Job Drop Berlin

Security Engineering Lead

Upvest

Seniority: Senior
Model: Hybrid
Sector: Fintech
Salary: Undisclosed
Contract: Full-Time

About the role

Upvest is hiring a Security Engineering Lead to step into the Security team and scale Security Engineering as the organization grows. You'll own Upvest's entire application security and cloud security posture in a highly regulated environment, embedding security into the SDLC, hardening the cloud environment, and building platforms that make security teams more effective.

What you'll do

  • Set the multi-quarter strategy for application and cloud security across Upvest's Investment API platform — aligned with product roadmap, tenant commitments, and regulatory obligations under DORA, MiFID II, and BaFin's MaRisk / BAIT requirements.
  • Lead, mentor, and grow the Security Engineering team. Own hiring, onboarding, growth, and retention as you scale, and create initiatives to build security into the development and product life cycle.
  • Build paved roads. Own how Upvest handles encryption, authN/authZ, CI/CD, and its data and network surfaces.
  • Own application security end-to-end: threat modeling, secure code review, SAST/DAST/SCA tooling integration in GitHub Actions CI/CD, and vulnerability management.
  • Drive better cloud security posture across the GCP environment — IAM, VPC Service Controls, Cloud KMS, CSPM, Binary Authorization for GKE, Terraform-driven infrastructure security baselines, and Linkerd service mesh posture.
  • Mature Upvest's DORA technical implementation. Translate DORA's ICT risk framework, secure development testing requirements, and threat-led penetration testing into engineering work programmes.
  • Embed security in every product design through architecture reviews, design partnerships, and security champions across product squads.

What you'll need

  • 6–10 years in security engineering, with 4+ years focused on product security or cloud security, including experience working in a regulated environment.
  • Hands-on technical credibility. Comfortable reading code, threat modeling designs, debating architectures, and writing tooling when valuable.
  • Cloud-native security depth. GCP preferred; AWS or Azure transferable. Knowledge of IAM, network segmentation, KMS, IaC security (Terraform), and Kubernetes hardening.
  • Product/Application security foundations: OWASP Top 10 / ASVS, secure code review, SAST/DAST/SCA tooling integration, supply-chain security (SLSA, signing).
  • Lead through influence, not gatekeeping. Drive security outcomes through partnership with engineering teams, navigate ambiguity, and make sound risk-based decisions.
  • Experience building or growing a small team. Set a high bar in interviews, invest in onboarding, give real-time feedback, and address performance issues quickly.
  • Communicate cleanly across audiences: security incident write-ups to engineering, control narratives to auditors, and risk briefings to executives.

Nice to have

  • Experience securing multi-tenant B2B platforms or financial-API products.
  • Experience with trading, custody, or securities settlement platforms.
  • Bug bounty / VDP programme management.
  • Shipped backend code in production in Go (preferred), Python, or another modern backend language.
  • Regulatory fluency: working knowledge of DORA, MaRisk, BAIT, ISO 27001.
  • Hands-on experience with AI/LLM security or securing AI tooling in an engineering workflow.