Application Security Engineer

About Paxos

Today’s financial infrastructure is archaic, expensive, inefficient and risky — supporting a system that leaves out more people than it lets in. So we’re rebuilding it.

We’re on a mission to open the world’s financial system to everyone by enabling the instant movement of any asset, any time, in a trustworthy way. For over a decade, we’ve built blockchain infrastructure that tokenizes, custodies, trades and settles assets for the world’s leading financial institutions, like Mastercard, Visa, Robinhood, and PayPal.

About the team

The Security team is a specialized, deeply technical, and vigilant group tasked with protecting our digital assets, customer funds, and sensitive data against a sophisticated threat landscape. The team has many pillars, such as Application and Blockchain Security, Cloud Security, Security Operations, GRC, and IT.

About the role

As an Application Security Engineer, you will be a key guardian of our financial and blockchain ecosystem, ensuring that the code we ship and run is secure by design. You will act as a "Breaker" by identifying complex vulnerabilities and a "Builder" by engineering automated solutions that empower our developers to move fast without compromising security. This role sits at the unique intersection of traditional Fintech and emerging Web3 technologies.

What you’ll do

• Perform deep-dive security reviews of web applications, APIs, and cloud infrastructure.

• Develop security-focused tools and libraries in Go, Java, or Ruby to assist developers in writing secure code.

• Support our blockchain initiatives by identifying risks in L1/L2 integrations and smart contract interactions.

• Manage and tune Web Application Firewalls (WAF) and cloud-native security controls.

• Contribute to the security culture through developer training and participating in incident response when necessary.

• Build and maintain the tooling that integrates security into our development lifecycle, moving from manual reviews to automated, scalable guardrails.

• Partner with engineering teams during the design phase of new features (Threat Modeling) to identify risks before a single line of code is written.

• Manage the end-to-end lifecycle of vulnerabilities, from discovery via internal audits or Bug Bounties to collaborating with engineers on "gold-standard" remediations.

About you

• The Breaker/Builder Hybrid: Proven ability to perform deep-dive manual security testing while also securing production-quality code.

• Modern Web2 Stack: Expert-level knowledge of OWASP Top 10, CWE, and API security vulnerabilities (Go, Java, or Ruby preferred).

• Automation First: Experience building and scaling security checks directly into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins).

• Cloud Fundamentals: Working knowledge of AWS/GCP security configurations, particularly IAM, VPCs, and WAF management.

Disclaimer: The first week of employment will be conducted in person at our New York City headquarters. By applying to this role, you acknowledge and agree that you will be able to travel to and work from our New York City office for onboarding during this period.

Important Notice for Paxos Applicants

We’ve become aware of fraudulent accounts posting as Paxos recruiters on LinkedIn and other platforms. These scammers attempt to deceive applicants into paying for job opportunities or providing personal financial information.

To verify a legitimate Paxos recruiter:

• We only use @paxos.com email addresses

• We never ask for payment or financial details to apply, interview, or work here

• For technical roles, we do not perform a coding interview without prior screening by our engineering team

Thanks for your interest in Paxos!