DevSecOps Engineer at Alpaca

About Alpaca

Alpaca is a US-headquartered, self-clearing broker-dealer and brokerage infrastructure provider supporting stocks, ETFs, options, crypto, fixed income, and more. Backed by top-tier investors, Alpaca serves institutional clients across dozens of countries with developer-first APIs. We are a distributed, remote-first security-conscious engineering organization focused on opening financial services to everyone.

Role summary

We are hiring a DevSecOps Engineer to own the intersection of security, reliability, and DevOps across our cloud platform and CI/CD pipelines. You will design and implement resiliency and security-as-code controls, automate remediation, lead incident response for high-severity outages, and partner with engineering teams to enable safe, fast delivery at scale. This role reports to the CISO with a dotted line into Engineering and works closely with DevOps, Product, and Engineering leadership.

Key responsibilities

• Security engineering and automation - Embed security into CI/CD pipelines by implementing IaC scanning, software composition analysis, secrets checks, policy-as-code, and deployment guardrails.
• Vulnerability management - Automate discovery, prioritization, and remediation workflows for vulnerabilities across cloud and container ecosystems.
• Platform hardening - Harden cloud and Kubernetes environments through secure configurations, network segmentation, workload identity, and automated compliance checks.
• Supply chain security - Advance SBOM generation, artifact signing, dependency governance, and integrity controls for software supply chain safety.
• Resilience and response - Own cyber resilience standards, run secure failover and DR rehearsals, build high-signal detection alerts, and support incident forensics.
• Secure deployment patterns - Implement canary rollouts, automated safe rollbacks, and deployment guardrails to minimize blast radius.
• Leadership and culture - Act as a security champion, define security KPIs, and partner across teams to raise secure development practices and measurable improvements.

Who you are - must haves

• 5+ years of experience in DevSecOps, security engineering, or cloud security in cloud-native environments.
• Hands-on experience with cloud providers and Kubernetes, and building secure platform patterns for production workloads.
• Deep understanding of secure CI/CD controls, IaC security, dependency scanning, secrets scanning, and policy-as-code.
• Practical experience automating vulnerability management and patching across cloud and container stacks.
• Strong identity and access management knowledge and experience enforcing least privilege and secure secrets lifecycle.
• Familiarity with detection engineering, logging and telemetry, and participation in incident response and on-call rotations.
• Proficiency in a scripting or programming language such as Python or Go for automation and tooling.
• Comfort working cross-functionally, explaining risk in practical terms, and influencing product and engineering decisions.

Nice to have

• Experience securing financial or trading platforms and familiarity with regulatory frameworks such as SOC 2, ISO 27001, or PCI.
• Hands-on supply chain security experience, including SBOMs, Sigstore, or artifact signing and provenance.
• Offensive security experience, bug bounty triage, or penetration testing background.
• Security or cloud certifications such as CISSP, OSCP, or GIAC.

What we offer

• Competitive salary and stock options.
• Health benefits.
• New hire home-office setup payment and ongoing monthly stipend.
• Remote-first team with flexible work and global collaboration.

How to apply

Apply via the job board by submitting your resume and any supporting materials. The Security team is fully distributed and the role involves collaboration across time zones and participation in on-call rotations when required. Alpaca is an equal opportunity employer.