Key Responsibilities:
- DevSecOps (cloud infrastructure, incident response, platform stability)
- Test Engineering (end-to-end testing, regression pipelines, feature assurance)
- Security Engineering (penetration testing, security advisory, security governance)
The organization has the mandate of ensuring the end-to-end reliability of the GRVT platform, protecting our product's reliability, correctness, and security.
This role is positioned within the Security vertical but works cross-functionally with the entire organization.
- Lead technical assurance activities across projects, including penetration testing, purple teaming, threat modeling, and architecture reviews—ensuring both new and existing systems maintain a high security baseline.
- Serve as the primary security expert within the SRE team, collaborating closely with Ops and QA Engineers and wider teams to design practical, high-impact controls that enhance platform security without compromising delivery velocity.
- Build automation and internal tooling for security visibility, posture monitoring, and enforcement (e.g., secret scanning, anomaly detection, automated test harnesses).
- Monitor, triage, and lead response efforts for security incidents, coordinating across SRE and wider engineering teams.
- Establish and maintain security policies and controls aligned with both engineering best practices and regulatory obligations.
- Educate and empower developers and engineers with actionable guidance, secure coding practices, and feedback cycles—reducing the likelihood of vulnerabilities during development.
Experience & Skills Requirements:
- Strong Information Security (InfoSec) background (5+ years), with proven experience in application security across both traditional web stacks and blockchain-based systems.
- Expert knowledge of web application security, including deep familiarity with the OWASP Top 10, to assess and defend GRVT’s off-chain services against common web-based threats.
- Python proficiency — experience building security engineering tools such as automated API security testers, custom static analyzers, or CI/CD-integrated scanners for secrets, misconfigurations, and insecure patterns.
- Proficiency in security testing tools, such as SAST (e.g., SonarQube, Checkmarx, GoSec) and DAST (e.g., OWASP ZAP, Burp Suite).
- Demonstrated ability to quickly understand and analyze unfamiliar codebases, enabling effective secure code review across diverse systems—including web services, infrastructure components, and smart contracts.
- Experience conducting threat modeling exercises, or a strong grasp of threat modeling methodologies, to evaluate project risk at the design and implementation levels.
- Smart contract auditing experience, with familiarity in identifying common vulnerabilities in decentralized applications and blockchain systems.
- Experience with bug bounty programs, either as a seasoned researcher or by managing an organization’s program.
- Experience with cloud infrastructure (e.g., AWS, GCP), an understanding of container security and DevSecOps principles, and practical experience integrating security into CI/CD pipelines.
Bonus Points:
- Familiarity with IT security frameworks such as SOC 2 and ISO 27001, and how to align technical controls to compliance objectives.
- Holds or actively pursues professional certifications such as OSCP, OSWE, CISSP, CDP, or CTMP.