{"schemaVersion":"jobsearcher.job.v1","id":"2568f8df02a8e62db16dbf4d","url":"https://jobsearcher.com/jobs/2568f8df02a8e62db16dbf4d","canonicalUrl":"https://jobsearcher.com/jobs/2568f8df02a8e62db16dbf4d","title":"DevSecOps Engineer","description":"Who We Are: Alpaca is a US-headquartered self-clearing broker-dealer and brokerage infrastructure for stocks, ETFs, options, crypto, fixed income, 24/5 trading, and more. Our recent Series D funding round brought our total investment to over $320 million, fueling our ambitious vision.\r\nAmongst our subsidiaries, Alpaca is a licensed financial services company, serving hundreds of financial institutions across 40 countries with our institutional-grade APIs. This includes broker-dealers, investment advisors, wealth managers, hedge funds, and crypto exchanges, totalling over 9 million brokerage accounts.\r\nOur global team is a diverse group of experienced engineers, traders, and brokerage professionals who are working to achieve our mission of opening financial services to everyone on the planet . We\\'re deeply committed to open-source contributions and fostering a vibrant community, continuously enhancing our award-winning, developer-friendly API and the robust infrastructure behind it.\r\nAlpaca is proudly backed by top-tier global investors, including Portage Ventures, Spark Capital, Tribe Capital, Social Leverage, Horizons Ventures, Unbound, SBI Group, Derayah Financial, Elefund, and Y Combinator.\r\nYour Role: We are seeking a DevSecOps Engineer to own the intersection of security, reliability, and DevOps. This role will design and implement resiliency across our cloud platform and CI/CD pipelines, embed \"security as code,\" help lead incident response for high-severity outages, and partner with engineering teams to enable safe, fast delivery at scale.\r\nYou will be hands-on and strategic: automating remediation, hardening deployments, owning observability, and driving measurable reductions in security/infra related incident impact. This role reports to the CISO, with a dotted line into Engineering and works closely with DevOps, Product, and Engineering leadership.\r\nThe Security Team is 100% distributed and remote.\r\nThings You Get To Do: The core responsibilities of the DevSecOps Engineer role are focused on embedding security throughout our infrastructure and software development lifecycle, enhancing cyber resilience, and driving a strong security culture.\r\nSecurity Engineering & Automation: Secure SDLC Integration: Embed security into CI/CD pipelines by implementing and owning secure controls, including Infrastructure as Code (IaC) scanning, Software Composition Analysis (SCA), secrets checks, policy-as-code, and deployment guardrails.\r\nVulnerability Management: Lead the process of vulnerability and patch management, automating discovery, prioritization, and remediation across all cloud workloads and their dependencies.\r\nPlatform Hardening: Strengthen cloud and Kubernetes environments through secure configurations, network segmentation, workload identity management, and automated compliance against industry standards (e.g., CSA Star).\r\nSupply Chain Security: Advance the security of the software supply chain, focusing on generating Software Bill of Materials (SBOMs), artifact signing, dependency governance, and implementing integrity controls.\r\nSecure Patterns: Create secure \"paved roads\" for developers, providing hardened IaC modules, templates, tooling, and comprehensive documentation.\r\nResilience, Detection, and Response: Cyber Resilience: Own and validate cyber-resiliency standards (secure failover, secure backups, Disaster Recovery playbooks) through secure rehearsals to ensure both the availability and integrity of systems and data\r\nSecurity Deployment: Develop secure deployment patterns, such as canary rollouts, automated safe rollbacks, and guardrails to minimize blast radius\r\nDetection & Forensics: Improve detection and response capabilities by building high-signal alerts, enhancing forensic logging, and providing robust security telemetry. Partner with the SecOps team on incident handling\r\nOffensive Security: Alongside the Security team, help manage offensive security engagements (penetration testing, red team, bug bounty) and ensure findings are fed directly into remediation pipelines and risk prioritization\r\nArchitecture, Identity, and Governance: Design & Threat Modeling: Conduct security reviews and threat modeling for all new services and major architecture changes to ensure designs are secure-by-default\r\nIdentity & Access Management (IAM): Strengthen the identity and access model by enforcing the principle of least privilege, strong authentication, and secure secrets lifecycle management\r\nCompliance & Audit: Support compliance and audit readiness by operationalizing security controls, producing necessary evidence, and maintaining the health of these controls\r\nLeadership & Culture: Security Champion: Champion a strong security culture by partnering with DevOps and Engineering teams to uplift secure coding practices and guide risk-based decision-making\r\nMetrics & Reporting: Define key security performance indicators (KPIs) such as time to detect, time to remediate, exposure scores, and percentage