Lead Security Engineer
Company: Pylon
Location: San Francisco
Posted on: April 1, 2026
Job Description:
The $13T mortgage industry at the heart of the American economy still runs on phone calls, browser tabs, and 20th-century workflows. While payments and banking moved into the API era, mortgage origination costs have doubled to $12,000 per loan…undermining originator economics and homeowner affordability.

While others continue to optimize around the edges, we’re rebuilding America’s mortgage infrastructure from the ground up, vertically integrating mortgage origination from application to settlement. We’re already powering mortgage products for multiple publicly traded companies, our revenue is doubling month over month, and we’re backed by the architects of the modern fintech stack (Peter Thiel, Conversion Capital, QED, Citi, Fifth Wall, and the founders of Ramp, Blend, and Mercury).

At Pylon, we're a small team building a very ambitious product in the mortgage space. We're in search of people who find difficult problems invigorating and who fit well into a high-performing team built on mutual respect and reliance. If you like pushing yourself to learn a massive amount while shipping code that has a huge impact on the end product, Pylon Engineering could be a great place for you.

About the Job

The Role

You'll be our first dedicated security engineer, taking ownership of security across our mortgage infrastructure platform. As a regulated financial institution handling sensitive borrower data, security is foundational to everything we build.
This means:

- Hands-on security engineering: You'll write code. Lots of it. This isn't a policy or compliance role. You'll build security infrastructure, implement controls, and integrate security into our development workflow.
- Technical leadership: You'll work directly with the CTO and engineering team to make security decisions that affect our architecture. You need to argue convincingly for security priorities while understanding the trade-offs.
- End-to-end ownership: From application security to infrastructure hardening to incident response. You'll assess what needs attention, prioritize ruthlessly, and execute.
- Building for scale: The security infrastructure you build needs to work today and scale as we grow. You'll set patterns that other engineers follow.
- Embedded engineering: You're not a separate security team. You're an engineer who happens to specialize in security, working alongside the rest of engineering to ship secure systems.

What We're Looking For

- Experience: 6-10 years in security engineering at high-growth tech companies, with significant time at companies known for strong security cultures. You've built security programs.
- Technical: Strong systems and application security background. You can read and write code fluently across multiple languages. You understand distributed systems, APIs, databases, and cloud infrastructure well enough to secure them properly.

Basics

- Job title: Lead Security Engineer
- Stock options: own a piece of the company and we all win together
- Health insurance, 401K, dental, etc.

Our technology stack: We don't require that you've worked with any of these technologies before; this is just our stack for your information:

- TypeScript/Node.js (NestJS)
- PostgreSQL
- AWS infrastructure
- Web components (Lit), React
- GraphQL APIs

About you
You:

- Are dangerous with a keyboard. You write production code regularly. You can implement security controls, build tooling, automate checks, and integrate security into CI/CD. This is not a policy or architecture-only role.
- Think like an attacker and a builder. You can identify vulnerabilities and threat vectors, and you understand how to build systems that are secure by default. You know what actually reduces risk versus what just looks good.
- Can make the case. Security decisions often require trade-offs. You can articulate why something matters, what the actual risks are (not FUD), and convince engineers to do the right thing without being dogmatic.
- Prioritize ruthlessly. Not everything can be perfect on day one. You can assess risk, determine what's urgent versus what can wait, and focus effort where it matters most. Perfect is the enemy of shipped.
- Understand the domain deeply. You've worked in regulated industries or with sensitive data. You understand compliance requirements and know that passing an audit requires actual security.
- Build for engineers. Security controls that engineers route around are useless. You design systems that make the secure path the easy path. You understand developer experience matters.
- Have strong opinions that you're willing to defend. We have a culture of vigorous discussion and debate on technical decisions. We'll push you to defend your choices, and we want you to push back.
- Don't settle. Challenge yourself to frequently and consistently deliver exceptional work. If something could be more secure, take the initiative to improve it.
- Have great ideas, and lots of them. You should see opportunities all around you to make our systems more secure. We'll give you an environment where you can act on those ideas.
- Are self-motivated. You can take a goal and drive towards it without needing extensive hand-holding. The team is supportive and loves to share knowledge and advice, but there's no time for micromanaging your work.
- Are comfortable with ambiguity. There's a million ways to secure a system; you should feel at ease making a decision under uncertainty while balancing competing constraints.
- Are confident you can learn quickly. Mortgage is complex, our platform is complex, good security engineering is complex. You've got to have an attitude that you can absorb it, get on top of it, and build something better than what came before.
- Love strong typing. We're a team full of people who love Haskell and Rust (and Idris!) and take pride in pushing TypeScript to its limits. Type safety is security.

About the Team
What we're not:

- A compliance checkbox: We're not looking for someone to run audits and fill out questionnaires. We need someone building actual security. If you think security means following frameworks without understanding why, Pylon will be frustrating for you.
- A separate security organization: You won't have a team of security analysts reporting to you. You'll be embedded with engineering, influencing how we build, not reviewing after the fact. If you need organizational authority to get things done rather than technical credibility, this isn't the role.
- An easy job: We're building a lot of things from the ground up for the first time. Working at Pylon is like a research project where you have to ship to intelligent, opinionated customers regularly. It's basically guaranteed you'll be handed a task that is too difficult for you to do. You might fail sometimes. You might have no idea where to start. Our team leans heavily on each other, but there's no getting around the difficulties.

What we are:

- A small team: We don't have an army of engineers. If you find a security gap, you are probably the best one to fix it. All the code we write has to punch above its weight in maintainability and toil reduction. If you have a good idea, you have much more ability to put it into action than at a large company.
- Working in a regulated space: Mortgage is regulated both federally and at the state level. We handle extremely sensitive financial data. Security failures have real consequences. We move fast, but breaking things isn't an option.