Our client, an IT Services organization supporting commercial and federal clients, is seeking Network Security Engineer with Skyhigh SWG Proxy experience. This role is 100% remote and can be anywhere in the US.

Responsibilities / Scope:

- Operate & Engineer
- Own SWG policy lifecycle: design - peer review - test - deploy - validate. Keep hierarchy sane; keep lists accurate and minimal.
- Maintain TLS inspection posture and exception handling (pinning-safe), with documented rationale and owner for each exception.
- Troubleshoot at Scale
- Lead packet-through-analytics investigations; produce clear RCAs with captures, logs, and sequence diagrams.
- Harden & Improve
- Reduce legacy exceptions, remove dead objects, and optimize PAC/WPAD logic.
- Keep rollback plans and versioned artifacts for every material change.
- Deliverables (acceptance = artifact exists and is technically correct)
o Current-State Assessment (-30 days): Inventory of SWG policies, objects/lists, TLS inspection posture, PAC/WPAD flow, and key data paths; gap list with remediation proposals.
o Runbooks & Tests (-60-90 days):
o Troubleshooting runbooks (auth failures, TLS errors, PAC issues, proxy vs origin error differentiation).
o PCRE test suite with regression cases and performance gates.
o Change checklist with rollback criteria and canary plan.
o Quarterly Hygiene Pack: Exception review (add/remove decisions with owners), object cleanup report, and prioritized improvement backlog.
o Incident RCAs: For P1/P2 proxy incidents, RCA within 5 business days with evidence and corrective actions.
- Evaluation / Verification
o Live Exercise: Given a synthetic outage (e.g., SSO app fails behind TLS inspection), isolate cause using packet capture + logs and propose a safe change with rollback.
o PCRE Test: Author a performant pattern for a non-trivial URL/classification case; demonstrate why it won-t backtrack catastrophically.
o Policy Review: Walk through a hierarchy change (lists, inheritance, bypass logic) and defend design/rollback-clarity over theatrics.

Required Skills

- Must be US Citizen due to government clearance requirement
- Must be eligible for Public Trust (active DoD Secret is a plus)

Mandatory Qualifications
- Skyhigh SWG (SkyHigh)
- 3+ years administering Skyhigh Secure Web Gateway in production (>10k users).
- Expert in policy hierarchy/inheritance, object & list management, staged rollout (test-pilot-prod), logging export, versioning, rollback.
- Proxy Engineering
- Forward/reverse proxy modes; explicit vs transparent; PAC/WPAD design and distribution.
- SSL/TLS inspection: cert chains, pinning impacts, ALPN, HTTP/2 behavior, auth flows (Kerberos/NTLM, SAML/OIDC).
- Safe bypass strategies (domain/SNI/IP/risk-based) without degrading coverage.
- Layer 3 & Internet Fundamentals
- Routing & addressing (CIDR, MTU/fragmentation/PMTUD, NAT44/66, VRFs), basic BGP/OSPF, DNS recursion/forwarding and failure modes.
- Ports & Protocols
- TCP/UDP behavior, ephemeral ranges, TLS handshake/SNI, and middlebox interactions (no QUIC/HTTP-3 requirement).
- PCRE
- Writes and reviews complex PCRE (lookarounds, backreferences, atomic groups) with an eye for performance (avoid catastrophic backtracking).
- Troubleshooting: Packets + Analytics
- tcpdump/Wireshark proficiency (TLS/HTTP analysis, TCP dynamics).
- Log correlation at scale (e.g., Splunk/ELK) to isolate issues off-box (client, network, IdP, upstream).
- Can distinguish origin responses vs proxy-generated errors and document root cause.
- Communication & Prioritization
- Clear stakeholder comms; triage correctly under load-doesn-t treat every noisy issue as P1.