Job Role Insight
Date Posted: May 10, 2025
Location: Remote
Salary: N/A
Job Type: Full-Time
Description
At Alpaca, we're revolutionizing financial services, and safeguarding our platform is paramount. We're seeking an experienced Product Security Engineer to join our growing Security team and play a critical role in protecting Alpaca's assets from the ever-evolving landscape of cyber threats, ensuring the security and integrity of our innovative products.
In this impactful role, you will be a key contributor to ensuring the security of Alpaca’s cutting-edge products and robust infrastructure, diligently protecting our APIs, high-performance trading platforms, and sensitive customer data from a wide range of threats. You will collaborate closely and proactively with our talented engineering, product, and operations teams to seamlessly embed security best practices throughout our software development lifecycle, rigorously harden our critical systems, and effectively respond to emerging security incidents.
If you are deeply passionate about security, excited by the challenges of cutting-edge financial technology, and thrive in a dynamic, fast-paced environment, we would be thrilled to hear from you.
This role demands a comprehensive understanding of core Cybersecurity principles, deep expertise in application security, proficiency in DevSecOps methodologies, experience in incident response, strong knowledge of cloud security best practices, familiarity with offensive security concepts, and a proactive approach to threat detection. A proven track record of effectively managing security risks and fostering seamless cross-functional collaboration is essential.
The Security Team at Alpaca is 100% distributed and remote, offering flexibility and autonomy. This position reports directly to the Chief Information Security Officer (CISO).
Things You'll Get To Do
- Collaborate closely and proactively with Product, Engineering, and DevOps teams to deeply embed security principles and practices into our API and platform development lifecycle, working hand-in-hand to build secure products from the ground up.
- Conduct thorough threat modeling exercises and perform comprehensive security reviews to proactively identify potential risks early in the development process, ensuring our products remain secure by design.
- Identify, effectively triage, and drive the remediation of security vulnerabilities discovered within our codebase, critical infrastructure, and third-party dependencies. You will also play a key role in responding to and managing our bug bounty program.
- Design, build, and continuously refine automation tools to enhance our security testing and proactive monitoring capabilities.
- Actively participate in security incident response efforts, including detailed investigation, effective containment strategies, and thorough post-mortem analysis, to ensure rapid resolution of incidents and drive continuous improvement of our security posture.
- Implement and maintain robust security hardening measures for our cloud-based systems (Google Cloud, Kubernetes) and products to consistently meet stringent industry standards and effectively protect against evolving threats.
- Partner effectively with product and DevOps teams to integrate security seamlessly into their workflows without hindering development velocity or innovation.
- Champion a security-first mindset across the organization by providing clear guidance, comprehensive training, and up-to-date documentation to team members on secure coding practices and emerging threat landscapes.
- Assist with compliance audits and security assessments as necessary, providing technical expertise and support.
- Conduct proactive security research and contribute to the ongoing development and refinement of new security tools and innovative techniques.
Who You Are (Must-Haves)
- Genuine excitement and enthusiasm for Alpaca’s mission to democratize finance and the innovative products we are building.
- A solid 6-8 years of well-rounded experience spanning security operations, security engineering, product security principles, and DevSecOps methodologies.
- Demonstrated proficiency in at least one modern programming language (e.g., Go, Python) and a strong ability to review and contribute to secure code development.
- Proven experience with API security best practices and technologies (e.g., OAuth, JWT, WAF, rate limiting).
- Hands-on experience with cloud security principles and platforms (e.g., Google Cloud, AWS), including the implementation of DevSecOps practices and embedding security controls within the CI/CD pipeline.
- A strong foundational understanding of how to effectively secure containerized environments and orchestration platforms (e.g., Kubernetes, Docker).
- Familiarity with a range of security tools, including static code analyzers, dynamic vulnerability scanners, and penetration testing frameworks.
- In-depth knowledge of common security vulnerabilities (e.g., OWASP Top 10) and effective mitigation strategies.
- Strong analytical and problem-solving skills with meticulous attention to detail.
- Excellent written and verbal communication skills and a strong commitment to collaborative work across all teams within the Firm.
- Comfortable and effective at thriving within a distributed, remote-first team environment, with the ability to collaborate asynchronously across different time zones.
- A naturally curious mindset, genuine empathy for our users and internal teams, and a strong commitment to accountability – aligning with Alpaca’s core values of "Stay Curious," "Have Empathy," and "Be Accountable."
- Willingness and availability to participate in on-call rotations and respond to after-hour security incidents when necessary.
Who You Might Be (Nice-to-Haves)
- Bachelor’s degree in Information Technology or a closely related field.
- Relevant security certifications such as CISSP, GIAC certifications, OSCP, CRTO, or Certified Kubernetes Security Specialist (CKS) are considered a significant plus.
- Proven experience in securing and effectively monitoring APIs in production environments.
- A solid understanding of relevant financial and privacy regulations impacting the financial services industry.
- Previous experience working within the fast-paced and dynamic financial services industry.
- Strong business acumen, with the ability to effectively balance security considerations with stakeholder needs, technical feasibility, and budget constraints.
Note: If you feel strongly that you have what it takes for this role but don’t check 100% of the boxes—that’s okay—we encourage you to apply anyway and highlight what you can bring to the table.