of infrastructure covered by automated controls, and report measurable improvements to leadership\r\nWho You Are (Must-Haves): Excited about Alpaca's mission and what we're building\r\n5+ years of experience across DevSecOps, security engineering, or cloud security in a modern cloud-native environment\r\nStrong hands-on experience with CSPs, Kubernetes, Terraform, and container security\r\nDeep understanding of secure CI/CD, including IaC security, dependency/SCA, secrets scanning, and policy-as-code\r\nSolid background in identity & access security\r\nExperience automating vulnerability management and patching workflows across cloud and container ecosystems\r\nStrong familiarity with detection engineering, logging/telemetry, and partnering in incident response\r\nProficient in a scripting/programming language (Python, Go, or similar) for automation and security tooling\r\nComfortable working cross-functionally with DevOps and Engineering teams, explaining risk in practical terms, and influencing secure design\r\nComfortable participating in on-call rotations\r\nWho You Might Be (Nice-to-Haves): Experience securing financial, trading, or other highly regulated platforms\r\nKnowledge of regulatory frameworks common in fintech (SOC 2, ISO 27001, PCI)\r\nExperience with supply-chain security (SBOMs, Sigstore, artifact signing) or software integrity programs\r\nFamiliarity with offensive security, bug bounty triage, or penetration testing\r\nSecurity or cloud certifications (CISSP, OSCP, GIAC, GCP/AWS Security)\r\nBachelor\\'s degree in Computer Science, Information Security, or equivalent experience.\r\nBusiness acumen to be able to balance tradeoffs between stakeholders, technology feasibility and budget constraints\r\nHow We Take Care of You: Competitive Salary & Stock Options\r\nHealth Benefits\r\nNew Hire Home-Office Setup: One-time USD $500\r\nMonthly Stipend: USD $150 per month via a Brex Card\r\nAlpaca is proud to be an equal opportunity workplace dedicated to pursuing and hiring a diverse workforce.\r\nRecruitment Privacy Policy\r\nJ-18808-Ljbffr","company":"Diagram","rawCompany":"diagram","city":"Trenton","state":"NJ","isRemote":false,"isActive":false,"createdAt":"2026-04-09T09:02:06.453Z","occupations":[{"code":"15-1299.08","title":"Computer Systems Engineers/Architects","slug":"computer-systems-engineers-architects"},{"code":"15-1299.05","title":"Information Security Engineers","slug":"information-security-engineers"},{"code":"15-1252.00","title":"Software Developers","slug":"software-developers"}],"industries":[{"code":"541512","title":"Computer Systems Design Services","slug":"computer-systems-design-services"},{"code":"513210","title":"Software Publishers","slug":"software-publishers"},{"code":"541511","title":"Custom Computer Programming Services","slug":"custom-computer-programming-services"}],"jobPosting":{"@context":"https://schema.org","@type":"JobPosting","title":"DevSecOps Engineer","description":"Who We Are: Alpaca is a US-headquartered self-clearing broker-dealer and brokerage infrastructure for stocks, ETFs, options, crypto, fixed income, 24/5 trading, and more. Our recent Series D funding round brought our total investment to over $320 million, fueling our ambitious vision.\r\nAmongst our subsidiaries, Alpaca is a licensed financial services company, serving hundreds of financial institutions across 40 countries with our institutional-grade APIs. This includes broker-dealers, investment advisors, wealth managers, hedge funds, and crypto exchanges, totalling over 9 million brokerage accounts.\r\nOur global team is a diverse group of experienced engineers, traders, and brokerage professionals who are working to achieve our mission of opening financial services to everyone on the planet . We\\'re deeply committed to open-source contributions and fostering a vibrant community, continuously enhancing our award-winning, developer-friendly API and the robust infrastructure behind it.\r\nAlpaca is proudly backed by top-tier global investors, including Portage Ventures, Spark Capital, Tribe Capital, Social Leverage, Horizons Ventures, Unbound, SBI Group, Derayah Financial, Elefund, and Y Combinator.\r\nYour Role: We are seeking a DevSecOps Engineer to own the intersection of security, reliability, and DevOps. This role will design and implement resiliency across our cloud platform and CI/CD pipelines, embed \"security as code,\" help lead incident response for high-severity outages, and partner with engineering teams to enable safe, fast delivery at scale.\r\nYou will be hands-on and strategic: automating remediation, hardening deployments, owning observability, and driving measurable reductions in security/infra related incident impact. This role reports to the CISO, with a dotted line into Engineering and works closely with DevOps, Product, and Engineering leadership.\r\nThe Security Team is 100% distributed and remote.\r\nThings You Get To Do: The core responsibilities of the DevSecOps Engineer role are focused on embedding security throughout our infrastructure and software development lifecycle, enhancing cyber resilience, and driving a strong security culture.