Security Engineer - Product
Responsibilities
- Own the security model for our partner-facing APIs: authentication, authorization, tenant isolation, abuse prevention, signing, and audit logging.
- Drive a coherent auth strategy across services and surfaces, including step-up auth for sensitive actions and a strong-auth roadmap (passkeys and beyond).
- Build the device telemetry, behavioral signals, and velocity primitives that fraud and risk functions depend on.
- Be the secure-by-design partner with Engineering — sit in on architecture reviews before features ship, write the threat models, own the tradeoffs.
- Own secure SDLC: SAST/DAST, dependency scanning, secret detection, and the security tooling engineers interact with daily.
- Coordinate with our infrastructure team to improve our security posture across the stack: from infrastructure, to supply chain, to first-party applications, to third-party dependencies and SaaS platforms.
- Be the technical authority on sensitive payment data. Keep the footprint small and well-defined as the platform grows.
- Lead incident response on security events (containment, forensics, comms, blameless postmortems) and drive vulnerability remediation across services.
- Own the relationship with our external security architecture partner: set priorities, scope engagements, integrate findings into our roadmap.
- Serve as the technical counterpart to ensure compliance, translating SOC 2, PCI DSS, and other security frameworks into scalable engineering solutions and ensuring in-product controls are effective in practice - not just on paper.
Requirements
Strong programming skills in Java, Python, or a comparable language — you write production code.
Experience designing or operating secure platform / B2B APIs at scale, especially in multi-tenant environments.
Background in anti-ATO, anti-fraud, or authentication systems at scale (consumer fintech, marketplace, or large consumer platform).
Working knowledge of AWS: IAM, KMS, networking, service-to-service auth.
Comfort with modern AI tooling (Claude, Copilot, and similar) as a daily force multiplier across code review, threat modeling, detection engineering, and security tooling.
Excellent written communication. You'll write threat models, postmortems, and partner-facing security responses.
Comfortable owning the security function in-house while leveraging external specialists as a force multiplier.
What We Look For
Fintech, payments, or other regulated environment experience.
Threat modeling methodology background (STRIDE, attack trees, or your own).
Experience working alongside or building for a risk / fraud operations team.
Experience operating a bug bounty or vulnerability disclosure program.
Why Cardless
You'll lead product security for a platform that powers some of the most recognizable card programs in the world.
The work moves real dollars and real trust from the moment you ship.
You'll have a real seat in every major architecture conversation, executive visibility, and an external security architecture partner you can lean on.
Benefits
- Meaningful start-up equity
- 100% health, vision & dental primary coverage
- 75% health, vision & dental dependent coverage
- Catered lunches and dinners
- Commuter benefit
- Parental leave
- Relocation assistance
Compensation
This role has an annual starting salary range of $190,000–$260,000 + equity + benefits (see above).