Pylon

Lead Security Engineer

TLDR

Take ownership of security across our mortgage infrastructure platform, building security infrastructure, implementing controls, and integrating security into our development workflow.

About Pylon

America’s $13T mortgage market is one of the most important financial systems in the world. It underwrites the middle class and is the mechanism through which millions of families build wealth. But while every other financial instrument has been simplified to an API call, mortgages are still assembled by hand.

We started from zero and created the first vertically integrated mortgage platform that turns origination into a single API.

Publicly traded companies and the country’s largest originators are already building on Pylon. Revenue is compounding monthly. We’re backed by Peter Thiel, Conversion Capital, QED, Citi, Fifth Wall, and the founders of Ramp, Blend, and Mercury.

Working at Pylon isn’t for those seeking comfort. The people who thrive here have high agency, strong opinions, and a track record of delivering outcomes without direction. Many of us are former founders. We move quickly, challenge each other directly, and take full ownership of results. It’s hard work, but it will be worth it.

Join us in building America’s mortgage rails.

The Role

You'll be our first dedicated security engineer, taking ownership of security across our mortgage infrastructure platform. As a regulated financial institution handling sensitive borrower data, security is foundational to everything we build.

This means:

  • Hands-on security engineering: You'll write code. Lots of it. This isn't a policy or compliance role. You'll build security infrastructure, implement controls, and integrate security into our development workflow.

  • Technical leadership: You'll work directly with the CTO and engineering team to make security decisions that affect our architecture. You need to argue convincingly for security priorities while understanding the trade-offs.

  • End-to-end ownership: From application security to infrastructure hardening to incident response. You'll assess what needs attention, prioritize ruthlessly, and execute.

  • Building for scale: The security infrastructure you build needs to work today and scale as we grow. You'll set patterns that other engineers follow.

  • Embedded engineering: You're not a separate security team. You're an engineer who happens to specialize in security, working alongside the rest of engineering to ship secure systems.

What We're Looking For

Experience: 6-10+ years in security engineering at high-growth tech companies, with significant time at companies known for strong security cultures. You've built security programs.

Technical: Strong systems and application security background. You can read and write code fluently across multiple languages. You understand distributed systems, APIs, databases, and cloud infrastructure well enough to secure them properly.

Basics

  • Job title: Lead Security Engineer

  • Stock options: own a piece of the company and we all win together

  • Health insurance, 401K, dental, etc.

Our technology stack:

We don't require that you've worked with any of these technologies before; this is just our stack for your information:

  • TypeScript/Node.js (NestJS)

  • PostgreSQL

  • AWS infrastructure

  • Web components (Lit), React

  • GraphQL APIs

About you

You:

Are dangerous with a keyboard. You write production code regularly. You can implement security controls, build tooling, automate checks, and integrate security into CI/CD. This is not a policy or architecture-only role.

Think like an attacker and a builder. You can identify vulnerabilities and threat vectors, and you understand how to build systems that are secure by default. You know what actually reduces risk versus what just looks good.

Can make the case. Security decisions often require trade-offs. You can articulate why something matters, what the actual risks are (not FUD), and convince engineers to do the right thing without being dogmatic.

Prioritize ruthlessly. Not everything can be perfect on day one. You can assess risk, determine what's urgent versus what can wait, and focus effort where it matters most. Perfect is the enemy of shipped.

Understand the domain deeply. You've worked in regulated industries or with sensitive data. You understand compliance requirements and know that passing an audit requires actual security.

Build for engineers. Security controls that engineers route around are useless. You design systems that make the secure path the easy path. You understand developer experience matters.

Have strong opinions that you're willing to defend. We have a culture of vigorous discussion and debate on technical decisions. We'll push you to defend your choices, and we want you to push back.

Don't settle. Challenge yourself to frequently and consistently deliver exceptional work. If something could be more secure, take the initiative to improve it.

Have great ideas, and lots of them. You should see opportunities all around you to make our systems more secure. We'll give you an environment where you can act on those ideas.

Are self-motivated. You can take a goal and drive towards it without needing extensive hand-holding. The team is supportive and loves to share knowledge and advice, but there's no time for micromanaging your work.

Are comfortable with ambiguity. There are a million ways to secure a system; you should feel at ease making a decision under uncertainty while balancing competing constraints.

Are confident you can learn quickly. Mortgage is complex, our platform is complex, good security engineering is complex. You've got to have an attitude that you can absorb it, get on top of it, and build something better than what came before.

Love strong typing. We're a team full of people who love Haskell and Rust (and Idris!) and take pride in pushing TypeScript to its limits. Type safety is security.

About the Team

What we're not:

A compliance checkbox:

  • We're not looking for someone to run audits and fill out questionnaires. We need someone building actual security.

  • If you think security means following frameworks without understanding why, Pylon will be frustrating for you.

A separate security organization:

  • You won't have a team of security analysts reporting to you. You'll be embedded with engineering, influencing how we build, not reviewing after the fact.

  • If you need organizational authority to get things done rather than technical credibility, this isn't the role.

An easy job:

  • We're building a lot of things from the ground up for the first time. Working at Pylon is like a research project where you have to ship to intelligent, opinionated customers regularly.

  • It's basically guaranteed you'll be handed a task that is too difficult for you to do. You might fail sometimes. You might have no idea where to start. Our team leans heavily on each other, but there's no getting around the difficulties.

What we are:

A small team:

  • We don't have an army of engineers. If you find a security gap, you are probably the best one to fix it.

  • All the code we write has to punch above its weight in maintainability and toil reduction.

  • If you have a good idea, you have much more ability to put it into action than at a large company.

Working in a regulated space:

  • Mortgage is regulated both federally and at the state level.

  • We handle extremely sensitive financial data. Security failures have real consequences.

  • We move fast, but breaking things isn't an option.

Pylon builds a transformative API-first platform that automates the entire mortgage process, including credit, compliance, capital, and operations. Designed for lenders and financial institutions, our infrastructure enables seamless integration and streamlined workflows in mortgage lending. What sets us apart is our commitment to reinventing traditional mortgage systems with a fully programmatic approach.
