About the Role
<div class="content-intro"><p><strong>Who We Are:</strong></p>
<p>Alpaca is a US-headquartered self-clearing broker-dealer and brokerage infrastructure for stocks, ETFs, options, crypto, fixed income, 24/5 trading, and more. Our <a href="https://alpaca.markets/blog/alpaca-raises-150-million-at-a-1-15b-valuation-to-build-the-global-standard-for-brokerage-infrastructure/">recent Series D funding round</a> brought our total investment to over $320 million, fueling our ambitious vision.</p>
<p>Through its subsidiaries, Alpaca is a licensed financial services company, serving hundreds of financial institutions across 40 countries with our institutional-grade APIs. This includes broker-dealers, investment advisors, wealth managers, hedge funds, and crypto exchanges, totaling over 9 million brokerage accounts.</p>
<p>Our global team is a diverse group of experienced engineers, traders, and brokerage professionals who are working to achieve our mission of <strong>opening financial services to everyone on the planet</strong>. We're deeply committed to open-source contributions and fostering a vibrant community, continuously enhancing our award-winning, developer-friendly API and the robust infrastructure behind it.</p>
<p>Alpaca is proudly backed by top-tier global investors, including Portage Ventures, Spark Capital, Tribe Capital, Social Leverage, Horizons Ventures, Unbound, SBI Group, Derayah Financial, Elefund, and Y Combinator.</p>
<p> </p>
<p><strong>Our Team Members:</strong></p>
<p>We're a dynamic team of 230+ globally distributed members who thrive working from our favorite places around the world, with teammates spanning the USA, Canada, Japan, Hungary, Nigeria, Brazil, the UK, and beyond!<br><br>We're searching for passionate individuals eager to contribute to Alpaca's rapid growth. If you align with our core values—Stay Curious, Have Empathy, and Be Accountable—and are ready to make a significant impact, we encourage you to apply.</p></div><p><strong>Your Role:</strong></p>
<p>We are seeking a DevSecOps Engineer to own the intersection of security, reliability, and DevOps. This role will design and implement resiliency across our cloud platform and CI/CD pipelines, embed "security as code," help lead incident response for high-severity outages, and partner with engineering teams to enable safe, fast delivery at scale.</p>
<p>You will be hands-on and strategic: automating remediation, hardening deployments, owning observability, and driving measurable reductions in the impact of security- and infrastructure-related incidents. This role reports to the CISO, with a dotted line into Engineering, and works closely with DevOps, Product, and Engineering leadership.</p>
<p>The Security Team is 100% distributed and remote. </p>
<p> </p>
<p><strong>Things You Get To Do:</strong></p>
<p>The core responsibilities of the DevSecOps Engineer role are focused on embedding security throughout our infrastructure and software development lifecycle, enhancing cyber resilience, and driving a strong security culture.</p>
<p><strong>Security Engineering & Automation:</strong></p>
<ul>
<li><strong>Secure SDLC Integration:</strong> Embed security into CI/CD pipelines by implementing and owning secure controls, including Infrastructure as Code (IaC) scanning, Software Composition Analysis (SCA), secrets checks, policy-as-code, and deployment guardrails.</li>
<li><strong>Vulnerability Management:</strong> Lead the process of vulnerability and patch management, automating discovery, prioritization, and remediation across all cloud workloads and their dependencies.</li>
<li><strong>Platform Hardening:</strong> Strengthen cloud and Kubernetes environments through secure configurations, network segmentation, workload identity management, and automated compliance checks against industry standards (e.g., CSA STAR).</li>
<li><strong>Supply Chain Security:</strong> Advance the security of the software supply chain, focusing on generating Software Bill of Materials (SBOMs), artifact signing, dependency governance, and implementing integrity controls.</li>
<li><strong>Secure Patterns:</strong> Create secure "paved roads" for developers, providing hardened IaC modules, templates, tooling, and comprehensive documentation.</li>
</ul>
<p><strong>Resilience, Detection, and Response:</strong></p>
<ul>
