5-10

Senior Security Engineer

11/17/2025

The candidate will be responsible for addressing cloud vulnerabilities, automating security processes, conducting offensive cloud security drills, and devising rules to detect and remediate vulnerabilities in Kubernetes, AWS, and IAM. They will collaborate with other security teams to maintain and improve the company's overall security posture.

Working Hours

40 hours/week

Company Size

1,001-5,000 employees

Language

English

Visa Sponsorship

No

About The Company
Power your finance, grow your business.

Razorpay is India’s first full-stack financial solutions company. We are on a mission to enhance the payment experience of over 300 million end consumers. And in doing so, we aim to enable Indian businesses - big and small - to accept payments digitally with minimal effort and maximum ease. Razorpay has grown from being a payment gateway provider to a solutions-driven organization boasting an extensive product suite to accept and disburse payments as well as raise capital and park money. In a nutshell, we fit into every nook and corner where your business touches money.

#OutgrowOrdinary

We identify ourselves as disruptors in the digital payments space and our vision is to power the financial ecosystem for other disruptors. Like attracts like, and Razorpay actively looks to partner with established companies and startups that have either broken the glass ceiling in their industry or are set to. The Razorpay Product Suite today comprises, along with Payment Gateway, verticals like Payment Links, Payment Pages, Subscriptions, Smart Collect, Route, Razorpay Capital, RazorpayX, Payroll and Thirdwatch.

Razorpay was started in 2014 by two IIT Roorkee alumni, Harshil Mathur and Shashank Kumar. Just a few short years later, Razorpay has evolved into an 800-odd strong organization with some of the best talents in the country helping some of the best companies manage their money movement seamlessly.

Certified cool

We are a bunch of spirited, ambitious and fun folks. And no, we’re not saying this ourselves--leading institutions have recognized Razorpay for the high-trust and high-performance culture that we maintain. Our strength lies in the people we are, and we go to great lengths to nurture a family of coders, designers, sellers, marketers, analysts, writers, runners, photographers, gamers, tinkerers, and above all, people who are dreamers and doers at the same time. Be a part of our exciting journey.
About the Role
Razorpay is one of India’s leading full-stack financial technology companies, powering the way businesses move, manage, and grow money. Founded in 2014 by Harshil Mathur and Shashank Kumar with a simple vision — to simplify payments for Indian businesses — we’ve since grown into a fintech powerhouse driving India’s digital payment revolution.

Razorpay powers millions of businesses with a smarter, scalable stack that goes beyond transactions to help them truly build and grow.

From seamless checkouts to payroll automation, across India, Singapore, and Malaysia, we’ve been engineering a fintech ecosystem that’s redefining how money moves across Asia — and we’re just getting started.

Today, that ecosystem supports everyone from early-stage startups to some of India’s largest enterprises, enabling them to accept, process, and disburse payments at scale while expanding into new ways of managing money more efficiently.

Our scale speaks volumes: Razorpay processes $180+ billion in annualized transactions, powering leading businesses like Airbnb, Facebook, WhatsApp, Airtel, CRED, BookmyShow, Zomato, Swiggy, Lenskart, Mirae Asset Capital markets, Indian Oil, National Pension Scheme — and over 100 of India’s unicorns. With strong roots in India and growing operations in Southeast Asia, we are shaping the next chapter of financial technology across the region.

We are backed by global investors including GIC, Peak XV Partners (formerly Sequoia Capital India & SEA), Tiger Global, Ribbit Capital, Matrix Partners, MasterCard, and Salesforce Ventures, having raised over $740 million to date. Strategic acquisitions — including Ezetap (POS and offline payments), Curlec (Malaysia expansion), BillMe (digital invoicing), and POP (rewards-first UPI) — along with earlier moves in fraud prevention, payroll, and lending, have further strengthened our platform and widened our footprint across Asia.

But what truly sets Razorpay apart is our culture. At Razorpay, ownership is our oxygen — you own what you build, with no micromanagement or red tape, just the runway to make your ideas fly. Learning is a lifestyle — if you’re curious, you’ll feel at home here. People > Pedigree — we hire for attitude, hustle, and hunger more than degrees. Transparency thrives over titles — this is where interns question CXOs and CXOs say “thank you.” Guided by our values of Customer First, Autonomy & Ownership, Agility with Integrity, Transparency, Challenging the status quo and a strong belief that Razorpay grows with Razors, you’ll be part of a 3000+ strong team building not just products, but the financial infrastructure of the future.

Title: Senior Product Security Engineer

The Role:
Razorpay is looking for a Senior Application Security Engineer with solid experience in AppSec fundamentals—secure code review, vulnerability discovery, API security, and practical pentesting skills. The ideal candidate should also be able to perform basic threat modeling for new features and understand the emerging risks from AI-driven attack patterns.

Roles/Responsibilities:

Application Security & Pentesting
- Perform application-level pentests across web, mobile, and backend services.
- Identify, validate, and help remediate vulnerabilities including OWASP Top 10, API Top 10, and logic flaws.
- Conduct security assessments for identity flows, API endpoints, micro-services, and internal tools.
- Review code (manual + assisted) to detect common AppSec issues.

Threat Modeling (Basic)
- Perform threat modeling for new features:
  - Identify data-flow risks
  - Spot common misconfigurations
  - Highlight authentication/authorization concerns
- Document potential abuse cases and propose simple, actionable mitigations.

AI / LLM Security (Introductory)
- Understand the basics of AI-driven attack vectors: prompt manipulation, data leakage, misuse of LLM-based features.
- Flag potential AppSec risks in AI-assisted workflows or model integrations.
- Support teams in implementing simple guardrails around AI/LLM usage.

Secure SDLC & Developer Productivity
- Integrate AppSec checks into CI/CD pipelines—SAST, SCA, secrets scanning, basic DAST.
- Support engineering teams with secure coding guidance and easy-to-consume AppSec patterns.
- Help create developer-friendly standards, checklists, and best practices.

Tooling & Automation
- Write small scripts or utilities (Python/JS/Go) for repetitive security checks.
- Contribute to improving internal AppSec automation and dashboards.

Requirements:
- A Bachelor's degree in Computer Science, Cybersecurity, or a related field.
- A minimum of 5-8 years of experience in application security.
- Hands-on experience with offensive security practices and product security vulnerability management.
- Practical pentesting experience with tools like Burp Suite, ZAP, Postman, and custom scripts.
- Basic working knowledge of threat modeling techniques (STRIDE-lite, DFD-based reasoning, or simple checklist-based models).
- Familiarity with AI/LLM security basics (prompt injection, data leakage paths, output validation).
- Programming/scripting experience (Python/JS/Go preferred).
- Experience with AppSec tools in CI/CD.

Location: Bangalore

Razorpay believes in and follows an equal employment opportunity policy that doesn't discriminate on gender, religion, sexual orientation, colour, nationality, age, etc. We welcome interests and applications from all groups and communities across the globe.

Follow us on LinkedIn (https://www.linkedin.com/company/razorpay/mycompany/) & Twitter (https://twitter.com/Razorpay)
Key Skills
Cloud Security, Cybersecurity, Kubernetes, AWS, IAM, Vulnerability Management, Scripting, Python, Bash, Offensive Security, Infrastructure as Code, Terraform, CloudFormation, Security Awareness, Problem Solving, Communication
Categories
Technology, Security & Safety