Senior Application Security Engineer

MoonPay

Senior Application Security Engineer at MoonPay focusing on security in a decentralized economy. Collaborating with teams to ensure safe practices in digital currency transactions and security measures.

Posted 6/16/2026 • full-time • New York City, New York, 🇺🇸 United States • Senior

Tech Stack

Tools & technologies
Cloud, Firewalls, GraphQL, JavaScript, SDLC, TypeScript, Web3

About the role

Key responsibilities & impact
  • Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process.
  • Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate.
  • Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation.
  • Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls.
  • Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance.
  • Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack.
  • Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization.
  • Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation.
  • Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements.

Requirements

What you’ll need
  • You have developed a breadth of experience across multiple security domains, including web and mobile application security, infrastructure and cloud security, and can connect these areas to drive a holistic security approach.
  • You have hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation.
  • You have the ability to read, understand, and review source code to identify security issues, ideally with a particular focus on JavaScript and TypeScript codebases.
  • You have a strong understanding of Threat Modelling principles and their practical application to the secure software development lifecycle (SDLC).
  • You have experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns.
  • You have experience embedding application security practices into CI/CD pipelines, enabling early detection of vulnerabilities and close collaboration with engineering teams throughout the development lifecycle.
  • You have collaborated closely with engineering teams to clearly communicate security findings, explain vulnerabilities, attack paths, and mitigations, and support the implementation of effective fixes for both technical and non-technical audiences.
  • You are self-motivated, proactive, and take strong ownership of your work, operating effectively in a remote environment while maintaining a collaborative, team-focused mindset.
Nice-to-have experience
  • You have experience in JavaScript and TypeScript, including the ability to read, understand, and reason about modern web application codebases.
  • You have experience working with Cloudflare, including its hosting and Web Application Firewall (WAF) capabilities, to help secure and operate internet-facing applications.
  • You have experience testing and securing GraphQL and REST APIs, including understanding common GraphQL/REST-specific attack vectors and security considerations.
  • You have experience or a strong interest in Web3 security testing, including assessing smart contracts, blockchain-based applications, or Web3 integrations.
  • You have an interest in agentic engineering, including emerging patterns in autonomous systems, tooling, or workflows, and their security implications.

Benefits

Comp & perks
  • Competitive salary package
  • Equity package: We believe financial freedom starts with our employees, so all employees have ownership at MoonPay
  • Pay for performance equity bonus: Those who drive outsized outcomes receive outsized rewards
  • Moonshot award: We honor exceptional impact - 10 employees twice a year, each earning a $250,000 equity grant.
  • Unlimited holidays: We give you the autonomy to choose when to work (and when to switch off)
  • Hybrid working schedule: Work fully remotely or your nearest Moonbase, the choice is yours
  • Private Healthcare benefits: To protect you and your loved ones
  • Enhanced parental leave: So you can spend more time with your loved ones without a second thought
  • Annual training budget: We support your training journey every step of the way
  • Home office setup allowance: Create the home office of your dreams
  • Remote working allowance: Those working fully remotely get a little extra for utilities
  • Monthly budget to spend on our products and zero fee crypto transactions: Cultivate your inner DEGEN
  • Employee referral programme: Great people know great people, refer them to receive 10K in USDC
  • Regular remote company offsites: Meet your colleagues regularly for high impact in person sessions and hackathons
  • Working in a disruptive and fast-growing company where excellence is rewarded

ATS Keywords

Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools
penetration testing, vulnerability assessments, threat modelling, source code review, JavaScript, TypeScript, application security, CI/CD pipelines, GraphQL, REST APIs
Soft Skills
communication, collaboration, self-motivated, proactive, ownership, team-focused, problem-solving, training, awareness, leadership