Senior Security Engineer

About GRVT

GRVT (pronounced “gravity”) is the world’s first licensed onchain exchange, where traditional banking meets decentralized innovation on one regulated, compliant, and trustless financial market place. A blockchain-based platform that is democratizing how wealth is created and shared, GRVT allows everyday people to trade, invest, and grow their wealth by providing direct access to top industry traders and investors.

Key Stats

• Team size: 50+ and growing
• Seed round funding: $14.3 million
• Users: 40,000+ KYCed users, unprecedented for DEXs
• 50+ institutional clients onboarded
• $1.2 billion monthly trading volume and growing, since launch

If you’re passionate about meaningful innovation and ready to shape the future of finance, GRVT offers the opportunity to work at the forefront of financial evolution. Join us and be part of redefining what’s possible.

🔗 Website: www.grvt.io

(https://www.grvt.io/)

Backed by Traders, Invested by Leaders:

FURTHER VENTURES | SIG | QCP | SELINI | HACK VC | DELPHI DIGITAL | ANTELOPE | METALPHA | LIQUIDITY TECH | ALBATROSS | CMS | FISHER 8 | MOONVAULT | PULSAR | FLOW TRADERS | KRONOS and more.

About this Role

At GRVT, security is a cornerstone of our platform and products. This role is a blend of engineering and security. You would be part of a dynamic team, identifying risks throughout the organisational landscape. Work with each engineering vertical to manage novel risks that might only be encountered in a hybrid exchange like GRVT. You will have the opportunity to help to shape, build, and innovative security solutions within a rapidly evolving industry, gaining exposure to both CeFi and DeFi.

Key Responsibilities:

You will join the GRVT Site Reliability Engineering (SRE) team, which operates across three tightly integrated verticals:

• DevSecOps (cloud infrastructure, incident response, platform stability)
• Test Engineering (end-to-end testing, regression pipelines, feature assurance)
• Security Engineering (penetration testing, security advisory, security governance).

The organization has the mandate of ensuring the end-to-end reliability of the GRVT platform, protecting our product’s reliability, correctness, and security.

This role is positioned within the Security vertical but works cross-functionally with the entire organization.

• Lead technical assurance activities across projects, including penetration testing, purple teaming, threat modeling, and architecture reviews—ensuring both new and existing systems maintain a high security baseline.
• Serve as the primary security expert within the SRE team, collaborating closely with Ops and QA Engineers and Wider Teams to design practical, high-impact controls that enhance platform security without compromising delivery velocity.
• Build automation and internal tooling for security visibility, posture monitoring, and enforcement (e.g., secret scanning, anomaly detection, automated test harnesses).
• Monitor, triage, and lead response efforts for security incidents, coordinating across SRE, and wider engineering teams.
• Establish and maintain security policies and controls aligned with both engineering best practices and regulatory obligations
• Educate and empower developers and engineers with actionable guidance, secure coding practices, and feedback cycles—reducing the likelihood of vulnerabilities during development.

Experience & Skills Requirements:

• Strong Information Security (InfoSec) background (5 years+), with proven experience in application security across both traditional web stacks and blockchain-based systems.
• Expert knowledge of web application security, including deep familiarity with the OWASP Top 10, to assess and defend GRVT’s off-chain services against common web-based threats.
• Python proficiency – Experience building security engineering tools such as automated API security testers, custom static analyzers, or CI/CD-integrated scanners for secrets, misconfigurations, and insecure patterns.
• Proficiency in security testing tools, such as SAST (e.g., SonarQube, Checkmarx, GoSec), DAST (e.g., OWASP ZAP, Burp Suite).
• Demonstrated ability to quickly understand and analyze unfamiliar codebases, enabling effective secure code review across diverse systems—including web services, infrastructure components, and smart contracts.
• Experience conducting threat modelling exercises, or a strong grasp of threat modeling methodologies to evaluate project risk at the design and implementation levels.
• Smart contract auditing experience, with familiarity in identifying common vulnerabilities in decentralized applications and blockchain systems.
• Bug bounty programs experience, either as a seasoned researcher or by managing an organization’s program.
• Experience with Cloud infrastructure (e.g., AWS, GCP). Understanding of container security and DevSecOps principles, with practical experience integrating security into CI/CD pipelines.

Bonus Points:

• Familiarity with IT security frameworks such as SOC 2 and ISO 27001, and how to align technical controls to compliance objectives.
• Holds or actively pursues professional certifications such as OSCP, OSWE, CISSP, CDP, or CTMP.