Security Lead Engineer

TLDR

Lead security initiatives from scratch, ensuring SOC2 compliance and infrastructure security while collaborating directly with the CTO and cross-functional teams.

About Whop

Whop is a financial technology company on a mission to provide the world with sustainable income. Our vision is to create the world’s largest internet market, where people can create, connect, and transact all from a single platform. Whop enables individuals and businesses to accept payments, launch ventures, and engage with others across the network. 

Today, Whop facilitates over $3 billion in annual payouts to people in 144 countries. Growth continues to accelerate, with gross transaction volume increasing roughly 25% month over month. 

Whop has raised hundreds of millions from institutional investors like Insight, Bain Capital Ventures, A*, and Peter Thiel — including a recent strategic investment from Tether, the largest stablecoin company in the world.

Our current team is made up of young, passionate entrepreneurs who grew up on the internet — over 75% built a business before joining Whop, including 53 former founders and 30 who scaled past $1M in revenue. Product leadership includes backgrounds from Meta and Robinhood.

For more information, visit whop.com.

About the role

Whop is hiring our first dedicated security hire. You will work closely with our CTO to uplevel the team’s security posture.

This role is responsible for owning all security outcomes: infrastructure, compliance, external programs, and internal security. You'll drive execution and hold an extremely high bar for our security posture. We are looking for someone highly technical – an engineer first. The ideal candidate is a backend/infra engineer who evolved into security — you owned security at a startup because no one else would.

We're mid-SOC2 with a handful of vendors supporting our IT and Security. You'll inherit these relationships and make them yours, and work across every internal team to drive execution. You'll work closely with the CTO, head of legal, chief of staff, and head of ops.

This is a hands-on role. We are looking for a technical individual contributor to independently build these programs from scratch. 

Scope:

  • Own SOC2 and data privacy compliance (audits, GDPR, CCPA)
  • Own infrastructure security (AWS, Vercel, Cloudflare, PlanetScale - secrets, access controls, monitoring)
  • Own security incident response (detection, triage, remediation, post-mortems)
  • Own external security programs (bug bounty, pen tests, threat monitoring)
  • Own internal security (IT vendor, device security, office security, training)
  • First line of escalation for all security issues

What we’re looking for

  • Highly technical — understands backend systems, infra, APIs, how things break. Can actually fix issues, not just identify them
  • Extremely organized, high attention to detail
  • High agency, scrappy, and urgent
  • Extremely clear communicator - written and verbal
  • Paranoid in the right way - thinks like an attacker to protect us
  • Willing to push back, but trusted enough that people listen
  • Highly available and responsive
  • Always learning, loves to teach
  • Builds systems that make you redundant over time
  • 5+ years in security, has owned a program before
  • Low-ego - cares about outcomes, not credit
  • Uses modern tools (AI agents), and stays current on threat landscape 
  • Constantly monitors and adjusts what you ship
  • Series A/B or high-growth startup experience preferred

Your first 90 days will look like the following:

  • Within 30 days, you’ve mapped how access, data, money, and production systems actually work at Whop. Incident detection is materially improved through stronger logging and monitoring, with clear signals for suspicious access and misuse. You’ve established clean ownership and escalation for security incidents, tightened obvious risk boundaries, and taken ownership of all security-relevant systems and vendors without broadcasting internal gaps.

  • Within 60 days, security fundamentals are standardized and enforced through engineering systems, not policy alone. Identity, access, secrets, devices, production access, and financial systems operate on least-privilege defaults with strong auditability and fast revocation. Guardrails are embedded into workflows so engineers and operators naturally do the safe thing. SOC 2 is in final stages as a consequence of these systems being in place and actively used.

  • Within 90 days, Whop’s security posture is durable under real-world pressure. External security programs are live, incidents are detected early and handled predictably, and critical systems are resilient to abuse, compromise, and traffic spikes. Sensitive data is controlled and minimized by default. Employees can safely use modern tools, including AI, without creating hidden risk. SOC 2 is complete, policies are followed in practice, and security runs autonomously day-to-day with minimal CTO involvement.

     

Benefits Overview

✅ Minimum cash comp of $250,000K + a competitive equity package

❤️ Unlimited PTO, with full health, vision, dental coverage

🍕 Lunch & dinner paid for Monday thru Friday

💻 3k ramp card to get you the latest Macbook Pro & tech accessories

This role is a Security Lead Engineer who will report to the CTO.


 


Whop is a financial technology platform aimed at creating the world’s largest internet market. We empower individuals and businesses to connect and transact seamlessly, enabling them to accept payments, launch ventures, and grow their networks. With over $3 billion in annual payouts across 144 countries and rapid growth in transaction volume, Whop stands out by providing sustainable income opportunities in the digital economy.

Salary
$250,000 per year