Offensive Security Engineer Remote Jobs (NOW HIRING)

About Upstart
At Upstart, we're united by a mission that matters: to radically reduce the cost and complexity of borrowing for all Americans. Every day, we bring creativity, experimentation, and advanced AI to reshape access to credit, helping millions move forward financially with clarity and confidence.
As the leading AI lending marketplace, we partner with banks and credit unions to expand access to affordable credit through technology that's both radically intelligent and deeply human. Our platform runs over one million predictions per borrower using more than 1,800 signals, powering smarter, fairer decisions for millions of customers. But the numbers only hint at the impact. Every idea, every voice, and every contribution moves us closer to a world where credit never stands between people and their financial progress.
We're proudly digital-first, giving most Upstarters the flexibility to do their best work from wherever they thrive, alongside teammates across 80+ cities in the US and Canada. Digital-first doesn't mean distant. We're intentional about in-person connection through team onsites, planning sessions, and moments that spark creativity and trust. And whether you choose to work primarily from home or collaborate in-person from one of our offices in Columbus, Austin, the Bay Area, or New York City (opening Summer 2026), you'll have the support to work in the way that works best for you.
If you're energized by tackling meaningful problems, excited to innovate with purpose, and motivated by work that truly matters, we'd love to hear from you.
The Team:
Upstart's Security Engineering team is passionate about bringing progressive approaches to securing our products, infrastructure, platforms, and enterprise systems. We believe security should empower innovation, move at the speed of business, and embed safety by design into how Upstart builds and operates. Our team's mission is to protect Upstart's core product platforms, cloud infrastructure, enterprise systems, customers, and data by partnering deeply with Engineering, Product, Infrastructure, Risk, Compliance, and Security teams to reduce security risk through automation, collaboration, offensive security, and durable security practices.
As the Senior Security Manager for Product Security Engineering at Upstart, you will lead a team responsible for scaling security engineering practices across application security, infrastructure security, offensive security, and product security. You will set priorities, develop team members, and partner with senior engineering and business leaders to shape Upstart's security engineering strategy, strengthen secure-by-design practices, reduce systemic risk, and improve the security posture of customer-facing products, cloud-native services, internal platforms, APIs, and AI-driven product workflows.
How you'll make an impact

• Define and lead the Security Engineering roadmap across application security, infrastructure security, offensive security, and product security, aligning priorities with Upstart's business objectives, engineering strategy, regulatory expectations, and risk posture.
• Manage, coach, and develop a team of security engineers, ensuring clear goals, measurable impact, sustainable execution, effective operating rhythms, and growth opportunities for each team member.
• Partner with Engineering, Product, Infrastructure, Data, Risk, Compliance, and Audit leaders to identify high-priority security risks, align on pragmatic mitigations, and embed security requirements early in planning, design, development, and operations.
• Scale secure-by-design practices across the SDLC, including threat modeling, security architecture reviews, secure coding practices, automated security testing, vulnerability management, API security, CI/CD protections, secrets management, and developer security enablement.
• Strengthen infrastructure and cloud security by partnering with Infrastructure and Platform teams on secure architecture, identity and access controls, Kubernetes and container security, cloud-native security controls, and defense-in-depth across application and infrastructure layers.
• Build and mature offensive security capabilities, including attack surface management, adversarial testing, security validation, penetration testing coordination, bug bounty intake, and prioritization of findings into durable engineering improvements.
• Improve product security outcomes by partnering with Product and Engineering teams to identify abuse cases, security requirements, customer-impacting risks, and scalable controls for high-trust product experiences.
• Drive consistent execution across cross-functional initiatives by setting priorities, clarifying ownership, communicating tradeoffs, and ensuring high-impact security work is delivered with quality and urgency.
• Establish and improve Security Engineering metrics, operating models, and reporting so leaders can understand risk posture, remediation progress, recurring patterns, program health, and the effectiveness of security investments.
• Support response to high-severity security issues by coordinating technical investigation, stakeholder communication, root cause analysis, remediation tracking, and durable improvements that prevent repeat issues.
• Foster a culture where security enables innovation by building trusted partnerships, mentoring engineering leaders, and helping teams adopt practical controls that improve safety without unnecessary friction.

