Lead Security Engineer

At Pylon, we're a small team building a very ambitious product in the mortgage space.

We're in search of people who find difficult problems invigorating and who fit well into a high-performing team built on mutual respect and reliance. If you like pushing yourself to learn a massive amount while shipping code that has a huge impact on the end product, Pylon Engineering could be a great place for you.

About the Job

The Role

You'll be our first dedicated security engineer, taking ownership of security across our mortgage infrastructure platform. As a regulated financial institution handling sensitive borrower data, security is foundational to everything we build.

This means :

• Hands-on security engineering : You'll write code. Lots of it. This isn't a policy or compliance role. You'll build security infrastructure, implement controls, and integrate security into our development workflow.
• Technical leadership : You'll work directly with the CTO and engineering team to make security decisions that affect our architecture. You need to argue convincingly for security priorities while understanding the trade-offs.
• End-to-end ownership : From application security to infrastructure hardening to incident response. You'll assess what needs attention, prioritize ruthlessly, and execute.
• Building for scale : The security infrastructure you build needs to work today and scale as we grow. You'll set patterns that other engineers follow.
• Embedded engineering : You're not a separate security team. You're an engineer who happens to specialize in security, working alongside the rest of engineering to ship secure systems.

What We're Looking For

Experience : 6-10+ years in security engineering at high-growth tech companies, with significant time at companies known for strong security cultures. You've built security programs.

Technical : Strong systems and application security background. You can read and write code fluently across multiple languages. You understand distributed systems, APIs, databases, and cloud infrastructure well enough to secure them properly.

Basics

Our technology stack :

We don't require that you've worked with any of these technologies before, this is just our stack for your information :

About you

You :

Are dangerous with a keyboard. You write production code regularly. You can implement security controls, build tooling, automate checks, and integrate security into CI / CD. This is not a policy or architecture-only role.

Think like an attacker and a builder. You can identify vulnerabilities and threat vectors, and you understand how to build systems that are secure by default. You know what actually reduces risk versus what just looks good.

Can make the case. Security decisions often require trade-offs. You can articulate why something matters, what the actual risks are (not FUD), and convince engineers to do the right thing without being dogmatic.

Prioritize ruthlessly. Not everything can be perfect on day one. You can assess risk, determine what's urgent versus what can wait, and focus effort where it matters most. Perfect is the enemy of shipped.

Understand the domain deeply. You've worked in regulated industries or with sensitive data. You understand compliance requirements and know that passing an audit requires actual security.

Build for engineers. Security controls that engineers route around are useless. You design systems that make the secure path the easy path. You understand developer experience matters.

Have strong opinions that you're willing to defend. We have a culture of vigorous discussion and debate on technical decisions. We'll push you to defend your choices, and we want you to push back.

Don't settle. Challenge yourself to frequently and consistently deliver exceptional work. If something could be more secure, take the initiative to improve it.

Have great ideas, and lots of them. You should see opportunities all around you to make our systems more secure. We'll give you an environment where you can act on those ideas.

Are self-motivated. You can take a goal and drive towards it without needing extensive hand-holding. The team is supportive and loves to share knowledge and advice, but there's no time for micromanaging your work.

Are comfortable with ambiguity. There's a million ways to secure a system; you should feel at ease making a decision under uncertainty while balancing competing constraints.

Are confident you can learn quickly. Mortgage is complex, our platform is complex, good security engineering is complex. You've got to have an attitude that you can absorb it, get on top of it, and build something better than what came before.

Love strong typing. We're a team full of people who love Haskell and Rust (and Idris!) and take pride in pushing Typescript to its limits. Type safety is security.

About the Team

What we're not :

A compliance checkbox :

A separate security organization :

An easy job :

What we are : A small team :

Working in a regulated space :

About Pylon

The $13 trillion mortgage industry at the core of the American economy runs on broken assembly lines with human-powered workflows, stitched-together software, and a series of capital markets intermediates. The costs to originate are at an all time high despite foundational shifts in foundational technology.

Pylon is rewiring mortgages from the ground up. We are building the only API-first, programmatic infrastructure that fully automates credit, compliance, capital, and operations. For the first time, originators can build and scale mortgage businesses entirely through software, not people. Our team comes from Stripe, Better, and Affirm, and we are backed by Conversion Capital, QED, Citi, Fifth Wall, Peter Thiel, and the founders of Ramp, Mercury, Blend, and others.