Blockchain.com
Product Security Engineer

How your CV stacks up
Upload your CV to see how well it fits this job role
?%
Blockchain is connecting the world to the future of finance. As the most trusted and fastest-growing global crypto company, it helps millions of people worldwide safely access cryptocurrency. Since its inception in 2011, Blockchain has earned the trust of over 90 million wallet holders and more than 40 million verified users, facilitating over $1 trillion in crypto transactions.
You will operate the Product Security programme for Blockchain.com’s internally-developed products across Consumer, OTC and MRE lines. This is a senior, hands-on role: you’ll design and run the secure development lifecycle, lead threat modeling and architecture review, own the security debt lifecycle for product engineering teams, and architect the automated pipelines that protect billions in transaction volume. You will embed with product and engineering teams, convert technical findings into business-prioritized remediation, and lift developer capabilities so security is delivered by code and process.
WHAT YOU WILL DO
Strategic Security Partnership
- Act as a senior security engineer for the different product lines like Consumer, OTC. You will own the security gates for major feature releases and ensure security is integrated from the design phase.
Secure SDLC Operator
- Operate and improve the secure development lifecycle. This includes orchestrating SAST/SCA/DAST, streamlining SARIF ingestion, PR review standards, CI/CD security automation, and vulnerability triage workflows.
AI-Driven SDLC Innovation
- Research, architect, and safely embed cutting-edge AI utilities and Large Language Model (LLM) agents directly into our secure development lifecycle.
Threat Modelling & Architecture Reviews
- Lead STRIDE/attack-tree threat models for sensitive flows including authentication, payment, custody, reconciliation and sign off on security architecture for critical designs.
Product Security Governance & Standards
- Translate technical risks and regulatory demands into clear security policies. You will own the creation and upkeep of our Application Security Standards, reference architectures, and compliance-driven secure coding baselines.
Bug Bounty Leadership
- Oversee the technical triage and remediation strategy for our Bug Bounty program. You will turn external researcher findings into internal architectural hardening projects.
Release Reviews
- Perform deep-dive manual code reviews of security-sensitive Pull Requests, mentor engineers on secure coding patterns, and provide pragmatic remediation guidance.
Advanced Code Auditing
- Conduct deep-dive manual and automated code reviews on highly sensitive Java and Kotlin backend Pull Requests.
Security Debt & Remediation Negotiation
- Produce data-driven Security Debt packs and negotiate remediation into engineering roadmaps. You will negotiate remediation timelines with Product Owners and Engineering leadership, backed by risk-based data.
Detection & Telemetry Integration
- Define application runtime signals (business-logic anomalies, auth anomalies, reconciliation mismatches) and work with SecOps to instrument logs and alerts.
Reasons to use Rodeo
I’m in my final year doing Economics and I don’t know whether to apply for grad schemes now or do a masters first. What do you think?
Honest answer — it depends on where you want to end up. A lot of top grad schemes (Big 4, civil service, banking) don’t need a masters. Let’s look at the ones you’d be competitive for now, and we can decide if a masters actually adds anything.
Also worth knowing: most autumn 2026 applications are open now. Timing matters more than you think.
Start with a chat, not a search bar
Grad scheme, placement, apprenticeship? Not sure what you want yet — that's fine. Your agent talks it through with you and turns "I have no idea" into a shortlist.
Graduate Consultant — 2026 Scheme
Why you're a good match
StrongYour economics background and your summer at a regional bank line up with what PwC looks for on the consulting scheme. Applications close in four weeks.
See breakdownIt searches the market for you
Every day your agent scans the market matching roles against what actually matters to you, not just keywords on a CV.
Why you're a good match
You’ve got the grades and the economics background, and your bank internship is exactly the experience this scheme looks for. Apply soon — deadlines close within the month.
Experience fit
Your summer at the bank plus your econometrics coursework map directly to the day-one responsibilities on this scheme — client modelling, market briefings, and deal support.
Only hits
No noise. No "maybe this fits." Just roles with a clear explanation of why they're right — and where to focus when applying.
Testing & Automation
- Build and maintain product-level test harnesses, fuzzing/property tests and CI checks to prevent regressions for business-critical flows.
Incident Response Support
- Provide product-level Incident Response expertise like test forensic runbooks, support reproduction of payment/settlement incidents, and advise on containment/remediation whenever needed.
Metrics & Risk Visibility
- Define and own the Product Security metrics (e.g., MTTR for critical vulnerabilities, security debt burn-down, and defect density). You will translate these KPIs into high-level risk reports for the Head of Security and Engineering leadership to drive data-backed resourcing decisions.
