Product Security Engineer

Alpaca is a US-headquartered self-clearing broker-dealer and brokerage infrastructure for stocks, ETFs, options, crypto, fixed income, 24 / 5 trading, and more. Our recent Series C funding round brought our total investment to over $170 million, fueling our ambitious vision. Alpaca serves hundreds of financial institutions across 40 countries with our institutional-grade APIs, including broker-dealers, investment advisors, wealth managers, hedge funds, and crypto exchanges, totaling over 6 million brokerage accounts. Our global team is a diverse group of experienced engineers, traders, and brokerage professionals focused on opening financial services to everyone. We are committed to open-source contributions and fostering a vibrant community, continuously enhancing our award-winning, developer-friendly API and the robust infrastructure behind it. Our investors include Portage Ventures, Spark Capital, Tribe Capital, Social Leverage, Horizons Ventures, Unbound, SBI Group, Derayah Financial, Elefund, and Y Combinator.

Our Team Members :

We are a dynamic team of 230+ globally distributed members who work from around the world, including the USA, Canada, Japan, Hungary, Nigeria, Brazil, the UK, and beyond. We are seeking passionate individuals who align with our core values — Stay Curious, Have Empathy, and Be Accountable — and are ready to make a significant impact. We encourage you to apply.

We are seeking an experienced Product Security Engineer who can help expand our Security efforts and safeguard Alpaca\'s assets from evolving cyber threats to ensure the security and integrity of our products.

In this role, you will help ensure the security of Alpaca\'s products and infrastructure, protecting our APIs, trading platforms, and customer data from threats. You\'ll collaborate with engineering, product, and operations teams to embed security best practices into our development lifecycle, harden our systems, and respond to emerging threats. If you\'re excited about security, cutting-edge financial tech, and thrive in a fast-paced environment, we would love to hear from you.

The role requires a deep understanding of Cybersecurity principles, application security, DevSecOps, incident response, cloud security, offensive security, and proactive threat detection with a proven track record of managing security risks and cross-functional collaboration. The Security Team is 100% distributed and remote. This role reports directly to the CISO.

• Collaborate with Product, Engineering, and DevOps to embed security into our API and platform development lifecycle, working with Engineering and Product teams
• Perform threat modeling and security reviews to spot risks early and keep our products secure
• Identify, triage, and remediate security vulnerabilities in our codebase, infrastructure, and third-party dependencies, and help respond to and manage our bug bounty program
• Build and tweak automation tools for security testing and monitoring
• Participate in security incident response efforts, including investigation, containment, and post-mortem analysis
• Harden our cloud systems (Google Cloud, Kubernetes) and products to meet industry standards and protect against evolving threats
• Team up with product and DevOps crews to make security seamless without slowing us down
• Promote a security-first mindset by providing guidance, training, and documentation on secure coding practices and emerging threats
• Assist with compliance audits and assessments as necessary
• Conduct security research and contribute to the development of new security tools and techniques

• Excited about Alpaca\'s mission and what we\'re building
• 6-8 years of mixed experience in security operations, security engineering, product security, and DevSecOps
• Proficiency in at least one programming language (e.g., Go, Python) and the ability to review and write secure code
• Experience with API security (e.g., OAuth, JWT, WAF, rate limiting)
• Experience with cloud security (e.g., Google Cloud, AWS) including DevSecOps and embedding security in the CI / CD pipeline
• A strong understanding of how to secure containerized environments (e.g., Kubernetes, Docker)
• Familiarity with security tools such as static code analyzers, vulnerability scanners, and penetration testing frameworks
• Knowledge of common security vulnerabilities (e.g., OWASP Top 10) and mitigation strategies
• Strong analytical and problem-solving skills
• Excellent communication skills and a commitment to collaboration across the Firm
• Comfortable thriving in a distributed, remote-first team with asynchronous collaboration across time zones
• A curious mindset, empathy for users and teams, and a commitment to accountability — aligned with Alpaca\'s core values of Stay Curious, Have Empathy, and Be Accountable
• Available for on-call rotations and after-hours responses as needed

• Bachelor\'s degree in Information Technology or a related field
• Security-related certifications such as CISSP, GIAC, OSCP, CRTO, Kubernetes certifications are a plus
• Experience in securing and monitoring APIs
• Understanding of financial and privacy regulations
• Experience in the financial services industry
• Business acumen to balance stakeholder needs with technology feasibility and budget constraints

• Competitive Salary & Stock Options
• Health Benefits
• New Hire Home-Office Setup: One-time USD 500
• Monthly Stipend: USD 150 per month via a Brex Card

Alpaca is proud to be an equal opportunity workplace dedicated to pursuing and hiring a diverse workforce.

Recruitment Privacy Policy