Branch

Senior Application Security Engineer

full-time

Location Type: Remote

Location: United States

Salary

$180,000 - $190,000 per year

About the role

  • Embed security into the SDLC by partnering with Engineering to implement secure design patterns, conduct threat modeling, and deliver developer-focused AppSec training
  • Lead and perform application security assessments including SAST, DAST, SCA, and manual code review across web, mobile, and API surfaces
  • Drive API security across internal and external services — including authentication, authorization, rate limiting, and abuse prevention controls
  • Own and mature the vulnerability management program, including prioritization frameworks, SLA tracking, and cross-functional remediation coordination
  • Champion software supply chain security initiatives, including SBOM generation, dependency risk analysis, and third-party component vetting
  • Assist GRC with technical third-party risk reviews and vendor security assessments
  • Respond to and lead security incidents in a measured, programmatic, and timely manner — from identification through post-incident review
  • Implement and iterate on security automation and orchestration to improve detection, response, and coverage at scale
  • Implement, monitor, and continuously improve security controls across cloud infrastructure, endpoints, and the product
  • Assess and mitigate AI-specific security risks across Branch's use of LLMs and AI-powered features, including prompt injection, model abuse, and insecure output handling

Requirements

  • 5–7 years of experience in a security engineering or application security role, ideally within a fintech or high-growth startup environment
  • Strong communication skills — able to translate technical risk clearly for both engineering audiences and senior leadership
  • Hands-on SAST/DAST experience; familiarity with tools such as Semgrep, Snyk, Checkmarx, Burp Suite Pro, or equivalents
  • Demonstrated ability to independently work security incidents end-to-end — including malware, phishing, DLP events, and API abuse
  • Experience securing cloud-native environments, including IAM, container/Kubernetes workloads, and serverless functions
  • Solid working knowledge of API security standards (OWASP API Top 10, OAuth 2.0/OIDC, JWT hardening)
  • Experience with mobile application security testing (iOS/Android) is a plus
  • Familiarity with security frameworks including SOC 2, PCI-DSS, NIST CSF, and OWASP SAMM
  • Scripting proficiency in Python and/or Bash for automation and tooling; experience with security orchestration platforms (e.g., Tines, XSOAR, Torq) is a plus
  • Strong ethics and discretion — this role regularly handles confidential and sensitive information
  • Familiarity with AI/LLM security risks and emerging standards (OWASP LLM Top 10, MITRE ATLAS) — including prompt injection, data leakage through model outputs, and supply chain risks introduced by third-party AI services
  • Security certifications a plus (OSCP, GWEB, CISSP, SANS GWAPT, etc.)

Benefits

  • Market-leading medical, dental, and vision insurance
  • Stock options
  • Free Premium-Tier Origin Financial Wellness subscription
  • Monthly home-office stipend
  • 401(k) (TransAmerica)
  • 12 weeks of paid parental leave for birthing and non-birthing parents
  • Flexible time off + sick and safe time
  • 11 paid company holidays

Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools

SAST, DAST, SCA, manual code review, API security, vulnerability management, security automation, cloud-native security, mobile application security testing, scripting in Python

Soft Skills

strong communication, independent work, strong ethics, discretion

Certifications

OSCP, GWEB, CISSP, SANS GWAPT