MSP4, LLC | Full-Time | Remote (United States) | Travel up to 25% | 6+ years experience
MSP4 operates as the embedded IT department for a portfolio of clients spanning professional services, legal, distribution, manufacturing, and government sectors. Environments range from 50 to 1,500 users and carry real compliance weight: CMMC L2, NIST 800-171, and SOC 2 are active requirements across this client base.
This role owns network and security engineering across that portfolio. You design, deploy, and maintain firewall, switching, routing, and SD-WAN infrastructure for environments with serious uptime and regulatory requirements. The role requires platform depth across Palo Alto, Fortinet, and Cisco. Security posture work, including segmentation, policy review, compliance evidence, and hardening, is core to the role. Design authority sits with our Principal Solutions Architect. The expectation is precise execution, thorough documentation, and sound judgment applied within established architecture.
Remote within the United States, with travel up to 25% for major client project deployments. Day-to-day work is executed remotely.
-
Design and implement network and security infrastructure across multi-site environments: campus, branch, datacenter, and cloud-connected architectures.
-
Manage firewall platforms at scale: Palo Alto with Panorama, Fortinet with FortiManager, Cisco ASA/FTD, Juniper SRX, and Sophos XG/XGS.
-
Configure and maintain enterprise switching and routing (BGP, OSPF, HSRP/VRRP, VLANs, spanning tree, QoS) across Cisco Catalyst/Nexus, Juniper EX, Aruba, and Meraki platforms.
-
Implement and manage SD-WAN solutions, including failover design, policy routing, and carrier diversity.
-
Apply network segmentation, micro-segmentation, and zero-trust access controls in support of CMMC L2, NIST 800-171, and SOC 2 compliance requirements.
-
Conduct firewall policy audits, rule cleanup, and hardening reviews; produce documentation that satisfies compliance evidence requirements.
-
Support VPN and remote access infrastructure (IPsec, SSL/TLS, GlobalProtect, FortiClient) across client environments.
-
Respond to network security incidents, assist with forensic review, and implement corrective controls.
-
Integrate network security tooling: IDS/IPS, NAC (Cisco ISE, Aruba ClearPass), SIEM log forwarding, and event correlation.
-
Translate compliance requirements into network policy: map NIST 800-171 and CMMC L2 controls to firewall rules, segmentation boundaries, and access enforcement.
-
Produce network diagrams, runbooks, and change documentation that meet audit standards and enable other engineers to maintain what you build.
-
Travel to client sites up to 25% for major project-based deployments.
Candidates are scored against these. Categories: Technical, Functional, Consulting, Credentials.
#
Qualification
Category
Description
1
Firewall platform depth
Technical
Hands-on policy management at scale on at least two of Palo Alto with Panorama, Fortinet with FortiManager, Cisco ASA/FTD, Juniper SRX, or Sophos XG/XGS.
2
Routing
Technical
Operational depth in BGP, OSPF, EIGRP, and first-hop redundancy (HSRP/VRRP) across multi-site environments.
3
Switching
Technical
VLANs, 802.1Q trunking, spanning tree variants, and QoS across Cisco Catalyst/Nexus, Juniper EX, Aruba, or Meraki.
4
SD-WAN
Technical
Design and operation of SD-WAN: failover design, policy routing, and carrier diversity.
5
VPN and remote access
Technical
IPsec, SSL/TLS, GlobalProtect, and FortiClient remote access design and administration.
6
Network segmentation and zero trust
Technical
Segmentation, micro-segmentation, and zero-trust access enforcement applied to regulated environments.
7
Network security tooling
Technical
IDS/IPS, NAC (Cisco ISE, Aruba ClearPass), SIEM integration, and log forwarding.
8
Datacenter networking
Technical
Top-of-rack switching, spine/leaf topologies, and VXLAN.
9
Compliance translation
Functional
Translating NIST 800-171 and CMMC L2 network controls into firewall policy, segmentation, and access enforcement.
10
Compliance audit support
Functional
Producing audit-ready network diagrams, access-control evidence, and firewall policy documentation; SOC 2 Type II as the common baseline.
11
Multi-client service delivery
Functional
Maintaining consistent security posture across varied client environments under established standards.
12
Documentation discipline
Consulting
Network diagrams, firewall policy documentation, change records, and audit-ready evidence packages another engineer can follow and an auditor can rely on.
13
Executes within an owned framework
Consulting
Reads and applies architecture standards set by others without requiring constant design input.
14
Production experience
Credentials
6+ years network and security engineering in multi-site production environments across professional services, manufacturing, distribution, legal, or government.
15
US-person status
Credentials
US citizen, US national, lawful permanent resident, or protected individual (refugee or asylee) under US law. Required for CUI and export-controlled system access under CMMC L2. Authorization to work in the US is not sufficient: a work visa (H-1B, L-1, TN), OPT/CPT, or an Employment Authorization Document does not satisfy this requirement.