What we're looking for:

• Minimum requirements:
  • 8+ years of experience in security engineering, software engineering, infrastructure engineering, offensive security, product security, or related technical security roles.
  • 3+ years of experience managing, leading, or formally developing security engineers or technical teams.
  • Experience leading security engineering programs in at least two of the following domains: application security, infrastructure security, offensive security, product security, cloud security, or secure SDLC.
  • Experience partnering with Engineering, Product, Infrastructure, Risk, Compliance, or Audit stakeholders to deliver cross-functional security initiatives.
  • Experience with modern application and infrastructure architectures, including APIs, web applications, cloud-native services, CI/CD pipelines, identity and access controls, and common vulnerability classes.
  • Experience defining roadmaps, priorities, metrics, and operating processes for security programs with cross-functional dependencies.
• Preferred qualifications:
  • Experience building or scaling a security engineering function, including team operating models, roadmap planning, prioritization frameworks, metrics, and executive-level reporting.
  • Experience managing security work in a regulated environment, financial technology company, or organization with high security, privacy, or compliance requirements.
  • Knowledge of AWS, Kubernetes, containers, CI/CD security, infrastructure-as-code security, identity and access management, vulnerability management, API security, and modern application security testing practices.
  • Experience implementing or scaling security tooling such as SAST, DAST, SCA, IaC scanning, secrets detection, attack surface management, bug bounty intake, penetration testing workflows, vulnerability management platforms, or developer security guardrails.
  • Familiarity with security considerations for AI/ML systems, data-intensive applications, lending or financial technology platforms, or other high-trust customer-facing products.
  • Ability to communicate technical risk, tradeoffs, and recommendations clearly to technical, non-technical, and senior leadership audiences.
  • Experience partnering with Engineering, Product, Infrastructure, Legal, Risk, Compliance, and Audit teams to deliver security outcomes without creating unnecessary friction.
  • Security certifications such as CISSP, CSSLP, CCSP, AWS Security Specialty, GIAC, OSCP, or equivalent practical expertise.

Position location This role is available in the following locations: Remote - US
Time zone requirements The team operates on the East/West coast time zones.
Travel requirements As a digital first company, the majority of your work can be accomplished remotely. The majority of our employees can live and work anywhere in the U.S but are encouraged to to still spend high quality time in-person collaborating via regular onsites. The in-person sessions' cadence varies depending on the team and role; most teams meet once or twice per quarter for 2-4 consecutive days at a time.
#LI-REMOTE
#LI-MidSenior
At Upstart, your base pay is one part of your total compensation package. The anticipated base salary for this position is expected to be within the below range. Your actual base pay will depend on your geographic location-with our "digital first" philosophy, Upstart uses compensation regions that vary depending on location. Individual pay is also determined by job-related skills, experience, and relevant education or training. Your recruiter can share more about the specific salary range for your preferred location during the hiring process.
In addition, Upstart provides employees with target bonuses, equity compensation, and generous benefits packages (including medical, dental, vision, and 401k).
United States | Remote - Anticipated Base Salary Range
$190,600-$263,900 USD
What you'll love
At Upstart, our benefits are designed to support your health, financial well-being, family, and personal growth. Here's what you can expect:

• Competitive compensation, including base pay, bonus opportunities, and annual equity grants that vest quarterly
• Retirement benefits to help you plan for the future, including a 401(k) or Group Retirement Savings Plan with a company match of $2 for every $1 contributed, up to $15,000 annually (USD in the US, CAD in Canada)
• Employee Stock Purchase Plan (ESPP) with discounted stock purchase options for eligible employees (US only)
• Comprehensive health coverage designed to support you and your family, including medical, dental, vision, and wellness resources for US and supplemental health coverage for Canada.
• Health Savings Account contributions from Upstart for eligible plans (US only)
• Income protection benefits, including life insurance and disability coverage for added financial security
• Paid time off, sick leave, and company holidays, in line with local requirements
• Paid family and parental leave to support caregiving and major life moments (duration varies by country)
• Family-centered benefits to support fertility, parenthood, and caregiving needs
• Employee Assistance Program (EAP) offering mental health support and life-centered resources
• Financial wellness resources, including access to financial planning tools and a financial concierge service (US Only)
• Annual wellness allowance to support your physical and emotional well-being and personal development, based on what matters most to you
• Annual productivity allowance to invest in relevant tools and resources you need to do your best work, no matter where you work from
• Connection and community through team events, all-company updates, and employee resource groups (ERGs)
• Onsite perks, including catered lunches and fully stocked micro-kitchens when working from one of our offices in the Bay Area, Austin, Columbus, and New York City (opening Summer 2026!)

For roles based in Canada, please note that we are not currently able to hire in Quebec.
Upstart is a proud Equal Opportunity Employer. Just as we are dedicated to improving access to affordable credit for all, we are committed to inclusive and fair hiring practices.
If you require reasonable accommodation in completing an application, interviewing, completing any pre-employment testing, or otherwise participating in the employee selection process, please email candidate_accommodations@upstart.com
https://www.upstart.com/candidate_privacy_policy