Startale

Product Security Engineer

Japan, Remote, mid
Security, Security Engineer, Product Security Engineer, Cybersecurity


About the Role


We are seeking a hands-on Security Engineer who thrives in a startup environment.

You'll work alongside product owners and engineers with the objective of securing the products in Startale's ecosystem. Products include a next-generation decentralized exchange with a fully on-chain order book (Strium), a user-facing application (StartaleApp) and a stablecoin (USDSC). This is a hands-on, technical role. You'll be the person who actively tests our systems, hunts for vulnerabilities, models threats against our products, and works with engineers to close the gaps — not the person who writes policies and generates reports. You'll report to the Security Lead and collaborate daily with Backend, Frontend, DevOps, and Blockchain engineering teams.

  • Startale's products handle user funds and on-chain transactions, so security work has tangible impact.
  • Owning the security posture of a project of Strium's scale and complexity is an opportunity for professional growth.
  • You will have direct influence over how product security is built across the organization.
  • The focus is on driving product security, not on maintaining compliance documentation.
  • Our team is backed by and partnering with leading Japanese enterprises, so you will have the chance to work in a stable, well-funded company with the autonomy and speed of a small team.

 

 

Responsibilities

  • Security Assessments & Penetration Testing: Conduct hands-on security testing of our applications, APIs, and infrastructure. Simulate real attack scenarios against our products. Find the vulnerabilities before external attackers or whitehat researchers do. Work with engineers to fix issues pragmatically.
  • Threat Modeling: Build threat models for new services and features — especially Strium's trading engine, order book, and transaction flows. Identify attack surfaces, model adversary behavior, and define what needs to be hardened before launch.
  • Vulnerability Triage & Remediation: Own the end-to-end lifecycle of findings — from discovery through severity assessment, developer-facing write-ups, remediation guidance, and verification of fixes. Coordinate with engineers so issues actually get closed.
  • Vulnerability Disclosure & Bug Bounty: Manage incoming whitehat reports, validate findings by reproducing them, assess severity, communicate with researchers.
  • AI Tools Security Support: Assess technical risks related to AI tools used within teams (such as data exfiltration, prompt injection, training-on-input), maintain security baselines for AI coding tools and review AI-powered internal tools.

Requirements

  • 5+ years of hands-on experience with a focus on application security, penetration testing, or product security.
  • Demonstrated ability to find vulnerabilities — through manual testing, architecture and/or code review, or creative attack simulation. You should be able to describe specific bugs you've found and how you found them.
  • Practical experience with exchange or trading platform security — from a DEX (preferred) or DeFi protocol. You should understand order book mechanics, transaction flows, wallet security, and the threat landscape specific to trading infrastructure.
  • Scripting and automation ability — you write tools and automate to scale security across the stack, not just audit and write reports.
  • Experience triaging vulnerabilities and writing clear, actionable remediation guidance for developers.
  • Strong written communication in English — you'll write tickets, assessment reports and researcher responses.

Nice to Have

  • Experience with cloud infrastructure security — least-privilege enforcement, network security, secrets management.
  • Experience with container security — network policies, RBAC, pod security standards, image scanning, Dockerfile hardening, base image management.
  • Ability to read and review code in at least one of: TypeScript/JavaScript, Solidity, Rust.
  • Understanding of software supply chain security, including dependency risks, build integrity, and methods for tracking what components are included in shipped software.
  • Experience managing or participating in a bug bounty program (e.g. Immunefi, HackerOne).

  • Experience securing AI/LLM tooling in engineering teams — prompt injection risks, data leakage prevention, tool configuration hardening.
  • Japanese language ability (not required, but useful for company context).

 

  • Strong preference for Tokyo-based or Singapore-based candidates (Startale office locations).
  • Remote-friendly for exceptional candidates — must have 3+ hours overlap with Tokyo business hours (JST, UTC+9).
  • As soon as available; realistic target start of Q3 2026.

Decentralized exchanges, DeFi protocols, blockchain security firms, L1/L2 chain security teams, or fintech companies with trading infrastructure. We're also open to strong AppSec engineers from cloud-native startups who have genuine interest in web3.

You're a hands-on security engineer who finds real vulnerabilities, not just runs scanners. You've secured a trading platform or exchange and understand the threats specific to financial infrastructure — order book manipulation, transaction signing, wallet compromise, front-running. You can take a system, map the attack surface, and come back with findings that matter. You write clear reports that engineers act on, and you know the difference between a theoretical risk and a real one. You're comfortable working independently in a fast-moving team where there's no playbook — you write the playbook.

Location & Eligibility

Where is the job: Japan (remote within one country)
Who can apply: JP
Listed under: Japan

Listing Details

First seen: April 13, 2026
Last seen: April 29, 2026

Startale (via greenhouse)
Employees: 125
Founded: 2019