Senior Security Engineering Manager (Product Security)

Role overview

Lead security engineering at Upstart by scaling security practices across application security, infrastructure security, offensive security, and product security. Partner with engineering and business teams to identify high-priority risks, align on pragmatic mitigations, and embed security early in planning and development.

Key responsibilities

• Define and lead the Security Engineering roadmap across application, infrastructure, offensive, and product security.
• Manage, train, and develop a team of security engineers with clear goals, measurable impact, and growth opportunities.
• Collaborate with Engineering, Product, Infrastructure, Risk, Compliance, and Audit teams to identify priority security risks and align on mitigations.
• Establish operating processes for the security program, including priorities, metrics, and reporting for leadership.
• Improve product security outcomes by building/scaling security engineering functions and developer security guardrails.

Requirements

• Experience leading security engineering programs in at least two domains: application security, infrastructure security, offensive security, product security, cloud security, or secure SDLC.
• Cross-functional partnership experience with Engineering, Product, Infrastructure, Risk, Compliance, and Audit.
• Strong understanding of modern architectures (e.g., APIs, web apps, cloud-native services), identity & access controls, CI/CD pipelines, and common vulnerability classes.
• 8+ years in security engineering/software/infrastructure/offensive/product security or related roles.
• 3+ years leading or formally developing security engineers/technical teams.
• Experience defining roadmaps, priorities, metrics, and operating processes for security programs.
• Knowledge of AWS, Kubernetes, containers, CI/CD security, IaC security, IAM, vulnerability management, API security, and modern application security testing.
• Experience managing security work in regulated/fintech environments or similarly high compliance settings.
• Familiarity with security considerations for AI/ML systems and/or data-intensive, lending/fintech platforms.
• Hands-on experience scaling security tooling such as:
  • SAST, DAST, SCA
  • IaC scanning and secrets detection
  • attack surface management, bug bounty intake
  • penetration testing workflows and vulnerability management platforms
• Ability to communicate technical risk, tradeoffs, and recommendations to both technical and senior leadership audiences.
• Security certifications such as CISSP, CSSLP, CCSP, AWS Security Specialty, GIAC, OSCP, or equivalent.

Nice-to-haves

• Exposure to regulated financial technology and high-trust customer-facing product security.
• Experience integrating security outcomes across Legal, Risk, Compliance, and Audit to reduce friction while improving security posture.