Key skills
AWSCloudCypressDockerEC2GrafanaJavaScriptJestKubernetesNode.jsPrometheusPythonReactSeleniumTerraformVaultWeb3GoBashGitHub ActionsPulumiECSEKSCloudFormationLambdaS3RDSCloudFrontIAMCloudWatchPostmanGitHubDeFiCI/CDCommunicationRemote WorkOWASPPenetration TestingNetwork SecurityWAF
About this role
Role Overview
- Own the security posture across all products: Legacy, Trading Bot, and future platforms. If something gets breached, it is your problem. If nothing gets breached, it is because of your work.
- Conduct regular penetration testing, vulnerability assessments, and threat modeling aligned with OWASP standards and methodologies
- Ensure full coverage of the OWASP Top 10 in application security testing, code reviews, and deployment checks
- Perform security-focused code reviews across frontend, backend, and infrastructure code, catching what standard code reviews miss
- Implement and manage secrets management (Vault, AWS Secrets Manager, or KMS), access controls, and least-privilege policies
- Build and maintain incident response playbooks. When something breaks, you lead the response, run the post-mortem, and ship the fix
- Stay ahead of Web3 and crypto-specific attack vectors: phishing campaigns, wallet exploits, API key compromises, supply chain attacks, and social engineering
- Manage and coordinate external security audits and penetration tests from third-party firms
- Design and implement test strategies across all products: unit tests, integration tests, end-to-end tests, API tests, and regression suites
- Build and maintain automated testing frameworks and CI quality gates that prevent broken code from reaching production
- Define and track quality metrics: test coverage, flakiness rate, regression detection latency, and bug escape rate
- Write and execute security test cases: authentication flows, authorization controls, input validation, API abuse scenarios, and edge cases around financial data
- Perform both white-box and black-box testing, leveraging full codebase access to catch issues that surface-level QA would miss
- Test across the full stack: frontend UI, backend APIs, database queries, third-party integrations, and on-chain interactions
- Maintain and improve cloud infrastructure on AWS using Infrastructure as Code (Terraform or CloudFormation)
- Own CI/CD pipelines (GitHub Actions preferred): automated testing, security scanning, linting, and deployment
- Harden infrastructure: network security, IAM policies, container security, and environment isolation
- Build logging, monitoring, and alerting across all services (CloudWatch, Prometheus, Grafana, or equivalent)
- Ensure audit trails for user actions, system changes, and access events
- Manage production reliability, incident response, and cost optimization
- Contribute production code across frontend and backend, bringing a security-first mindset to every feature you build
- Build features, fix bugs, and ship improvements alongside the engineering team
- Every line you write should make the product better and harder to break: input validation, error handling, authentication, and data protection by default
- Participate in architecture discussions and code reviews, advocating for testability, reliability, and security in every decision
Requirements
- 5+ years in software engineering roles with meaningful, hands-on security and QA experience. We will verify this. If your security experience is theoretical, this is not the right fit.
- Fullstack development experience: you can build and ship features across frontend (React or equivalent) and backend (Node.js, Python, Go, or equivalent)
- Hands-on penetration testing and vulnerability assessment experience across web applications, APIs, and cloud infrastructure
- Strong working knowledge of OWASP standards, including the OWASP Top 10, OWASP Testing Guide, and OWASP secure coding practices
- Experience building automated test frameworks and integrating testing into CI/CD pipelines
- AWS expertise (EC2, ECS/EKS, Lambda, VPC, IAM, S3, RDS, CloudFront, WAF)
- Infrastructure as Code experience (Terraform, CloudFormation, or Pulumi)
- Container technologies: Docker and Kubernetes in production environments
- Scripting and automation proficiency in Bash and Python
- Experience with secrets management tools (HashiCorp Vault, AWS Secrets Manager, or similar)
- Familiarity with security and testing tools (Burp Suite, OWASP ZAP, Selenium, Cypress, Jest, Postman, or equivalent)
- Strong communication skills: you can explain security risks and quality tradeoffs clearly to non-technical stakeholders.
Nice-to-Have
- Security certifications: OSCP, CISSP, CompTIA Security+, AWS Security Specialty, or equivalent
- Experience at a crypto, DeFi, Web3, or fintech product company (Coinbase, Phantom, Stripe, Casa, MetaMask, Zerion, Ramp, or similar)
- Familiarity with Web3-specific security concerns: wallet security, key management, on-chain monitoring, phishing mitigation
- SDET background or experience in a hybrid development-and-testing role
- Experience testing financial systems: payment flows, ledger integrity, double-spend prevention, or transaction monitoring
- Experience implementing zero-trust architectures
- Bug bounty participation, CVE publications, or contributions to open-source security tooling
Tech Stack
- AWS
- Cloud
- Cypress
- Docker
- EC2
- Grafana
- JavaScript
- Jest
- Kubernetes
- Node.js
- Prometheus
- Python
- React
- Selenium
- Terraform
- Vault
- Web3
- Go
Benefits
- Competitive salary + performance-based incentives tied to retention & LTV improvement
- Direct exposure to founders
- Team Offsites
- Remote work
- High ownership, high-impact role