Relay

Senior Application Security Engineer

Hybrid

Toronto, Canada

Senior

Full Time

15-10-2025

Skills

Python, JavaScript, TypeScript, Penetration Testing, Burp Suite, GitHub, CI/CD, Monitoring, Autonomy, Node.js, AWS, Software Development, SDLC, AWS Cloud, JS, Postgres, GitHub Actions

Job Specifications

Our mission is to increase the success rate of small businesses. Traditional banking has been a growth limiter rather than a growth enabler for business owners, and we're changing that. Relay is the all-in-one, collaborative money management platform. We're building for employer SMBs and their finance function, internal and external, and are focused on delivering a human-centric customer experience. Ultimately, we help SMBs be 'on the money'.

We're looking for a Senior Application Security Engineer who thrives on autonomy, curiosity, and impact. You'll work across our stack (from TypeScript and Node.js, to Postgres and AWS cloud infrastructure) ensuring our applications are secure from design to deployment. You'll blend technical depth with systems thinking, working across teams to identify risks, build guardrails, and evolve our security practices as Relay scales.

This isn't a "ticket queue" role. Join AppSec to make Relay the safest financial platform for SMBs. You'll eliminate vulnerabilities before they ship, tame supply-chain risk, and raise the bar on identity, AI safety, and runtime assurance. As part of the platform team, you will work closely with our Site Reliability Engineers to ensure that all of our production workloads are safe and secure.

What You'll Be Doing

Shift-left guardrails. Build and maintain secure-by-default libraries and CI checks (SAST/DAST/Secrets/SCA, threat-model gates) so PRs pass AppSec checks and Critical issues are not merged to the codebase. You will partner with product teams to make sure application security controls are in place and secure product standards are met before products ship to customers.
Identity & account protection. Engage stakeholders and business partners to harden authentication (e.g., passkeys/WebAuthn), step-up flows, and session controls; drive a measurable reduction in security violations.
Software supply chain. Enforce provenance: SBOM on every build, dependency pinning/owner verification, private registries/proxies, and runtime SCA detections.
SDLC & IDE integration. Embed security into CI/CD (GitHub Actions, pipelines) across JS/TS/Python and other services; maintain secure coding capabilities with IDE integration for all delivery teams.
Cloud & infra security. Partner with SREs to enable infrastructure security and embed security features into core applications and workflows.
AI security. Guide features through AI risk reviews; cover OWASP Top 10 for LLMs; add safeguards for prompt injection, data leakage, and excessive agency; govern AI-generated code in CI.
Threat intel & offensive testing. Track emerging attacks (esp. npm and fintech), run targeted black-box tests, support red/purple team exercises, and publish actionable playbooks.
VDP & bug bounty. Triage researcher reports, reproduce/assess impact, coordinate fixes with owners, and close the loop with clear comms and durable controls.
Tooling. You have experience working with security tooling and monitoring/alerting systems.
Evangelize security. Mentor team members on secure patterns; write concise guidance and runbooks that accelerate delivery rather than slow it down.

Who You Are

Experience: You have 5+ years of experience in Application Security, Product Security, Penetration Testing, or similar roles.
Software Development: you are an expert in JavaScript, TypeScript, and Python; you can review PRs, contribute code, and create secure libraries in these languages.
Security fundamentals: deep understanding of the OWASP Top 10 and real-world exploitation and mitigation techniques.
Enablement focused: you strive to accelerate development teams and value guardrails over gates.
Clear communicator & collaborator: you are a collaborator who loves to partner with developers to bring value to customers in the most secure way possible.
Ownership: You have a sense of responsibility towards problems and take ownership of them, making sure nothing is forgotten and stakeholders stay informed.
Mentorship: You are comfortable mentoring team members and members of other teams on security best practices.

Bonus Points

Implemented passkeys/WebAuthn or phishing-resistant MFA at scale.
Experience with Socket.dev, Semgrep, Datadog AppSec, GitHub Advanced Security, ZAP/IAST, Burp Suite.
Built private npm proxies, artifact repos, and SLSA-aligned pipelines.
Led or contributed to red/purple team exercises and game days.
Fintech/regulatory experience, including working in compliant environments such as SOC 2.
Securing AI workflows and products.
You've joined a company at its early stages and seen it through scale.
Show us your home lab!

Our Commitment to You

Competitive salary and meaningful equity: Relay employees are Relay owners, complete with equity and a competitive salary.
Comprehensive health benefits: enjoy full health benefits from day one. We offer flexible Health or Wellness Spending Accounts and medical, dental, and vision coverage for you and your dependents.
Flexible vacation and time off: every tea

About the Company

Small business banking and money management tools to put you in complete control of what your business is earning, spending and saving. The official banking platform of Profit First.

Bank with Relay for:

No fees or minimum balances that tie up cash flow
Up to 20 checking accounts to organize income and expenses
Spending management using 50 physical or virtual debit cards
Payments and deposits via ACH transfers, checks and wires
Secure, role-based access to team members and financial advisors
Personalized customer suppo...