Security Engineer
Startale
Job Overview
This hands-on role focuses on securing products in a startup ecosystem, including a decentralized exchange, user-facing application, and stablecoin. The position emphasizes blue team activities such as testing systems, hunting vulnerabilities, threat modeling, and collaborating with engineering teams to address security gaps. Reporting to the Security Lead, the role involves daily interaction with Backend, Frontend, DevOps, and Blockchain teams in a fast-paced environment backed by leading enterprises.
Responsibilities
- Conduct hands-on security testing of applications, APIs, and infrastructure, simulating attack scenarios to identify vulnerabilities before external attackers do.
- Build threat models for new services and features, particularly for trading engines, order books, and transaction flows, to identify attack surfaces and harden systems.
- Own the vulnerability lifecycle from discovery to remediation, including severity assessment, developer guidance, and fix verification.
- Manage vulnerability disclosure and bug bounty programs by validating reports, assessing severity, and communicating with researchers.
- Assess risks of AI tools used in engineering, such as data exfiltration and prompt injection, and maintain security baselines for AI-powered tools.
Qualifications
- 5+ years of hands-on experience in application security, penetration testing, or product security, with demonstrated ability to find vulnerabilities through manual testing, code review, or simulations.
- Practical experience with exchange or trading platform security, preferably DEX or DeFi, including understanding of order book mechanics, transaction flows, and wallet security.
- Scripting and automation skills to scale security efforts across the stack.
- Experience triaging vulnerabilities and providing clear remediation guidance to developers.
- Strong written English communication for tickets, reports, and researcher interactions.
- Strong plus: Experience with cloud infrastructure security, container security, code review in TypeScript/JavaScript, Solidity, or Rust, and software supply chain security.