16
Network and security certifications
Credentials
PCNSE, Fortinet NSE 4 or higher, CCNP Enterprise or Security, or JNCIS. A plus, not a requirement.
Required. Absence screens the candidate out.
-
6+ years network and security engineering in multi-site production environments (matrix #14).
-
US-based work location and US-person status (matrix #15). You must qualify as a US person: US citizen, US national, lawful permanent resident (green card holder), or protected individual (refugee or asylee) under US law. Authorization to work in the United States is not sufficient on its own. A non-immigrant work visa (H-1B, L-1, TN, and similar), F-1 OPT/CPT, or an Employment Authorization Document does not meet this requirement. This role's access to Controlled Unclassified Information and export-controlled systems is restricted to US persons under CMMC L2 and US export control regulations (ITAR / EAR).
-
Hands-on firewall depth on at least two major platforms, including policy management at scale (matrix #1).
-
Routing and switching fluency at operational depth (matrix #2, #3).
-
VPN and remote access design and administration (matrix #5).
-
Compliance audit support, including audit-ready network diagrams and access-control evidence (matrix #10).
-
Ability to read and apply architecture standards set by others without constant design input (matrix #13).
Preferred. Strengthens a candidate, never screens one out.
-
SD-WAN design and operation (matrix #4).
-
Network segmentation, micro-segmentation, and zero-trust enforcement in regulated environments (matrix #6).
-
Network security tooling: IDS/IPS, NAC, SIEM integration (matrix #7).
-
Datacenter networking: spine/leaf, VXLAN, top-of-rack (matrix #8).
-
Certifications: PCNSE, Fortinet NSE 4+, CCNP Enterprise or Security, JNCIS (matrix #16).
-
Prior multi-client / MSP service delivery experience (matrix #11).
Competency
Behavioral indicator
Executes within the framework
Delivers clean work inside the Principal's design framework; pushes back when something is wrong, does not redesign on personal preference.
Holds security posture to a standard
Keeps a client's segmentation, firewall policy, and access controls at the defined standard rather than letting drift accumulate between audits.
Forward-deployed ownership
Owns the outcome at the client in front of them; carries that client's context into every change.
Documentation discipline
Leaves behind audit-ready diagrams, policy records, and evidence that let another engineer maintain the work and an auditor rely on it.
Judgment under audit
Exercises consistent, defensible judgment that holds up across a multi-client portfolio and under audit.
MSP4 does not operate like a traditional IT department or a ticket-centric help desk. We function as embedded IT leadership for our clients, accountable to their outcomes.
Our Principal Solutions Architect owns the design framework. Engineers at every level, including senior, execute within that framework. The tier structure keeps a multi-client portfolio consistent and audit-ready. Candidates who need design authority to feel effective should pass on this role. Candidates who find satisfaction in high-quality execution and in earning client trust through reliability will do well here.
We are building the operating model in real time. Some processes are documented; others are being written as we go. People here help shape what does not yet exist while executing reliably within what does.
MSP4, LLC provides infrastructure, security, and IT advisory services to mid-market professional services, manufacturing, distribution, legal, and government clients across the United States. Our commercial practice and regulated practice serve organizations with serious compliance requirements including SOC 2 Type II and CMMC Level 2.
We are a small team. Every person on it has direct impact on client outcomes. The ladder is tiered for scope and audit; access is not. Everyone here has direct access to everyone else, up to and including the CEO.
-
Remote within the United States. Day-to-day work is executed remotely.
-
Travel up to 25% for major client project deployments.
-
US-based work location and US-person status required. You must qualify as a US person: US citizen, US national, lawful permanent resident, or protected individual (refugee or asylee) under US law. Authorization to work in the United States is not sufficient on its own; a non-immigrant work visa (H-1B, L-1, TN), F-1 OPT/CPT, or an Employment Authorization Document does not qualify. Access to Controlled Unclassified Information and export-controlled systems is restricted to US persons under CMMC L2 and US export control regulations (ITAR / EAR). See Required for the full definition.
-
Extended periods at a computer performing configuration, policy, and documentation work; occasional on-site work in client server rooms and data closets during deployments.
MSP4, LLC is an equal opportunity employer. All qualified applicants receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, protected veteran status, or any other characteristic protected by applicable federal, state, or local law.
Alongside your resume, submit a one-page cover page in PDF. Name the file CoverPage_LastName_FirstName_SeniorNetworkSecurityEngineer.pdf. Include a header line with your name, the date, and the JD version string shown at the bottom of this posting.
On the cover page, answer the following in order:
-
Describe one architecture or operational decision you disagreed with at a prior role. What was your position, what did you do about it, and how did it resolve?
-
Name one platform or technology listed in this JD where your depth is shallow. Describe how you would come up to speed in your first 90 days.
Close with the following statement exactly: "I understand that design authority for this role sits with the Principal Solutions Architect, and that my role is to execute within that framework."
One page. PDF only.
JD v4.0. Retain this version string on your cover page.