diff --git a/protocol/types.go b/protocol/types.go
index d3abdea..0633a25 100644
--- a/protocol/types.go
+++ b/protocol/types.go
@@ -247,6 +247,19 @@ func (e ExecutorRef) RequiresAttestation() bool {
 	}
 }
 
+func ExecutorMatchesPlacementRequirements(executor ExecutorRef, req PlacementRequirements) bool {
+	if req.ExecutorProvider != "" && executor.Provider != req.ExecutorProvider {
+		return false
+	}
+	if req.ExecutionSecurityTier != "" && executor.ExecutionSecurityTier != req.ExecutionSecurityTier {
+		return false
+	}
+	if req.ProofTier != "" && executor.ProofTier != req.ProofTier {
+		return false
+	}
+	return true
+}
+
 type ResourceUsage struct {
 	CPUMillis      int64  `json:"cpu_millis,omitempty"`
 	GPUMillis      int64  `json:"gpu_millis,omitempty"`
diff --git a/protocol/types_test.go b/protocol/types_test.go
index b0f8e79..bdd1532 100644
--- a/protocol/types_test.go
+++ b/protocol/types_test.go
@@ -259,6 +259,47 @@ func TestExecutorRefValidateForProofRequiresDigestsForNonNativeExecutors(t *test
 	}
 }
 
+func TestExecutorMatchesPlacementRequirements(t *testing.T) {
+	executor := protocol.ExecutorRef{
+		Provider:              "sandboxed-command",
+		Version:               "dev",
+		ExecutionSecurityTier: protocol.ExecutionSandboxedContainer,
+		ProofTier:             protocol.ProofArtifactHash,
+	}
+
+	if !protocol.ExecutorMatchesPlacementRequirements(executor, protocol.PlacementRequirements{}) {
+		t.Fatal("empty placement requirements should match an executor")
+	}
+	if !protocol.ExecutorMatchesPlacementRequirements(executor, protocol.PlacementRequirements{
+		ExecutorProvider:      "sandboxed-command",
+		ExecutionSecurityTier: protocol.ExecutionSandboxedContainer,
+		ProofTier:             protocol.ProofArtifactHash,
+	}) {
+		t.Fatal("matching provider/security/proof requirements should match executor")
+	}
+	for name, req := range map[string]protocol.PlacementRequirements{
+		"provider": {
+			ExecutorProvider:      "service-sandboxed-container",
+			ExecutionSecurityTier: protocol.ExecutionSandboxedContainer,
+			ProofTier:             protocol.ProofArtifactHash,
+		},
+		"security tier": {
+			ExecutorProvider:      "sandboxed-command",
+			ExecutionSecurityTier: protocol.ExecutionMicroVM,
+			ProofTier:             protocol.ProofArtifactHash,
+		},
+		"proof tier": {
+			ExecutorProvider:      "sandboxed-command",
+			ExecutionSecurityTier: protocol.ExecutionSandboxedContainer,
+			ProofTier:             protocol.ProofAttestedReceipt,
+		},
+	} {
+		if protocol.ExecutorMatchesPlacementRequirements(executor, req) {
+			t.Fatalf("%s mismatch unexpectedly matched executor", name)
+		}
+	}
+}
+
 func TestResourceLimitsRejectNegativeValues(t *testing.T) {
 	limits := protocol.ResourceLimits{
 		CPUPercent:     -1,