Senior Security Engineering Manager Product Security

The Team: 

Upstart’s Security Engineering team is passionate about bringing progressive approaches to securing our products infrastructure platforms and enterprise systems. We believe security should empower innovation move at the speed of business and embed safety by design into how Upstart builds and operates. Our team’s mission is to protect Upstart’s core product platforms cloud infrastructure enterprise systems customers and data by partnering deeply with Engineering Product Infrastructure Risk Compliance and Security teams to reduce security risk through automation collaboration offensive security and durable security practices.

As the Senior Security Manager for Product Security Engineering at Upstart you will lead a team responsible for scaling security engineering practices across application security infrastructure security offensive security and product security. You will set priorities develop team members and partner with senior engineering and business leaders to shape Upstart’s security engineering strategy strengthen secure-by-design practices reduce systemic risk and improve the security posture of customer-facing products cloud-native services internal platforms APIs and AI-driven product workflows.

How you’ll make an impact

• Define and lead the Security Engineering roadmap across application security infrastructure security offensive security and product security aligning priorities with Upstart’s business objectives engineering strategy regulatory expectations and risk posture.
• Manage coach and develop a team of security engineers ensuring clear goals measurable impact sustainable execution effective operating rhythms and growth opportunities for each team member.
• Partner with Engineering Product Infrastructure Data Risk Compliance and Audit leaders to identify high-priority security risks align on pragmatic mitigations and embed security requirements early in planning design development and operations.
• Scale secure-by-design practices across the SDLC including threat modeling security architecture reviews secure coding practices automated security testing vulnerability management API security CI/CD protections secrets management and developer security enablement.
• Strengthen infrastructure and cloud security by partnering with Infrastructure and Platform teams on secure architecture identity and access controls Kubernetes and container security cloud-native security controls and defense-in-depth across application and infrastructure layers.
• Build and mature offensive security capabilities including attack surface management adversarial testing security validation penetration testing coordination bug bounty intake and prioritization of findings into durable engineering improvements.
• Improve product security outcomes by partnering with Product and Engineering teams to identify abuse cases security requirements customer-impacting risks and scalable controls for high-trust product experiences.
• Drive consistent execution across cross-functional initiatives by setting priorities clarifying ownership communicating tradeoffs and ensuring high-impact security work is delivered with quality and urgency.
• Establish and improve Security Engineering metrics operating models and reporting so leaders can understand risk posture remediation progress recurring patterns program health and the effectiveness of security investments.
• Support response to high-severity security issues by coordinating technical investigation stakeholder communication root cause analysis remediation tracking and durable improvements that prevent repeat issues.
• Foster a culture where security enables innovation by building trusted partnerships mentoring engineering leaders and helping teams adopt practical controls that improve safety without unnecessary friction.

What we’re looking for: 

• Minimum requirements:
  • 8+ years of experience in security engineering software engineering infrastructure engineering offensive security product security or related technical security roles.
  • 3+ years of experience managing leading or formally developing security engineers or technical teams.
  • Experience leading security engineering programs in at least two of the following domains: application security infrastructure security offensive security product security cloud security or secure SDLC.
  • Experience partnering with Engineering Product Infrastructure Risk Compliance or Audit stakeholders to deliver cross-functional security initiatives.
  • Experience with modern application and infrastructure architectures including APIs web applications cloud-native services CI/CD pipelines identity and access controls and common vulnerability classes.
  • Experience defining roadmaps priorities metrics and operating processes for security programs with cross-functional dependencies.
• Preferred qualifications:
  • Experience building or scaling a security engineering function including team operating models roadmap planning prioritization frameworks metrics and executive-level reporting.
  • Experience managing security work in a regulated environment financial technology company or organization with high security privacy or compliance requirements.
  • Knowledge of AWS Kubernetes containers CI/CD security infrastructure-as-code security identity and access management vulnerability management API security and modern application security testing practices.
  • Experience implementing or scaling security tooling such as SAST DAST SCA IaC scanning secrets detection attack surface management bug bounty intake penetration testing workflows vulnerability management platforms or developer security guardrails.
  • Familiarity with security considerations for AI/ML systems data-intensive applications lending or financial technology platforms or other high-trust customer-facing products.
  • Ability to communicate technical risk tradeoffs and recommendations clearly to technical non-technical and senior leadership audiences.
  • Experience partnering with Engineering Product Infrastructure Legal Risk Compliance and Audit teams to deliver security outcomes without creating unnecessary friction.
  • Security certifications such as CISSP CSSLP CCSP AWS Security Specialty GIAC OSCP or equivalent practical expertise.

Position location This role is available in the following locations: Remote - US

Time zone requirements The team operates on the East/West coast time zones. 

Travel requirements As a digital first company the majority of your work can be accomplished remotely. The majority of our employees can live and work anywhere in the U.S but are encouraged to to still spend high quality time in-person collaborating via regular onsites. The in-person sessions’ cadence varies depending on the team and role; most teams meet once or twice per quarter for 2-4 consecutive days at a time.

#LI-REMOTE

#LI-MidSenior 

What We Do

Upstart is the leading AI lending marketplace connecting millions of consumers to more than 100 banks and credit unions that leverage Upstart’s AI models and cloud applications to deliver superior credit products. With Upstart's AI lenders can approve more borrowers at lower rates across races ages and genders while delivering the exceptional digital-first experience customers demand. More than 80% of borrowers are approved instantly with zero documentation to upload. Founded in 2012 Upstart’s platform includes personal loans automotive retail and refinance loans home equity lines of credit and small-dollar “relief” loans. If you are energized by the impact you think you could make at Upstart we'd love to hear from you!

Why Work With Us

Connection to our mission creates a special environment where people feel passionately about the impact they make in the world. Upstart is fast-paced and we encourage ownership at all levels of the organization. As a result culture at Upstart is driven by Upstarters. Upstarters are proactive talented multi-dimensional and collaborative.

Gallery