People & Process
- Coach junior product security engineers and security champions. You will assist the Product Security Lead to define hiring standards and capability plans.
WHAT YOU WILL NEED
Must-Haves
- 4+ years total security engineering experience with at least 3+ years focused specially in application/product security or equivalent.
- Experience with Web, Mobile, Cloud, Infrastructure Pentests and Red Teaming (e.g., phishing)
- Proven track record of shipping security automation using CodeQL/GHAS, Snyk, or similar. You should be intimately familiar with the SARIF ecosystem and ASPM workflows.
- Expert-level ability to audit and propose fixes in Kotlin/Java, TypeScript/JS, Python, and familiarity with containerised deployments (Kubernetes).
- Strong threat modeling experience and pragmatic architecture guidance for high-stakes financial flows (AuthN/AuthZ, Cryptography, Payments).
- Experience building CI checks, test harnesses and lightweight fuzzing/property tests.
- Excellent stakeholder skills — able to negotiate remediation with Engineering Directors and Product owners, balancing security requirements with business velocity.
Nice-to-haves
- Prior fintech/Trading/OTC product security experience or familiarity with custody/signing patterns.
- Practical experience designing or deploying AI-assisted security tooling, leveraging LLMs for automated software patch generation, or evaluating vulnerability detection agents within enterprise developer pipelines.
- Prior experience operating alongside GRC frameworks, authoring developer-facing security policies from scratch, and building automated policy-as-code gateway integrations.
- Public track record of CVEs, security research, or open-source contributions to security tooling.
- Advanced credentials such as OSCP, OSWE, CISSP or equivalent.
- Experience with on-chain/off-chain integration, payment reconciliation, or smart contract security.
- Familiarity with vulnerability management platforms (DefectDojo, Dependabot orchestration) and GRC/Gateway integrations.
- Prior contributions to security automation and developer tooling (open source or internal).
COMPENSATION & PERKS
- Full-time salary based on experience and meaningful equity in an industry-leading company
- This is a role based in our London office, with a mandatory in-office presence four days per week.
- Work from Anywhere Policy: You can work remotely from anywhere in the world for up to 20 days per year.
- ClassPass
- Unlimited vacation policy; work hard and take time when you need it
- Apple equipment
- The opportunity to be a key player and build your career at a rapidly expanding, global technology company in an emerging field
- Flexible work culture


Get help with your application
Your very own career expert that helps elevate your application to the next level.
Blockchain is committed to diversity and inclusion in the workplace and is proud to be an equal opportunity employer. We prohibit discrimination and harassment of any kind based on race, religion, color, national origin, gender, gender expression, sex, sexual orientation, age, marital status, veteran status, disability status or any other characteristic protected by law. This policy applies to all employment practices within our organization, including hiring, recruiting, promotion, termination, layoff, recall, leave of absence, and apprenticeship. Blockchain makes hiring decisions based solely on qualifications, merit, and business needs at the time.
You may contact our Data Protection Officer by email at dpo@blockchain.com. Your personal data will be processed for the purposes of managing Controller’s recruitment related activities, which include setting up and conducting interviews and tests for applicants, evaluating and assessing the results thereto, and as is otherwise needed in the recruitment and hiring processes. Such processing is legally permissible under Art. 6(1)(f) of Regulation (EU) 2016/679 (General Data Protection Regulation) as necessary for the purposes of the legitimate interests pursued by the Controller, which are the solicitation, evaluation, and selection of applicants for employment.
Your personal data will be shared with Greenhouse Software, Inc., a cloud services provider located in the United States of America and engaged by Controller to help manage its recruitment and hiring process on Controller’s behalf. Accordingly, if you are located outside of the United States, your personal data will be transferred to the United States once you submit it through this site. Because the European Union Commission has determined that United States data privacy laws do not ensure an adequate level of protection for personal data collected from EU data subjects, the transfer will be subject to appropriate additional safeguards under the standard contractual clauses.
Your personal data will be retained by Controller as long as Controller determines it is necessary to evaluate your application for employment. Under the GDPR, you have the right to request access to your personal data, to request that your personal data be rectified or erased, and to request that processing of your personal data be restricted. You also have the right to data portability. In addition, you may lodge a complaint with an EU supervisory authority.
“It took my CV and asked me questions relevant to understanding what kind of jobs to suggest for me. Suggestions were almost perfect. Jobs were exactly what I’ve been looking for.”
Jessica, London
Skills
Location