Product Security Engineer
TLDR
Build and ship AI-first security tooling across microservices and mobile apps, guiding threat modeling and secure design from design through production.
Lead threat modeling and secure design reviews for new products, features, and architectural changes, identifying and prioritizing risks, attack surfaces, and trust boundaries early in the SDLC.
Conduct secure code reviews and vulnerability analysis across our microservices, APIs, web, and mobile surfaces. Partner with engineers to drive remediation and uplift secure coding practices.
Build and evolve AI-powered agentic security tooling. Treat AI as a first-class capability, not a bolt-on.
Run and improve ShopBack's vulnerability management program, prioritizing findings using EPSS, CISA KEV, and business context, and driving time-to-remediation through automation and partnership with engineering teams.
Support incident response for product security incidents including blast radius analysis, root cause analysis, variant hunting, and post-incident hardening.
Partner with compliance on evidence and controls for multiple audits bridging engineering reality with audit requirements.
Core experience
3 to 4 years of hands-on product or application security experience — including securing cloud-native, microservices, and mobile applications in production environments.
Strong threat modeling skills — practiced with STRIDE, attack trees, or equivalent frameworks. You can walk a team through a design, surface the real risks, and produce actionable mitigations, not theoretical lists.
Design review depth — able to read an architecture diagram or PRD and identify weak authentication, authorization gaps, data exposure risks, insecure integrations, and systemic issues. Comfortable pushing back with a clear, pragmatic security rationale.
Vulnerability analysis and secure code review — proficient reviewing code (Node.js/TypeScript, Python, Go, or similar) for OWASP Top 10, business logic flaws, authz issues, and supply chain risks. You understand the difference between a CVE and an exploitable vulnerability in context.
Programming proficiency — at least one of Python, TypeScript/Node.js, or Go. You write tooling, not just tickets.
AI and forward-looking capability
Genuine fluency with modern AI tooling — you use LLMs, coding agents, and MCP-based tooling in your day-to-day security work, and can speak to concrete examples of leverage you've created with them.
Understanding of AI/ML security risks — prompt injection, data exfiltration via agents, insecure tool use, model supply chain, and related attack classes. You don't need to be a researcher, but you should be current.
Builder mindset for AI-first security — excited by the idea of architecting security workflows with AI as a first-class capability rather than layering AI on top of existing processes only.
Learning to Execution Mentality — With the evolving space of AI, you must keep up with the next-gen technology being released, cutting the noise and clutter, and applying those insights into tooling and processes.
Ways of working
Pragmatic and high-signal — you focus on high-severity, high-impact findings and are allergic to low-severity noise. You know when to push, when to accept a risk, and when to automate a decision.
Strong written communication — you can reduce a complex finding to a crisp risk statement, a clear recommendation, and a realistic remediation path for a busy engineering team.
Collaborative by default — you drive outcomes through partnership with engineering, not gatekeeping. You're comfortable being the only security voice in a roomful of engineers and earning influence through substance.
Comfortable with ambiguity and ownership — our security team is lean; the role has broad scope and the autonomy that comes with that.
ShopBacker Traits
- Agency - We take ownership and act, rather than waiting for permission. When something's blocking progress, we find a way through it and follow through until it's done.
- Judgement - We aim for high-impact decisions, not just easy wins, and we put the bigger picture ahead of individual interests. That means moving quickly and confidently, while staying thoughtful about when a call really matters.
- Learning Velocity - We pick up new skills fast and let go of old habits just as quickly when something better comes along. We benchmark ourselves against the best and keep raising our own bar.
- Tenacity - We stay in it when things get hard, keeping a level head under pressure. We debate openly before deciding, then commit fully — and support each other along the way.
What's in it for ShopBackers
- Career growth opportunities to take on greater challenges that help you realise your ambitions.
- Be part of a winning team on a journey to global scale.
- Competitive compensation based on performance.
- Candid, open, and collaborative culture where feedback is valued.
Benefits
Education Stipend
Career growth opportunities to take on greater challenges that help you realise your ambitions.
Equity Compensation
Competitive compensation based on performance.
Culture and feedback
Candid, open, and collaborative culture where feedback is valued.
Remote-Friendly
Be part of a winning team on a journey to global scale.
ShopBack operates a leading cashback platform that transforms the relationship between brands and consumers. Serving over 50 million users in 13 markets, it partners with more than 20,000 merchants to provide a seamless shopping experience through cashback, discounts, and PayLater services.
- Founded
- Founded 2014
- Employees
- 500+ employees
- Industry
- IT Services