Product Security Engineer

Alpaca is a US-headquartered self-clearing broker-dealer and brokerage infrastructure for stocks, ETFs, options, crypto, fixed income, 24/5 trading, and more. Our recent Series C funding round has brought total investment to over $170 million, fueling our ambitious vision. Alpaca serves hundreds of financial institutions across 40 countries with our institutional-grade APIs, including broker-dealers, investment advisors, wealth managers, hedge funds, and crypto exchanges, totaling over 6 million brokerage accounts. Our global team is a diverse group of experienced engineers, traders, and brokerage professionals advancing our mission of opening financial services to everyone on the planet. We are committed to open-source contributions and fostering a vibrant community around our award-winning, developer-friendly API and robust infrastructure. Alpaca is backed by global investors including Portage Ventures, Spark Capital, Tribe Capital, Social Leverage, Horizons Ventures, Unbound, SBI Group, Derayah Financial, Elefund, and Y Combinator.

Our Team: We are a dynamic, 230+ member globally distributed team spanning the USA, Canada, Japan, Hungary, Nigeria, Brazil, the UK, and beyond. We are seeking passionate individuals who align with our core values—Stay Curious, Have Empathy, and Be Accountable—and who are ready to make a significant impact.

We are seeking an experienced Product Security Engineer to expand our security efforts and safeguard Alpaca’s assets from evolving cyber threats, ensuring the security and integrity of our products. You will collaborate with engineering, product, and operations teams to embed security best practices into the development lifecycle, harden systems, and respond to emerging threats. If you’re excited about security, cutting-edge financial tech, and thrive in a fast-paced environment, we’d love to hear from you.

The role requires a deep understanding of cybersecurity principles, application security, DevSecOps, incident response, cloud security, offensive security, and proactive threat detection, with a proven track record of managing security risks and cross-functional collaboration. The Security Team is fully distributed and remote. This role reports directly to the CISO.

• Collaborate with Product, Engineering, and DevOps to embed security into our API and platform development lifecycle, working with Engineering and Product teams
• Perform threat modeling and security reviews to identify risks early
• Identify, triage, and remediate security vulnerabilities in code, infrastructure, and third-party dependencies; support bug bounty program
• Build and tune automation tools for security testing and monitoring
• Participate in security incident response, including investigation, containment, and post-mortem analysis
• Harden cloud systems (Google Cloud, Kubernetes) and products to meet industry standards
• Work with product and DevOps teams to make security seamless without slowing down delivery
• Promote a security-first mindset with guidance, training, and documentation on secure coding practices
• Assist with compliance audits and assessments as necessary
• Conduct security research and contribute to the development of new tools and techniques

• Excited about Alpaca’s mission and what we are building
• 6–8 years of mixed experience in security operations, security engineering, product security, and DevSecOps
• Proficiency in at least one programming language (e.g., Go, Python) and ability to review and write secure code
• Experience with API security (OAuth, JWT, WAF, rate limiting)
• Experience with cloud security (Google Cloud, AWS), including DevSecOps and embedding security in CI/CD
• Strong understanding of securing containerized environments (Kubernetes, Docker)
• Familiarity with security tools such as static code analyzers, vulnerability scanners, and penetration testing frameworks
• Knowledge of common vulnerabilities (e.g., OWASP Top 10) and mitigation strategies
• Strong analytical and problem-solving skills; excellent communication and collaboration across the firm
• Comfortable thriving in a distributed, remote-first team with asynchronous collaboration
• Curious mindset, empathy for users and teams, and accountability aligned with Alpaca’s core values
• Available for on-call rotations and after-hours responses as needed

• Bachelor’s degree in Information Technology or a related field
• Security certifications such as CISSP, GIAC, OSCP, CRTO
• Experience securing and monitoring APIs
• Understanding of financial and privacy regulations
• Experience in the financial services industry
• Business acumen to balance stakeholder needs with technology feasibility

• Competitive salary & stock options
• New hire home-office setup: one-time USD 500
• Monthly stipend: USD 150 per month via Brex Card

Alpaca is proud to be an equal opportunity workplace dedicated to pursuing and hiring a diverse workforce.

Interested in building your career at Alpaca? Get future opportunities sent straight to your email.

We invite candidates to respond to voluntary self-identification questions for government reporting purposes. Completion is optional and will not affect hiring decisions. Any information provided is confidential and used solely for compliance reporting. For more details, see our equal employment opportunity policy.