Whop

Security Lead Engineer

Brooklyn, NY · posted 16d ago

About the role

<h3><strong>About Whop</strong></h3>
<p>Whop is a financial technology company on a mission to provide the world with sustainable income. Our vision is to create the world’s largest internet market, where people can create, connect, and transact all from a single platform.</p>
<p>Today, Whop facilitates over $3 billion in annual payouts to people in 144 countries.</p>
<p>Our current team is made up of young, passionate entrepreneurs who grew up on the internet — over 75% built a business before joining Whop, including 53 former founders and 30 who scaled past $1M in revenue.</p>
<p>This role is responsible for owning all security outcomes: infrastructure, compliance, external programs, and internal security. You'll drive execution and hold an extremely high bar for our security posture. We are looking for someone highly technical – an engineer first.</p>
<p>We're mid-SOC2 with a handful of vendors supporting our IT and Security. You'll inherit these relationships and make them yours, and work across every internal team to drive execution.</p>
<p>This is a hands-on role.</p>
<p><strong>Scope:</strong></p>
<ul>
<li>Own SOC2 and data privacy compliance (audits, GDPR, CCPA)</li>
<li>Own infrastructure security (AWS, Vercel, Cloudflare, PlanetScale - secrets, access controls, monitoring)</li>
<li>Own security incident response (detection, triage, remediation, post-mortems)</li>
<li>Own external security programs (bug bounty, pen tests, threat monitoring)</li>
<li>Own internal security (IT vendor, device security, office security, training)</li>
<li>First line of escalation for all security issues</li>
</ul>
<h3><strong>What we’re looking for</strong></h3>
<ul>
<li>Highly technical — understands backend systems, infra, APIs, how things break. Can actually fix issues, not just identify them</li>
<li>Extremely organized, high attention to detail</li>
<li>High agency, scrappy, and urgent</li>
<li>Extremely clear communicator - written and verbal</li>
<li>Paranoid in the right way - thinks like an attacker to protect us</li>
<li>Willing to push back, but trusted enough that people listen</li>
<li>Highly available and responsive</li>
<li>Always learning, loves to teach</li>
<li>Builds systems that make you redundant over time</li>
<li>5+ years in security, has owned a program before</li>
<li>Low-ego - cares about outcomes, not credit</li>
<li>Uses modern tools (AI agents), and stays current on threat landscape</li>
<li>Constantly monitors and adjusts what you ship</li>
<li>Series A/B or high-growth startup experience preferred</li>
</ul>
<h3><strong>Your first 90 days will look like the following:</strong></h3>
<ul>
<li> <p class="p1"><span class="s1">Within 30 days</span>, you’ve mapped how access, data, money, and production systems actually work at Whop. Incident detection is materially improved through stronger logging and monitoring, with clear signals for suspicious access and misuse.</p> </li>
<li> <p class="p1"><span class="s1">Within 60 days</span>, security fundamentals are standardized and enforced through engineering systems, not policy alone. Identity, access, secrets, devices, production access, and financial systems operate on least-privilege defaults with strong auditability and fast revocation. Guardrails are embedded into workflows so engineers and operators naturally do the safe thing.</p> </li>
<li> <p class="p1"><span class="s1">Within 90 days</span>, Whop’s security posture is durable under real-world pressure. External security programs are live, incidents are detected early and handled predictably, and critical systems are resilient to abuse, compromise, and traffic spikes. Sensitive data is controlled and minimized by default. Employees can safely use modern tools, including AI, without creating hidden risk.</p> </li>
</ul>

About Whop

Visit careers.whop.com for more.