Senior Security Engineer

About The Position

Nice To Haves

• Deep application security experience: threat modeling, OWASP Top 10 (and beyond), secure code review, SAST/DAST tooling, and working directly with engineers to fix what you find.
• Strong AWS security experience across IAM, VPC, GuardDuty, Security Hub, CloudTrail, KMS, Secrets Manager, and WAF.
• Terraform and/or Pulumi proficiency - you can read and contribute to infrastructure-as-code, and you understand the security implications of what you’re reviewing.
• Hands-on SOC 2 experience: you’ve designed controls, collected evidence, and managed an auditor relationship - not just checked boxes.
• CI/CD security experience: integrating security tooling into developer pipelines in a way engineers actually appreciate.
• Fintech or regulated industry experience - you understand the intersection of security, compliance, and data privacy in a lending or financial services context.
• Collaborative mindset - you build relationships with engineering rather than operating as an external reviewer or blocker. You measure success by how secure the product is, not how many policies you’ve issued.
• Identity and access experience: SSO/SAML, SCIM, MFA enforcement, hardware security keys, and access review programs.
• Familiarity with data security for sensitive personal and financial data - encryption at rest and in transit, data classification, and minimization.
• Strong written communication - you document decisions, write clear runbooks, and communicate security risks to non-security audiences without FUD.
• Scripting and automation chops (Python, Bash, or similar) - you build tools to make security scalable, not just write policies.

Responsibilities

• Lead and drive Loancrate’s security posture across application security, cloud security, identity, and compliance - partnering closely with engineering and leadership.
• Perform regular threat modeling, vulnerability assessments, and penetration testing - and work directly with engineering to remediate findings fast.
• Build and maintain security tooling and automation: SAST/DAST, dependency scanning, container scanning, SBOM management, and secret detection integrated into CI/CD.
• Harden our AWS environment: IAM, VPC boundaries, secrets management (AWS Secrets Manager), audit logging, GuardDuty, Security Hub, KMS key management, and DDoS protection.
• Own our SOC 2 Type II program - design practical controls, automate evidence collection where possible, manage the auditor relationship, and drive continuous improvement.
• Lead or coordinate incident response for security events - runbooks, postmortems, and clear communication to customers and leadership when needed.
• Establish and maintain a secure SDLC - lightweight design reviews, threat modeling in planning, and developer enablement (training, docs, examples) that scales.
• Maintain a risk register - tracking identified threats, ownership, and remediation status so nothing falls through the cracks.
• Partner with Operations on endpoint and device security: laptop hardening, MDM policy, hardware key rollout, and offboarding access revocation.
• Manage third-party and vendor security risk, including due diligence for new integrations and annual reviews of existing vendors.
• Own identity and access infrastructure: SSO, MFA enforcement (including hardware key policies), SCIM provisioning, and access reviews.
• Contribute to security documentation, internal runbooks, and team education - you make the secure path the easy path.