Senior Engineer - Privileged Access Management

AHEAD is searching for a Senior Privileged Access Management (PAM) Engineer to be a part of our Managed Services team. This individual will lead the design, implementation, and ongoing operations of multi-tenant PAM solutions for our MSP customers, with a primary focus on the BeyondTrust platform.

The Senior PAM Engineer will architect secure privileged access workflows, implement enterprise-grade BeyondTrust capabilities (such as password vaulting, session management, and least-privilege endpoint controls), integrate PAM with customer identity and ITSM platforms, and serve as the subject matter expert for privileged access across our managed services portfolio.

This role requires deep technical expertise in PAM concepts and BeyondTrust technologies, strong security and infrastructure fundamentals, and the ability to lead cross-functional initiatives with customers and internal teams. The ideal candidate will have extensive experience designing and operating PAM solutions in multi-customer environments, strong scripting and automation skills, and a consulting mindset suited to Managed Services delivery.

• Lead architecture and design of multi-tenant BeyondTrust PAM services for MSP customers, including onboarding of new tenants and standardization of service offerings.
• Architect secure privileged access workflows for infrastructure, applications, databases, cloud platforms, and network devices, aligned to least-privilege principles and regulatory requirements.
• Implement and maintain BeyondTrust Password Safe and related components, including:
  
  
  
  • Discovery and onboarding of privileged accounts and systems
  • Password rotation policies and check-in/check-out workflows
  • Session brokering, recording, and real-time monitoring
  • Approval workflows and just-in-time (JIT) access
  
  
  
  
• Implement and maintain BeyondTrust Privilege Management for endpoints and servers (Windows and Linux/Unix), including policy design, deployment, and tuning to minimize user/admin friction while enforcing least privilege.
• Design and maintain highly available and secure BeyondTrust infrastructure, including clustering, scaling, upgrades, patching, and disaster recovery strategies across customer environments.
• Integrate PAM with identity and security platforms, including:
  
  
  
  • Active Directory / Entra ID / LDAP and other directories for authentication and group-based access
  • MFA/SSO platforms using SAML/OIDC/OAuth2
  • SIEM and logging platforms for monitoring and alerting on privileged activity
  • ServiceNow and other ITSM tools for request, approval, and ticket correlation workflows
  
  
  
  
• Develop and maintain automation and tooling (e.g., PowerShell, Python, REST APIs) to:
  
  
  
  • Accelerate onboarding and lifecycle management of privileged accounts and systems
  • Enforce configuration standards and policies at scale
  • Generate reports and dashboards for compliance and operational KPIs
  
  
  
  
• Lead end-to-end customer onboarding to the PAM service, including:
  
  
  
  • Requirements gathering, use case definition, and risk assessment
  • Designing onboarding playbooks and standard reference architectures
  • Coordinating with internal and customer teams to implement and validate PAM controls
  
  
  
  
• Define and maintain standardized PAM policies and baselines across customer environments, including credential management, access approval patterns, session monitoring, and privileged elevation rules.
• Conduct security and risk assessments of existing privileged access practices, recommend remediation plans, and track execution to closure.
• Serve as subject matter expert and escalation point for PAM-related incidents and service requests, including troubleshooting BeyondTrust platform issues and complex access problems.
• Collaborate with security, infrastructure, network, and application teams (internal and customer) to ensure PAM controls are aligned with broader security architecture and operational requirements.
• Develop and maintain comprehensive documentation, including:
  
  
  
  • Platform architectures and configuration standards
  • Customer-specific runbooks and operational procedures
  • Onboarding and migration playbooks
  • Knowledge base articles and FAQs for internal and customer use
  
  
  
  
• Provide mentoring and guidance to team members on PAM concepts, BeyondTrust best practices, and secure operations in a managed services context.
• Communicate with customers and internal stakeholders with transparency, providing regular status updates, risk/issue visibility, and technical recommendations.
• Complete training and certification as assigned to further skills and knowledge, including PAM and BeyondTrust-specific certifications where applicable.
• *Other job duties as assigned

• Minimum Required - A college degree or equivalent in Information Systems, Computer Science, Cybersecurity, or a related field. Unique education, specialized experience, skills, knowledge, training, or certification may be substituted for formal education.
• Minimum of 7 years of related experience in IT operations, infrastructure engineering, or cybersecurity, with significant hands-on responsibility for privileged access controls in enterprise environments.
• 3+ years of direct experience designing, implementing, and operating PAM solutions (BeyondTrust strongly preferred; experience with platforms such as CyberArk or Delinea is a plus).
• Experience delivering services in a managed services or consulting capacity, including direct customer engagement and multi-tenant or multi-customer environments.
• Demonstrated experience leading technical initiatives, driving cross-functional projects, and mentoring junior team members.
• Experience working with regulated or compliance-driven environments (e.g., SOX, PCI DSS, HIPAA, ISO 27001) and supporting audit and evidence collection for privileged access controls.

• Excellent written and verbal communication skills and ability to build and maintain collaborative, positive working relationships at all levels (technical and business stakeholders).
• Strong understanding of information security principles, including least privilege, separation of duties, identity and access management, and secure system design.
• Deep knowledge of PAM concepts and practices, including privileged account discovery, credential vaulting, session management, just-in-time access, and privileged elevation.
• Hands-on experience with BeyondTrust products in production environments, ideally including:
  
  
  
  • BeyondTrust Password Safe (or BeyondInsight platform)
  • BeyondTrust Privilege Management for Windows and Unix
  • BeyondTrust Remote Support or similar tools
  
  
  
  
• Strong understanding of authentication and authorization protocols (e.g., Kerberos, NTLM, LDAP, RADIUS, SAML, OAuth2/OIDC, API key management) and their application in PAM architectures.
• Experience integrating PAM platforms with:
  
  
  
  • Active Directory / Entra ID / LDAP and group-based access models
  • MFA/SSO solutions
  • SIEM and logging tools for monitoring privileged activity
  
  
  
  
• ServiceNow or similar ITSM systems for request and approval workflows
• Strong scripting and automation skills (e.g., PowerShell, Python, Bash) and experience using REST APIs to integrate and automate PAM workflows.
• Experience with Windows and Linux operating systems, including server and workstation platforms, and common administrative tools used by privileged users.
• Knowledge of enterprise IT systems including Active Directory, networking, firewalls, storage, compute, virtualization, and cloud services, and how privileged access is managed across these domains.
• Familiarity with monitoring and observability platforms (e.g., Elastic, LogicMonitor or similar) to track PAM infrastructure health and performance.
• Experience working in Scrum/Agile environments and contributing to structured delivery processes, including backlog grooming, sprint planning, and tracking work against clear acceptance criteria.
• Strong analytical and problem-solving skills, with the ability to troubleshoot complex issues across application, infrastructure, and security layers.
• Demonstrated ability to prioritize and manage multiple concurrent efforts in a fast-paced managed services environment.