Product Security Lead

Cardless•San Francisco, CA

5d•$190,000 - $260,000•Onsite

About The Position

Cardless is the infrastructure that lets consumer brands put credit cards directly in their own product. Instead of sending customers off to a bank's website to manage their card, our platform handles the credit program end-to-end (applications, underwriting, servicing, rewards, compliance), so brands can build the card experience inside their own ecosystem. We power programs for Coinbase, Bilt, Qatar Airways, Alibaba, and others. We've raised $170M to date, most recently a $60M Series C led by Spark Capital. We're hiring a Product Security Lead to drive how we build security into the platform. The work spans authentication, authorization, anti-abuse controls, in-product fraud primitives, and the secure-by-design practices that come with running credit infrastructure for partners of this caliber. The role is hands-on and deeply cross-functional, working with Engineering, Risk, Compliance, Legal, and Data. You'll report to the Head of Engineering.

Requirements

Strong programming skills in Java, Python, or a comparable language — you write production code.
Experience designing or operating secure platform / B2B APIs at scale, especially in multi-tenant environments.
Background in anti-ATO, anti-fraud, or authentication systems at scale (consumer fintech, marketplace, or large consumer platform).
Working knowledge of AWS: IAM, KMS, networking, service-to-service auth.
Comfort with modern AI tooling (Claude, Copilot, and similar) as a daily force multiplier across code review, threat modeling, detection engineering, and security tooling.
Excellent written communication. You'll write threat models, postmortems, and partner-facing security responses.
Comfortable owning the security function in-house while leveraging external specialists as a force multiplier.

Nice To Haves

Fintech, payments, or other regulated environment experience.
Threat modeling methodology background (STRIDE, attack trees, or your own).
Experience working alongside or building for a risk / fraud operations team.
Experience operating a bug bounty or vulnerability disclosure program.

Responsibilities

Own the security model for our partner-facing APIs: authentication, authorization, tenant isolation, abuse prevention, signing, and audit logging.
Drive a coherent auth strategy across services and surfaces, including step-up auth for sensitive actions and a strong-auth roadmap (passkeys and beyond).
Build the device telemetry, behavioral signals, and velocity primitives that fraud and risk functions depend on.
Be the secure-by-design partner with Engineering — sit in on architecture reviews before features ship, write the threat models, own the tradeoffs.
Own secure SDLC: SAST/DAST, dependency scanning, secret detection, and the security tooling engineers interact with daily.
Coordinate with our infrastructure team to improve our security posture across the stack: from infrastructure, to supply chain, to first-party applications, to third-party dependencies and SaaS platforms.
Be the technical authority on sensitive payment data. Keep the footprint small and well-defined as the platform grows.
Lead incident response on security events (containment, forensics, comms, blameless postmortems) and drive vulnerability remediation across services.
Own the relationship with our external security architecture partner: set priorities, scope engagements, integrate findings into our roadmap.
Serve as the technical counterpart to ensure compliance, translating SOC 2, PCI DSS, and other security frameworks into scalable engineering solutions and ensuring in-product controls are effective in practice - not just on paper.