New

Product Security Engineer

Remote - Global - Anywhere

Who We Are:

Alpaca is a US California headquartered brokerage infrastructure technology company and self-clearing broker-dealer, delivering execution and custody solutions for Stocks, ETFs, Options, Cryptocurrencies, and more, and has raised over $170 million in funding. Amongst our subsidiaries, Alpaca is a licensed financial services company in multiple countries, and we serve hundreds of financial institutions globally such as broker-dealers, investment advisors, hedge funds, and crypto exchanges.

Alpaca’s globally distributed team members bring in diverse experiences such as engineers, traders, and brokerage professionals to achieve our Mission of opening financial services to everyone on the planet. We are also deeply committed to open-source contributions and fostering a vibrant community. We will continue to enhance and improve our award-winning developer-friendly API and the infrastructure behind it.



Our Team Members:

We’re a team of 150+ globally distributed members who love working from our favorite places worldwide. Our team spans the USA, Canada, Japan, Hungary, Nigeria, Brazil, the United Kingdom, and more!

We’re looking for candidates eager to join Alpaca’s growing organization, who are excited about our Mission of “Open financial services to everyone on the planet and share our Values of “Stay Curious,” “Have Empathy,” and “Be Accountable.”

 

Your Role:

We are seeking an experienced Product Security Engineer who can help expand our Security efforts and play a critical role in safeguarding Alpaca’s assets from evolving cyber threats to ensure the security and integrity of our products. 

In this role, you will play a key part in ensuring the security of Alpaca’s products and infrastructure, protecting our APIs, trading platforms, and customer data from threats. You’ll collaborate closely with our engineering, product, and operations teams to embed security best practices into our development lifecycle, harden our systems, and respond to emerging threats. If you’re excited about security, cutting edge financial tech, and thrive in a fast-paced environment, we’d love to hear from you. 

The role requires a deep understanding of Cybersecurity principles, application security, DevSecOps, incident response, cloud security, offensive security, and proactive threat detection with a proven track record of managing security risks and cross functional collaboration. The Security Team is 100% distributed and remote. This role will be reporting directly to the CISO.

 

Things You Get To Do:

  • Collaborate with Product, Engineering, and DevOps to embed security into our API and platform development lifecycle, working hand-in-hand with our Engineering and Product teams
  • Perform threat modeling and security reviews to spot risks early and keep our products secure
  • Identify, triage, and remediate security vulnerabilities in our codebase, infrastructure, and third-party dependencies, and help respond and manage our bug bounty program
  • Build and tweak automation tools for security testing and monitoring
  • Participate in security incident response efforts, including investigation, containment, and post-mortem analysis, to ensure rapid resolution and continuous improvement
  • Harden our cloud systems (Google Cloud, Kubernetes) and products to meet industry standards and protect against evolving threats
  • Team up with product and DevOps crews to make security seamless without slowing us down
  • Promote a security-first mindset by providing guidance, training, and documentation to team members on secure coding practices and emerging threats
  • Assist with compliance audits and assessments as necessary
  • Conduct security research and contribute to the development of new security tools and techniques.

 

Who You Are (Must-Haves):

  • Excited about Alpaca’s mission and what we’re building
  • 6-8 years of mixed experience in a security operations, security engineering, product security, and DevSecOps
  • Proficiency in at least one programming language (e.g., Go, Python etc.) and the ability to review and write secure code
  • Experience with API security (e.g., OAuth, JWT, WAF, rate limiting) 
  • Experience with cloud security (e.g., Google Cloud, AWS) including DevSecOps and embedding security in the CI/CD pipeline
  • A strong understanding of how to secure containerized environments (e.g., Kubernetes, Docker)
  • Familiarity with security tools such as static code analyzers, vulnerability scanners, and penetration testing frameworks
  • Knowledge of common security vulnerabilities (e.g., OWASP Top 10) and mitigation strategies
  • Strong analytical and problem-solving skills
  • Excellent communication skills and committed to work collaboratively across the Firm
  • Comfortable thriving in a distributed, remote-first team with asynchronous collaboration across time zones
  • A curious mindset, empathy for our users and teams, and a commitment to accountability—aligned with Alpaca’s core values of "Stay Curious," "Have Empathy," and "Be Accountable."
  • Available for on-call rotations and after hour responses as needed

 

 Who You Might Be (Nice-to-Haves):  

  • Bachelor’s degree in Information Technology or a related field
  • Security related certifications such as CISSP, GIAC, OSCP, CRTO, K8s is a plus
  • Experience in securing and monitoring APIs
  • Understanding of financial and privacy regulations
  • Experience in the financial services industry
  • Business acumen to be able to balance tradeoffs between stakeholders and technology feasibility and budget constraints

How We Take Care of You:

  • Competitive Salary & Stock Options
  • Benefits: Health benefits start on day 1. In the US this includes Medical, Dental, Vision. In Canada, this includes supplemental health care. In Japan, you are offered local benefits. Internationally, this includes a stipend value to offset medical costs.   
  • New Hire Home-Office Setup: One-time USD $500
  • Monthly Stipend: USD $150 per month via a Brex Card
  • Work with awesome hard working people, super smart and cool clients and innovative partners from around the world

Alpaca is proud to be an equal opportunity workplace dedicated to pursuing and hiring a diverse workforce.

Recruitment Privacy Policy

Apply for this job

*

indicates a required field

Resume/CV*

Accepted file types: pdf, doc, docx, txt, rtf

Cover Letter

Accepted file types: pdf, doc, docx, txt, rtf

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Alpaca ’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

Select...
Select...
Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Select...

Voluntary Self-Identification of Disability

Form CC-305
Page 1 of 1
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury
Select...

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.