SAP Cloud Network Security Senior Engineer WAF DDoS Focus 

Czechia, Prague, Prague 

592448978

The Role:

As a Cloud Network Security Engineer with deep focus on Web Application Firewall (WAF) rule tuning, DDoS mitigation, and cloud-native policy-as-code, you will play a critical role in designing, implementing, and maintaining robust cloud perimeter and workload protection strategies. You will own the continuous improvement of WAF rule sets, Network Security Groups (NSGs), security policies, DDoS detection and mitigation strategies, and threat detection logic—all delivered and maintained as code.

Key Responsibilities

Cloud WAF Design & Tuning

• Define and implement WAF strategies using native services (e.g., AWS WAF, Azure WAF, Google Cloud Armor).
• Conduct detailed analysis and tuning of WAF rules to reduce false positives while maintaining strong protections against OWASP Top 10 threats and custom application vulnerabilities.
• Collaborate with application security and DevSecOps teams to align WAF configurations with business logic and risk profiles.

DDoS Detection, Mitigation & Validation

• Develop and continuously improve DDoS prevention and mitigation strategies across cloud platforms and network layers (L3, L4, L7).
• Monitor DDoS metrics and anomalies, validate mitigation effectiveness, and fine-tune thresholds and countermeasures to balance security and legitimate traffic.
• Collaborate with SOC and threat intelligence teams to investigate and respond to DDoS incidents, perform post-attack analysis, and produce mitigation reports.

Security Policy-as-Code

• Implement and manage cloud network and security controls as code using tools such as Terraform, AWS CDK, Azure Bicep, or Pulumi.
• Maintain and audit security group, firewall, routing, and DDoS protection policies across AWS, Azure, and GCP for consistency and compliance.
• Automate the deployment, validation, and rollback of security policies within CI/CD pipelines.

Monitoring, Visibility & Threat Detection

• Work closely with security operations and observability teams to ensure that WAF and DDoS logs, alerts, and security policy changes are captured, structured, and integrated into SIEM platforms (e.g., Splunk, ELK).
• Analyze WAF/network logs and DDoS telemetry to identify patterns of abuse, misconfiguration, or performance degradation.

Security Governance & Compliance

• Define standards and templates for cloud firewall, WAF, and DDoS configurations to meet internal security baselines and external compliance requirements (e.g., ISO 27001, SOC 2, GDPR).
• Participate in security reviews, audits, and risk assessments related to cloud networking, application ingress security, and DDoS defenses.

Collaboration & Support

• Partner with application owners, cloud engineers, and DevOps teams to provide secure-by-default network access and DDoS-resilient designs.
• Provide L2/L3 support for escalated security incidents, change requests, or false positives related to WAF and DDoS protections.

What You Bring

• Bachelor's degree in Computer Science, Cybersecurity, or related field.
• 5+ years of experience in cloud security engineering or network security roles.
• Expert-level hands-on experience with cloud-native WAF solutions: AWS WAF, Azure WAF, Google Cloud Armor.
• Deep understanding of WAF rule tuning, threat signatures, regex patterns, anomaly detection, and DDoS attack vectors and mitigation techniques.
• Proficient in network security configurations including NSGs, firewalls, VPC/Subnet security, and zero-trust principles.
• Experience with Infrastructure-as-Code and Policy-as-Code using Terraform, AWS CDK, Bicep, or equivalent.
• Solid scripting skills (Python, Bash, etc.) for automation, custom tooling, and DDoS mitigation orchestration.
• Familiarity with DevSecOps practices and integrating security controls into CI/CD pipelines.
• Experience with multi-cloud environments (AWS, Azure, GCP) and hybrid networks.

Bonus Points

• Cloud certifications (e.g., AWS Security Specialty, Azure Security Engineer Associate, GCP Professional Cloud Security Engineer).
• Experience with security frameworks like MITRE ATT&CK, CIS Benchmarks, and NIST 800-53.
• Knowledge of API security testing and DDoS mitigation strategies.
• Experience working with SIEM platforms and log analytics for WAF incident detection.
• Contributions to open-source security tools or WAF rule sets.

Why Join Us

• Be a part of a world-class cloud security engineering team shaping the security of critical infrastructure.
• Solve complex problems in a high-scale, multi-cloud enterprise environment.
• Drive meaningful impact on the resilience and trustworthiness of business-critical applications

​

We win with inclusion

Successful candidates might be required to undergo a background verification with an external vendor.

Job Segment:Cloud, Network Security, Testing, ERP, Open Source, Technology, Security