Product Security Engineer at Alpaca

Remote 🌍 Work from Anywhere Full time Senior Posted  Apply before Oct 05, 2025

Job Description

Product Security Engineer - Remote

Alpaca is a US-headquartered self-clearing broker-dealer and provider of brokerage infrastructure for stocks, ETFs, options, crypto, fixed income, and more. Backed by leading investors, Alpaca serves institutional and retail customers across 40+ countries and supports millions of brokerage accounts. Our global, distributed team builds developer-friendly APIs and resilient trading infrastructure. We are hiring a Product Security Engineer to help scale our security program, protect our APIs and trading platforms, and strengthen our cloud and containerized environments.

Your role

As a Product Security Engineer at Alpaca, you will embed security into the product development lifecycle, harden cloud and platform infrastructure, and help the company respond to evolving threats. You will work closely with engineering, product, and operations teams, report to the CISO, and participate in on-call rotations as needed.

Key responsibilities

  • Collaborate with Product, Engineering, and DevOps to integrate security practices into API and platform development.
  • Perform threat modeling and security reviews to identify risks early in design and development.
  • Identify, triage, and remediate vulnerabilities across code, infrastructure, and third-party dependencies, and help manage the bug bounty program.
  • Develop and maintain automation tools for security testing and continuous monitoring.
  • Participate in incident response, including investigation, containment, and post-mortem analysis, driving continuous improvement.
  • Harden cloud systems and containerized environments to industry standards, focusing on Google Cloud and Kubernetes.
  • Provide training, documentation, and guidance to engineering teams on secure coding practices and threat mitigation.
  • Assist with compliance audits and assessments as required, and conduct security research to advance internal tooling and techniques.

Must-have qualifications

  • 6-8 years of combined experience across security operations, security engineering, product security, or DevSecOps.
  • Proficiency in at least one programming language such as Go or Python, with the ability to review and write secure code.
  • Experience with API security concepts and controls, such as OAuth, JWT, web application firewalls, and rate limiting.
  • Hands-on experience securing cloud environments, particularly Google Cloud and/or AWS, and embedding security into CI/CD pipelines.
  • Strong knowledge of container security, including Kubernetes and Docker hardening.
  • Familiarity with security tooling such as static analysis, vulnerability scanners, and penetration testing frameworks.
  • Knowledge of common application vulnerabilities, for example OWASP Top 10, and practical mitigation strategies.
  • Excellent analytical, communication, and cross-functional collaboration skills, and comfort working in a distributed remote team across time zones.
  • Willingness to participate in on-call rotations and respond to after-hours incidents as required.

Nice-to-have

  • Bachelor's degree in Information Technology or related field.
  • Security certifications such as CISSP, GIAC, OSCP, CRTO, or Kubernetes security credentials.
  • Experience securing and monitoring APIs at scale, and familiarity with financial or privacy regulations.
  • Prior experience in financial services or fintech, and business acumen to balance stakeholder tradeoffs.

What we offer

  • Competitive salary and stock options.
  • Health benefits.
  • New hire home-office setup: one-time USD 500.
  • Monthly stipend: USD 150 per month.
  • Remote-first, distributed team with global collaboration.

How to apply

Apply via the job page. The application includes questions about past security incidents, collaboration with product and engineering to embed security, and examples of vulnerability identification and remediation. You will be asked to provide GitHub/GitLab and LinkedIn profiles, and to confirm your working location and timezone.

Equal opportunity and privacy

Alpaca is an equal opportunity workplace. Recruitment privacy details and additional company information are available on the application page.
