Senior Security Engineer

What is Loancrate?

We started Loancrate to make home-buying simpler and less expensive for lenders and borrowers (us!). Today, mortgage lenders are stuck running their companies on software products built 20 years ago. These products are slow, unstable, and don't lead to material improvements in efficiency. When using these systems, the average human cost to originate a loan is still over $11,000.

Loancrate builds AI-native tooling to automate mortgage workflows. Our ultimate goal is fully automated origination, which has the potential to save lenders over $16B in operating expense per year.

Since starting in 2020, our remote team has enabled our customers to power >$85 billion in new home loans. We are a group of people excited to tackle the complexity of the home-lending industry. We care about collaboration, very open communication covering the good & the bad so that we learn from our decisions quickly, and ultimately having fun while we're building. You'll fit in well if you like diving deep quickly!

The Opportunity

Our dreams are big and we have much to build! We're looking for a Senior Security Engineer who makes Loancrate more secure - without making it harder to build here. You'll build systems, guardrails, and tooling that catch issues early, make secure defaults easy, and help engineers move fast and sleep at night. We handle some of the most sensitive personal and financial data in the country, and we take that responsibility seriously - security is an enabler here, not a gatekeeper.

This is an IC role with broad scope - you'll work across application security, infrastructure security, compliance, and internal tooling. If you've been in fintech or another regulated industry and gotten frustrated watching security slow engineering down, this is your chance to do it differently. You'll write code, ship tooling, and improve our defaults - not just write policies.

What To Expect

As a Senior Security Engineer at Loancrate, you'll get into the codebase and infrastructure quickly. Within your first month, you'll be contributing to work such as...
* Conducting a comprehensive threat model of our application and infrastructure layers, identifying the highest-leverage gaps and building a pragmatic remediation roadmap.
Conducting a comprehensive threat model of our application and infrastructure layers, identifying the highest-leverage gaps and building a pragmatic remediation roadmap.
* Hardening our AWS infrastructure - IAM least-privilege, secrets management, network segmentation, CloudTrail audit coverage, and GuardDuty alerting - while keeping developer workflows frictionless.
Hardening our AWS infrastructure - IAM least-privilege, secrets management, network segmentation, CloudTrail audit coverage, and GuardDuty alerting - while keeping developer workflows frictionless.
* Integrating security tooling into our CI/CD pipeline: SAST, dependency scanning, container image scanning, and secret detection that catches issues before they ship.
Integrating security tooling into our CI/CD pipeline: SAST, dependency scanning, container image scanning, and secret detection that catches issues before they ship.
* Partnering with engineering on our SOC 2 Type II posture - working across evidence collection, control design, and vendor risk so that compliance is a byproduct of doing good security, not a separate workstream.
Partnering with engineering on our SOC 2 Type II posture - working across evidence collection, control design, and vendor risk so that compliance is a byproduct of doing good security, not a separate workstream.
* Building secure-by-default patterns and libraries (authn/authz helpers, input validation, secure logging/redaction) so teams don't have to reinvent security per service.
Building secure-by-default patterns and libraries (authn/authz helpers, input validation, secure logging/redaction) so teams don't have to reinvent security per service.

Core Responsibilities
* Lead and drive Loancrate's security posture across application security, cloud security, identity, and compliance - partnering closely with engineering and leadership.
Lead and drive Loancrate's security posture across application security, cloud security, identity, and compliance - partnering closely with engineering and leadership.
* Perform regular threat modeling, vulnerability assessments, and penetration testing - and work directly with engineering to remediate findings fast.
Perform regular threat modeling, vulnerability assessments, and penetration testing - and work directly with engineering to remediate findings fast.
* Build and maintain security tooling and automation: SAST/DAST, dependency scanning, container scanning, SBOM management, and secret detection integrated into CI/CD.
Build and maintain security tooling and automation: SAST/DAST, dependency scanning, container scanning, SBOM management, and secret detection integrated into CI/CD.
* Harden our AWS environment: IAM, VPC boundaries, secrets manageme