Security Engineer

About the role

We are seeking a hands-on Security Engineer who thrives in a startup environment.

You'll work alongside product owners and engineers with the objective to secure the products in Startale's ecosystem. Products include a next-generation decentralized exchange with a fully on-chain order book (Strium), a user-facing application (StartaleApp) and a stablecoin (USDSC). This is a hands-on, technical role with a blue team focus. You'll be the person who actively tests our systems, hunts for vulnerabilities, models threats against our products, and works with engineers to close the gaps — not the person who writes policies and generates reports. You'll report to the Security Lead and collaborate daily with Backend, Frontend, DevOps, and Blockchain engineering teams.

Why this role

• Startale's products handle user funds and on-chain transactions so security work has tangible impact.
• Owning the security posture of a project at scale and complexity such as Strium is an opportunity for professional growth.
• You will have direct influence over how product security is built across the organization.
• Focus is on driving product security and not on maintaining compliance documentation.
• Our team is backed by and partnering with leading Japanese enterprises so you will have a chance to work in a stable and well-funded company but with the autonomy and speed of a small team.

 

 

Key responsibilities

• Security Assessments & Penetration Testing: Conduct hands-on security testing of our applications, APIs, and infrastructure. Simulate real attack scenarios against our products. Find the vulnerabilities before external attackers or whitehat researchers do. Work with engineers to fix issues pragmatically.
• Threat Modeling: Build threat models for new services and features — especially Strium's trading engine, order book, and transaction flows. Identify attack surfaces, model adversary behavior, and define what needs to be hardened before launch.
• Vulnerability Triage & Remediation: Own the end-to-end lifecycle of findings — from discovery through severity assessment, developer-facing write-ups, remediation guidance, and verification of fixes. Coordinate with engineers so issues actually get closed.
• Vulnerability Disclosure & Bug Bounty: Manage incoming whitehat reports, validate findings by reproducing them, assess severity, communicate with researchers.
• AI Tools Security Support: Assess technical risks of new AI tools adopted by engineering (data exfiltration, prompt injection, training-on-input), maintain security baselines for AI coding tools and review AI-powered internal tools.

 

Qualifications

Must-have

• 5+ years of hands-on experience with a focus on application security, penetration testing, or product security.
• Demonstrated ability to find vulnerabilities — through manual testing, architecture and/or code review, or creative attack simulation. You should be able to describe specific bugs you've found and how you found them.
• Practical experience with exchange or trading platform security — from a DEX (preferred) or DeFi protocol. You should understand order book mechanics, transaction flows, wallet security, and the threat landscape specific to trading infrastructure.
• Scripting and automation ability — you write tools and automate to scale security across the stack, not just audit and write reports.
• Experience triaging vulnerabilities and writing clear, actionable remediation guidance for developers.
• Strong written communication in English — you'll write tickets, assessment reports and researcher responses.

Strong plus

• Experience with cloud infrastructure security — least-privilege enforcement, network security, secrets management.
• Experience with container security — network policies, RBAC, pod security standards, image scanning, Dockerfile hardening, base image management.
• Ability to read and review code in at least one of: TypeScript/JavaScript, Solidity, Rust.
<