\r\nSecurity Engineering & Automation: Secure SDLC Integration: Embed security into CI/CD pipelines by implementing and owning secure controls, including Infrastructure as Code (IaC) scanning, Software Composition Analysis (SCA), secrets checks, policy-as-code, and deployment guardrails.\r\nVulnerability Management: Lead the process of vulnerability and patch management, automating discovery, prioritization, and remediation across all cloud workloads and their dependencies.\r\nPlatform Hardening: Strengthen cloud and Kubernetes environments through secure configurations, network segmentation, workload identity management, and automated compliance against industry standards (e.g., CSA Star).\r\nSupply Chain Security: Advance the security of the software supply chain, focusing on generating Software Bill of Materials (SBOMs), artifact signing, dependency governance, and implementing integrity controls.\r\nSecure Patterns: Create secure \"paved roads\" for developers, providing hardened IaC modules, templates, tooling, and comprehensive documentation.\r\nResilience, Detection, and Response: Cyber Resilience: Own and validate cyber-resiliency standards (secure failover, secure backups, Disaster Recovery playbooks) through secure rehearsals to ensure both the availability and integrity of systems and data\r\nSecurity Deployment: Develop secure deployment patterns, such as canary rollouts, automated safe rollbacks, and guardrails to minimize blast radius\r\nDetection & Forensics: Improve detection and response capabilities by building high-signal alerts, enhancing forensic logging, and providing robust security telemetry. Partner with the SecOps team on incident handling\r\nOffensive Security: Alongside the Security team, help manage offensive security engagements (penetration testing, red team, bug bounty) and ensure findings are fed directly into remediation pipelines and risk prioritization\r\nArchitecture, Identity, and Governance: Design & Threat Modeling: Conduct security reviews and threat modeling for all new services and major architecture changes to ensure designs are secure-by-default\r\nIdentity & Access Management (IAM): Strengthen the identity and access model by enforcing the principle of least privilege, strong authentication, and secure secrets lifecycle management\r\nCompliance & Audit: Support compliance and audit readiness by operationalizing security controls, producing necessary evidence, and maintaining the health of these controls\r\nLeadership & Culture: Security Champion: Champion a strong security culture by partnering with DevOps and Engineering teams to uplift secure coding practices and guide risk-based decision-making\r\nMetrics & Reporting: Define key security performance indicators (KPIs) such as time to detect, time to remediate, exposure scores, and percentage of infrastructure covered by automated controls, and report measurable improvements to leadership\r\nWho You Are (Must-Haves): Excited about Alpaca's mission and what we're building\r\n5+ years of experience across DevSecOps, security engineering, or cloud security in a modern cloud-native environment\r\nStrong hands-on experience with CSPs, Kubernetes, Terraform, and container security\r\nDeep understanding of secure CI/CD, including IaC security, dependency/SCA, secrets scanning, and policy-as-code\r\nSolid background in identity & access security\r\nExperience automating vulnerability management and patching workflows across cloud and container ecosystems\r\nStrong familiarity with detection engineering, logging/telemetry, and partnering in incident response\r\nProficient in a scripting/programming language (Python, Go, or similar) for automation and security tooling\r\nComfortable working cross-functionally with DevOps and Engineering teams, explaining risk in practical terms, and influencing secure design\r\nComfortable participating in on-call rotations\r\nWho You Might Be (Nice-to-Haves): Experience securing financial, trading, or other highly regulated platforms\r\nKnowledge of regulatory frameworks common in fintech (SOC 2, ISO 27001, PCI)\r\nExperience with supply-chain security (SBOMs, Sigstore, artifact signing) or software integrity programs\r\nFamiliarity with offensive security, bug bounty triage, or penetration testing\r\nSecurity or cloud certifications (CISSP, OSCP, GIAC, GCP/AWS Security)\r\nBachelor\\'s degree in Computer Science, Information Security, or equivalent experience.\r\nBusiness acumen to be able to balance tradeoffs between stakeholders, technology feasibility and budget constraints\r\nHow We Take Care of You: Competitive Salary & Stock Options\r\nHealth Benefits\r\nNew Hire Home-Office Setup: One-time USD $500\r\nMonthly Stipend: USD $150 per month via a Brex Card\r\nAlpaca is proud to be an equal opportunity workplace dedicated to pursuing and hiring a diverse workforce.\r\nRecruitment Privacy Policy\r\nJ-18808-Ljbffr","datePosted":"2026-04-09T09:02:06.453Z","dateModified":"2026-04-09T09:02:06.453Z","hiringOrganization":{"@type":"Organization","name":"Diagram","sameAs":"https://jobsearcher.com"},"jobLocation":{"@type":"Place","address":{"@type":"PostalAddress","addressLocality":"Trenton","addressRegion":"NJ","addressCountry":"US"}},"identifier":{"@type":"PropertyValue","name":"JobSearcher","value":"2568f8df02a8e62db16dbf4d"},"url":"https://jobsearcher.com/jobs/2568f8df02a8e62db16dbf4d"}}