ensuring strong isolation between different workloads
  • Partner with infrastructure teams to implement secure-by-default patterns for deploying and managing containerized and virtualized workloads at scale
  • Develop monitoring and detection capabilities to identify potential security breaches or anomalous behavior within sandboxed environments
  • Lead security reviews of new sandboxing technologies and provide guidance on their adoption within infrastructure
  • Mentor other engineers on secure coding practices and sandboxing best practices
  • Contribute to security incident response efforts related to isolation and sandboxing
  • Collaborate with research teams to understand security requirements of AI workloads and develop appropriate isolation strategies

Requirements

  • 8+ years of experience in systems security, with deep expertise in virtualization and containerization security
  • Expert-level knowledge of Linux kernel isolation mechanisms and experience implementing them in production
  • Proven experience securing untrusted workloads in cloud settings (public cloud and private infrastructure)
  • Proficiency in systems programming languages (Go, Rust, C/C++, Python)
  • Hands-on experience with container runtimes (Docker, containerd, CRI-O) and orchestration platforms (Kubernetes)
  • Understanding of hypervisor internals and experience with VM security (QEMU/KVM, Xen, VMware, Hyper-V)
  • Experience designing and articulating complex threat models for distributed systems
  • Familiarity with cloud provider security models and their isolation guarantees
  • Strong communication skills for both technical and non-technical stakeholders

Strong candidates may also have

  • Experience with microVM technologies (Firecracker, Cloud Hypervisor) and their security properties
  • Knowledge of hardware-based security features (Intel TDX, AMD SEV, SGX) and confidential computing
  • Contributions to open-source security projects related to containerization or virtualization
  • Experience with eBPF for security monitoring and enforcement
  • Understanding of AI/ML workload characteristics and their unique security requirements
  • Track record of identifying and responsibly disclosing security vulnerabilities in virtualization or container platforms
  • Experience building security tooling and automation for large-scale infrastructure
  • Background in formal verification or security research

Representative projects

  • Design a multi-layered sandboxing architecture combining VMs and containers to safely execute untrusted AI-generated code
  • Implement runtime security policies using seccomp, AppArmor, and SELinux to minimize container attack surface
  • Build a threat detection system that identifies potential container escape attempts using eBPF and kernel audit logs
  • Create secure defaults and guardrails for Kubernetes deployments to prevent privilege escalation and lateral movement
  • Develop automated security testing for sandboxing infrastructure to continuously validate isolation properties
  • Architect network isolation strategies using CNI plugins and cloud-native firewalling to segment workloads

Compensation & Logistics

  • Annual base salary: $320,000 - $485,000 USD
  • Total compensation package includes equity, benefits, and may include incentive compensation
  • Education: Bachelor's degree in a related field or equivalent experience required
  • Location-based hybrid policy: staff expected to be in an office at least 25% of the time (some roles may require more)
  • Visa sponsorship: We do sponsor visas where feasible and retain immigration counsel to assist

How to apply

Applications are reviewed on a rolling basis. Anthropic encourages applicants from diverse backgrounds to apply and welcomes candidates who may not meet every listed qualification.