Location: New York, NY (Downtown Manhattan)
Type: 12-month contract | 37.5 hrs / week
Work Setup: First month fully onsite; then hybrid (3 days onsite / 2 days remote)
Pay Rate: $100 per hour W2
Role
Join a cybersecurity team to design, implement, and run Privileged Access Management across AD / Entra ID, Linux, and major clouds (Azure, AWS, GCP). You'll reduce standing privilege, enable JIT access, and strengthen identity hygiene in a hybrid / multi-cloud environment.
What you'll do
Own and enhance the enterprise PAM / vault platform; manage privileged creds across on-prem and cloud.
Implement credential randomization and approval-based, time-bound access (least privilege / JIT).
Deploy endpoint privilege management (Windows / Linux / macOS) and application control to replace local admin rights.
Lead identity hygiene efforts: remove unauthorized admins, monitor stale / excessive privileges, and apply ITDR.
Contribute to Zero Trust architecture; align controls to NIST and org policies; expand MFA / SSO / passwordless.
Govern cloud privileged roles (Entra ID / Azure AD, AWS IAM, GCP IAM); integrate with session recording and approvals.
Collaborate with IGA to automate provisioning / deprovisioning and recertifications.
Maintain runbooks / diagrams; report on privileged access usage, hygiene metrics, and compliance.
Required Qualifications
3-5+ years in PAM / IAM / security engineering.
Hands-on with AD, Entra ID, Linux, and at least one cloud (Azure / AWS / GCP).
Experience with vaulting tech and endpoint least-privilege / privilege elevation.
Knowledge of MFA, SSO, passwordless, Kerberos, cert-based auth.
Familiarity with Zero Trust, NIST 800-63B, ITDR, and cloud benchmarks (CIS / CSA).
Scripting / automation with PowerShell, Python, Bash, Terraform.
Strong documentation and communication skills.
Preferred
Multi-cloud privileged access experience (Azure / AWS / GCP).
Entra Conditional Access / PIM, AWS IAM policies, GCP IAM roles.
PAM integrations with CI / CD, DevOps, or ITSM workflows.
Relevant certifications (e.g., CISSP, CISM, CCSP, Azure Security Engineer, AWS Security Specialty, GIAC, SailPoint).
Success looks like
Significant reduction of standing local admin rights and broader least-privilege adoption.
Increased use of MFA / passwordless, vault-based workflows, and controlled privilege elevation.
Clear, auditable reporting and improved compliance posture across on-prem and cloud.
Brandon Consulting Associates, Inc. is an EQUAL OPPORTUNITY EMPLOYER and has been in business for 29 years.
Management Engineer • United States