<li><strong>Cyber Resilience:</strong> Own and validate cyber-resiliency standards (secure failover, secure backups, Disaster Recovery playbooks) through regular rehearsals to ensure both the availability and integrity of systems and data.</li>
<li><strong>Secure Deployment:</strong> Develop secure deployment patterns, such as canary rollouts, automated safe rollbacks, and guardrails, to minimize blast radius.</li>
<li><strong>Detection & Forensics:</strong> Improve detection and response capabilities by building high-signal alerts, enhancing forensic logging, and providing robust security telemetry. Partner with the SecOps team on incident handling.</li>
<li><strong>Offensive Security:</strong> Alongside the Security team, help manage offensive security engagements (penetration testing, red team, bug bounty) and ensure findings are fed directly into remediation pipelines and risk prioritization.</li>
</ul>
<p><strong>Architecture, Identity, and Governance:</strong></p>
<ul>
<li><strong>Design & Threat Modeling:</strong> Conduct security reviews and threat modeling for all new services and major architecture changes to ensure designs are secure by default.</li>
<li><strong>Identity & Access Management (IAM):</strong> Strengthen the identity and access model by enforcing the principle of least privilege, strong authentication, and secure secrets lifecycle management.</li>
<li><strong>Compliance & Audit:</strong> Support compliance and audit readiness by operationalizing security controls, producing the necessary evidence, and maintaining the health of those controls.</li>
</ul>
<p><strong>Leadership & Culture:</strong></p>
<ul>
<li><strong>Security Champion:</strong> Champion a strong security culture by partnering with DevOps and Engineering teams to uplift secure coding practices and guide risk-based decision-making.</li>
<li><strong>Metrics & Reporting:</strong> Define key security performance indicators (KPIs) such as time to detect, time to remediate, exposure scores, and percentage of infrastructure covered by automated controls, and report measurable improvements to leadership.</li>
</ul>
<p><strong>Who You Are (Must-Haves):</strong></p>
<ul>
<li>Excited about Alpaca’s mission and what we’re building</li>
<li>5+ years of experience across DevSecOps, security engineering, or cloud security in a modern cloud-native environment</li>
<li>Strong hands-on experience with cloud service providers (CSPs), Kubernetes, Terraform, and container security</li>
<li>Deep understanding of secure CI/CD, including IaC security, dependency/SCA, secrets scanning, and policy-as-code</li>
<li>Solid background in identity & access security</li>
<li>Experience automating vulnerability management and patching workflows across cloud and container ecosystems</li>
<li>Strong familiarity with detection engineering, logging/telemetry, and partnering in incident response</li>
<li>Proficient in a scripting/programming language (Python, Go, or similar) for automation and security tooling</li>
<li>Comfortable working cross-functionally with DevOps and Engineering teams, explaining risk in practical terms, and influencing secure design</li>
<li>Comfortable participating in on-call rotations</li>
</ul>
<p> </p>
<p><strong>Who You Might Be (Nice-to-Haves):</strong></p>
<ul>
<li>Experience securing financial, trading, or other highly regulated platforms</li>
<li>Knowledge of compliance and assurance frameworks common in fintech (SOC 2, ISO 27001, PCI DSS)</li>
<li>Experience with supply-chain security (SBOMs, Sigstore, artifact signing) or software integrity programs</li>
<li>Familiarity with offensive security, bug bounty triage, or penetration testing</li>
<li>Security or cloud certifications (CISSP, OSCP, GIAC, GCP/AWS Security)</li>
<li>Bachelor's degree in Computer Science, Information Security, or equivalent experience</li>
<li>Business acumen to balance tradeoffs among stakeholder needs, technical feasibility, and budget constraints</li>
</ul><div class="content-conclusion"><h3><strong>How We Take Care of You:</strong></h3>
<ul>
<li>Competitive Salary & Stock Options</li>
<li>Health Benefits</li>
<li>New Hire Home-Office Setup: One-time USD $500</li>
<li>Monthly Stipend: USD $150 per month via a Brex Card</li>
</ul>
<p><em>Alpaca is proud to be an equal opportunity workplace dedicated to pursuing and hiring a diverse workforce.</em></p>
<p><a href="https://files.alpaca.markets/disclosures/AlpacaRecruitmentPrivacyPolicy.pdf"><em>Recruitment Privacy Policy</em></a></p></div>