Senior Security Engineer

Overview

GRVT (pronounced “gravity”) is the world’s first licensed onchain exchange, where traditional banking meets decentralized innovation on one regulated, compliant, and trustless financial marketplace. A blockchain-based platform that is democratizing how wealth is created and shared, GRVT allows everyday people to trade, invest, and grow their wealth by providing direct access to top industry traders and investors.

Key Stats

• Team size: 50+ and growing
• Strategic round funding: $5 million (single equity round led by Further Ventures)
• Seed round funding: $9.5 million led by multiple investors including QCP, Delphi Digital, Selini, Matter Labs, Pulsar, Ampersan, CMS and more
• Users: 40,000+ KYCed users, unprecedented for DEXs
• 50+ institutional clients onboarded
• $1.2 billion monthly trading volume and growing, since launch

At GRVT, security is a cornerstone of our platform and products. This role is a blend of engineering and security. You will be part of a dynamic team, identifying risks throughout the organisational landscape and working with each engineering vertical to manage novel risks encountered in a hybrid exchange like GRVT. You will have the opportunity to shape, build, and innovate security solutions within a rapidly evolving industry, gaining exposure to both CeFi and DeFi.

• You will join the GRVT Site Reliability Engineering (SRE) team, operating across three tightly integrated verticals:
• DevSecOps (cloud infrastructure, incident response, platform stability)
• Test Engineering (end-to-end testing, regression pipelines, feature assurance)
• Security Engineering (penetration testing, security advisory, security governance)

The organization has the mandate of ensuring the end-to-end reliability of the GRVT platform, protecting our product's reliability, correctness, and security. This role is positioned within the Security vertical but works cross-functionally with the entire organization.

• Lead technical assurance activities across projects, including penetration testing, purple teaming, threat modeling, and architecture reviews—ensuring both new and existing systems maintain a high security baseline.
• Serve as the primary security expert within the SRE team, collaborating with Ops and QA Engineers and Wider Teams to design practical, high-impact controls that enhance platform security without compromising delivery velocity.
• Build automation and internal tooling for security visibility, posture monitoring, and enforcement (e.g., secret scanning, anomaly detection, automated test harnesses).
• Monitor, triage, and lead response efforts for security incidents, coordinating across SRE and wider engineering teams.
• Establish and maintain security policies and controls aligned with engineering best practices and regulatory obligations.
• Educate and empower developers and engineers with actionable guidance, secure coding practices, and feedback cycles—reducing vulnerabilities during development.

• Strong Information Security (InfoSec) background (5 years+), with proven experience in application security across both traditional web stacks and blockchain-based systems.
• Expert knowledge of web application security, including deep familiarity with the OWASP Top 10, to defend GRVT’s off-chain services against common web-based threats.
• Python proficiency — experience building security engineering tools such as automated API security testers, custom static analyzers, or CI/CD-integrated scanners for secrets, misconfigurations, and insecure patterns.
• Proficiency in security testing tools, such as SAST (e.g., SonarQube, Checkmarx, GoSec) and DAST (e.g., OWASP ZAP, Burp Suite).
• Demonstrated ability to quickly understand and analyze unfamiliar codebases, enabling effective secure code review across diverse systems—including web services, infrastructure components, and smart contracts.
• Experience conducting threat modelling exercises or strong grasp of threat modeling methodologies.
• Smart contract auditing experience, with familiarity in identifying common vulnerabilities in decentralized applications and blockchain systems.
• Bug bounty programs experience, either as a seasoned researcher or by managing an organization’s program.
• Experience with cloud infrastructure (e.g., AWS, GCP), understanding of container security and DevSecOps principles, with practical experience integrating security into CI/CD pipelines.

• Familiarity with IT security frameworks such as SOC 2 and ISO 27001, and how to align technical controls to compliance objectives.
• Holds or actively pursues professional certifications such as OSCP, OSWE, CISSP, CDP, or CTMP.