Security Engineer (Web2 + Web3)

Our client is pioneering asset tokenization, bringing regulatory-compliant, institutional-grade assets on-chain and unlocking DeFi composability for RWAs. They operate at the intersection of deep legal, technical, and operational expertise and move fast to tackle hard problems with reliable, scalable systems. We’re hiring a Security Engineer to own and build the security function of our company (Web2 + Web3). This role is critical to protecting our infrastructure, products, and users as our client scale beyond $1B TVL. You will work closely with engineering, DevOps, and leadership to design and implement security best practices across the company. This is a fully hands-on, technical role, not a purely strategic or managerial position. Candidates with recent, direct experience implementing security operations in scaling or startup Web3 teams will be prioritized. Candidates whose primary experience in the last 2–3 years is strategic or team management (rather than direct engineering implementation) will not be prioritized for this role Key Responsibilities Web2 & Web3 Security: Secure smart contracts, APIs, and user-facing applications. Infrastructure Security: Harden GCP/AWS/Cloudflare environments, networks, and endpoints. Supply Chain Security: Ensure secure CI/CD pipelines, manage dependencies, enforce SBOM practices. Monitoring & Detection: Deploy monitoring tools (SIEM, anomaly detection, alerts) for infra and on-chain activity. Company Security Posture: Lead security audits, access controls, secrets management, and incident response. Policies & Awareness: Define security policies, run internal training, build a culture of security-first engineering. Vendor & Partner Due Diligence: Assess risk of external tools, services, and integrations. Incident Response & Playbooks: Establish and run IR processes for potential threats, exploits, or breaches. Compliance & Certifications: SOC2, ISO27001, GDPR alignment (with external partners at first). Key & Wallet Security: HSMs, MPC, custody solutions for on-chain assets. Red Teaming / Pentesting: Either hands-on or coordinating with external providers. Bug Bounty / External Research: Manage relations with external auditors and bounty platforms. Required Skills and Qualifications A. Strong experience in security engineering (infra, cloud, or product). B. Ability to work as a generalist and builder, setting up the security foundation of the company. C. Hands-on, pragmatic approach & comfortable being both architect and executor. D. 2+ years hands-on in infrastructure security, operations, cloud, and/or penetration testing for blockchain/web3 or high-scale fintech, not just smart contract auditing E. Experience conducting and operationalizing penetration testing, threat modeling, vulnerability remediation, and incident response at the org-level F. Recognized contributor/authority within blockchain or web3 security, with strong references from respected projects/companies. Remote first team