Startale Group - Security Engineer

• Must-have • 5+ years of hands-on experience with a focus on application security, penetration testing, or product security. • Demonstrated ability to find vulnerabilities — through manual testing, architecture and/or code review, or creative attack simulation. You should be able to describe specific bugs you've found and how you found them. • Practical experience with exchange or trading platform security — from a DEX (preferred) or DeFi protocol. You should understand order book mechanics, transaction flows, wallet security, and the threat landscape specific to trading infrastructure. • exchange or trading platform security • Scripting and automation ability — you write tools and automate to scale security across the stack, not just audit and write reports. • Experience triaging vulnerabilities and writing clear, actionable remediation guidance for developers. • Strong written communication in English — you'll write tickets, assessment reports and researcher responses. • Strong plus • Experience with cloud infrastructure security — least-privilege enforcement, network security, secrets management. • Experience with container security — network policies, RBAC, pod security standards, image scanning, Dockerfile hardening, base image management. • Ability to read and review code in at least one of: TypeScript/JavaScript, Solidity, Rust. • Understanding of software supply chain security, including dependency risks, build integrity, and methods for tracking what components are included in shipped software. • Experience managing or participating in a bug bounty program (e.g. Immunefi, HackerOne). • Domain plus • Experience securing AI/LLM tooling in engineering teams — prompt injection risks, data leakage prevention, tool configuration hardening • AI/LLM tooling • Japanese language ability (not required, but useful for company context) • Location / Timezone • Location / Timezone • Strong preference for Tokyo-based or Singapore-based candidates - Startale office locations. • Remote-friendly for exceptional candidates — must have 3+ hours overlap with Tokyo business hours (JST, UTC+9). • Target start date • Target start date • As soon as available; realistic target start of Q3 2026. • Target companies • Target companies • Decentralized exchanges, DeFi protocols, blockchain security firms, L1/L2 chain security teams, or fintech companies with trading infrastructure. We're also open to strong AppSec engineers from cloud-native startups who have genuine interest in web3. • You're a hands-on security engineer who finds real vulnerabilities, not just runs scanners. You've secured a trading platform or exchange and understand the threats specific to financial infrastructure — order book manipulation, transaction signing, wallet compromise, front-running. You can take a system, map the attack surface, and come back with findings that matter. You write clear reports that engineers act on, and you know the difference between a theoretical risk and a real one. You're comfortable working independently in a fast-moving team where there's no playbook — you write the playbook.