
Security Engineering Lead

Upvest
Seniority: Senior
Model: Hybrid
Sector: Fintech
Salary: Undisclosed
Contract: Full-Time

About the role

Upvest is hiring a Security Engineering Lead to step into the lean Security team, set its multi-quarter direction, and scale Security Engineering into a team that continues to own Upvest's entire application security and cloud security posture in a highly regulated environment as it scales.

What you'll do

  • Set the multi-quarter strategy for application and cloud security across Upvest's Investment API platform — aligned with product roadmap, tenant commitments, and regulatory obligations under DORA, MiFID II, and BaFin's MaRisk / BAIT requirements.
  • Lead, mentor, and grow the Security Engineering team. Own hiring, onboarding, growth, and retention as you scale, and create initiatives to build security into the development and product life cycle.
  • Build paved roads. Own how Upvest performs encryption, authN/authZ, CI/CD, data, and network surfaces to embed security into templates.
  • Own application security end-to-end: threat modeling, secure code review, SAST/DAST/SCA tooling integration, and vulnerability management.
  • Drive cloud security posture across the GCP environment — IAM, VPC Service Controls, Cloud KMS, CSPM, Binary Authorization for GKE, and Terraform-driven infrastructure security baselines.
  • Mature Upvest's DORA technical implementation by translating the ICT risk framework, secure development testing, and threat-led penetration testing into engineering work programmes.
  • Embed security in product design through architecture reviews, design partnerships, and security champions across product squads.
  • Stay current on emerging threats including AI / LLM security and agentic identities.

What you'll need

  • 6–10 years in security engineering, with 4+ years focused on product security or cloud security in a regulated environment.
  • Hands-on, technically credible: comfortable reading code, threat modeling designs, debating architectures, and writing tooling.
  • Cloud-native security depth in GCP (AWS or Azure transferable). Knowledge of IAM, network segmentation, KMS, IaC security (Terraform), and Kubernetes hardening.
  • Product/Application security foundations: OWASP Top 10 / ASVS, secure code review, SAST/DAST/SCA tooling integration, supply-chain security (SLSA, signing).
  • Lead through influence, not gatekeeping. Drive security outcomes through partnership and make sound risk-based decisions that scale.
  • Hire and grow people. Built or grown a small team with high interview standards, strong onboarding, and fair performance management.
  • Communicate cleanly across audiences: security incidents to engineering, control narratives to auditors, risk briefings to executives.

Nice to have

  • Experience securing multi-tenant B2B platforms or financial-API products.
  • Experience with trading, custody, or securities settlement platforms.
  • Regulatory fluency with DORA, MaRisk, BAIT, ISO 27001.
  • Hands-on backend experience in Go, Python, or modern languages.
  • Background in engineering and offensive security.
  • Hands-on experience with AI/LLM security or agentic identity.