Senior Product Security Engineer - Blockchain

Company: Blockchain

Location: London, GB (Remote)

Employment Type: Full-time

About the Company

Blockchain is connecting the world to the future of finance. As the most trusted and fastest-growing global crypto company, it helps millions of people worldwide safely access cryptocurrency. Since its inception in 2011, Blockchain has earned the trust of over 90 million wallet holders and more than 40 million verified users, facilitating over $1 trillion in crypto transactions.

About the Role

You will operate the Product Security programme for Blockchain.com's internally-developed products across Consumer, OTC and MRE lines. This is a senior, hands-on role where you'll design and run the secure development lifecycle, lead threat modeling and architecture review, own the security debt lifecycle for product engineering teams, and architect the automated pipelines that protect billions in transaction volume. You will embed with product and engineering teams, convert technical findings into business-prioritized remediation, and lift developer capabilities so security is delivered by code and process.

What You'll Do

• Act as a senior security engineer for different product lines like Consumer and OTC, owning the security gates for major feature releases and ensuring security is integrated from the design phase
• Operate and improve the secure development lifecycle, including orchestrating SAST/SCA/DAST, streamlining SARIF ingestion, PR review standards, CI/CD security automation, and vulnerability triage workflows
• Research, architect, and safely embed cutting-edge AI utilities and Large Language Model (LLM) agents directly into the secure development lifecycle
• Lead STRIDE/attack-tree threat models for sensitive flows including authentication, payment, custody, reconciliation and sign off on security architecture for critical designs
• Translate technical risks and regulatory demands into clear security policies, owning the creation and upkeep of Application Security Standards, reference architectures, and compliance-driven secure coding baselines
• Oversee the technical triage and remediation strategy for the Bug Bounty program, turning external researcher findings into internal architectural hardening projects
• Perform deep-dive manual code reviews of security-sensitive Pull Requests, mentor engineers on secure coding patterns, and provide pragmatic remediation guidance
• Conduct deep-dive manual and automated code reviews on highly sensitive Java and Kotlin backend Pull Requests
• Produce data-driven Security Debt packs and negotiate remediation into engineering roadmaps with Product Owners and Engineering leadership
• Define application runtime signals (business-logic anomalies, auth anomalies, reconciliation mismatches) and work with SecOps to instrument logs and alerts
• Build and maintain product-level test harnesses, fuzzing/property tests and CI checks to prevent regressions for business-critical flows
• Provide product-level Incident Response expertise including test forensic runbooks, support reproduction of payment/settlement incidents, and advise on containment/remediation
• Define and own Product Security metrics (e.g., MTTR for critical vulnerabilities, security debt burn-down, and defect density), translating these KPIs into high-level risk reports for leadership
• Coach junior product security engineers and security champions, assisting in defining hiring standards and capability plans

Requirements

Must-Haves

• 4+ years total security engineering experience with at least 3+ years focused specially in application/product security or equivalent
• Experience with Web, Mobile, Cloud, Infrastructure Pentests and Red Teaming (e.g., phishing)
• Proven track record of shipping security automation using CodeQL/GHAS, Snyk, or similar, with intimate familiarity with the SARIF ecosystem and ASPM workflows
• Expert-level ability to audit and propose fixes in Kotlin/Java, TypeScript/JS, Python, and familiarity with containerised deployments (Kubernetes)
• Strong threat modeling experience and pragmatic architecture guidance for high-stakes financial flows (AuthN/AuthZ, Cryptography, Payments)
• Experience building CI checks, test harnesses and lightweight fuzzing/property tests
• Excellent stakeholder skills — able to negotiate remediation with Engineering Directors and Product owners, balancing security requirements with business velocity

Nice-to-Haves

• Prior fintech/Trading/OTC product security experience or familiarity with custody/signing patterns
• Practical experience designing or deploying AI-assisted security tooling, leveraging LLMs for automated software patch generation, or evaluating vulnerability detection agents within enterprise developer pipelines
• Prior experience operating alongside GRC frameworks, authoring developer-facing security policies from scratch, and building automated policy-as-code gateway integrations
• Public track record of CVEs, security research, or open-source contributions to security tooling
• Advanced credentials such as OSCP, OSWE, CISSP or equivalent
• Experience with on-chain/off-chain integration, payment reconciliation, or smart contract security
• Familiarity with vulnerability management platforms (DefectDojo, Dependabot orchestration) and GRC/Gateway integrations
• Prior contributions to security automation and developer tooling (open source or internal)

Compensation & Benefits

• Full-time salary based on experience and meaningful equity in an industry-leading company
• Mandatory in-office presence four days per week at London office
• Work from Anywhere Policy: You can work remotely from anywhere in the world for up to 20 days per year
• ClassPass
• Unlimited vacation policy
• Apple equipment
• Opportunity to be a key player and build your career at a rapidly expanding, global technology company in an emerging field
• Flexible work culture