Senior Security Engineer

About the role

We are looking for a Senior Security Engineer with strong crypto and Web3 domain knowledge to join our Engineering team. You will be part of a collaborative team headquartered in Tokyo (Shibuya), operating on Japan Standard Time. We are hiring across APAC for candidates who can work in close timezone alignment with the Tokyo team. Reporting directly to the Director of Engineering, you will own the security posture of our products and infrastructure from end to end, spanning application security, cloud and Kubernetes environments, smart contract security, security operations, and compliance. This is a high-impact role based in our Tokyo office, or fully remote from within the APAC region. You must be physically located in Japan or a nearby APAC country with working hours that fully overlap with Japan Standard Time (JST/UTC+9). Candidates outside APAC who plan to work night shifts to cover JST will not be considered. You will work closely with our DevOps and Engineering teams across an AWS-native, containerized stack, and help us stay ahead of the rapidly evolving, AI-accelerated threat landscape in the crypto and Web3 space.

Key responsibilities

• Lead the design and implementation of security controls across AWS, EKS/Kubernetes, CI/CD (Jenkins, GitHub Actions, ArgoCD), and AI/agentic engineering workflows.
• Own threat modelling, risk assessments, and security architecture reviews across infrastructure, applications, and AI-driven systems.
• Drive vulnerability management end-to-end — including code, infrastructure, and AI-generated artifacts — using tools such as NewRelic, Bugsnag, and security scanners.
• Define and enforce secure coding and AI usage standards, including guardrails for LLMs, copilots, and automated workflows.
• Build and operate security monitoring, alerting, and incident response capabilities, including detection and handling of AI/agent-related risks.
• Evaluate and manage security and AI tooling (SAST/DAST, SIEM, EDR, secrets management), ensuring least-privilege access and secure integrations.
• Harden infrastructure and data layers (Terraform, IAM, VPC, Cloudflare, Cassandra, Kafka, Redis), including protections against unauthorized or automated actions.
• Drive compliance (SOC 2, ISO 27001) with a focus on auditability, data protection, and governance of AI systems.
• Act as a security leader — educating teams, shaping best practices, and staying ahead of threats across AI, cloud, and Web3 (smart contracts, key management, bridges).
• Partner with blockchain/product teams to mitigate risks in decentralized systems.
  

Requirements

We are looking for someone with hands-on experience across both offensive and defensive security disciplines:

• Based in APAC, within roughly ±2 hours of Japan Standard Time (JST/UTC+9), e.g., Japan, South Korea, Taiwan, Philippines, eastern Australia, etc. Full daily overlap with Tokyo working hours is required. 
• 5–8 years in security engineering across application, cloud, and infrastructure security.
• Strong understanding of crypto/Web3 security (smart contracts, wallet/key management, blockchain attack vectors).
• Deep hands-on experience securing AWS (IAM, VPC, EKS, S3, EC2) and Kubernetes environments.
• Proficiency in AppSec (OWASP Top 10, secure SDLC, code reviews) and common security tooling (SAST/DAST, SIEM, secrets management).
• Solid foundation in network security, cryptography, and auth protocols (OAuth, SAML, MFA).
• Experience with incident response, threat modelling, and frameworks like MITRE ATT&CK.
• Familiarity with compliance standards (SOC 2, ISO 27001, NIST, GDPR).
• Strong communication skills and ability to operate autonomously.

Nice to have 

• Certifications (CISSP, OSCP, AWS Security, etc.).
• DevSecOps experience and CI/CD security integration.
• Experience with Cloudflare, service mesh (Istio), or microservices security.
• Background in software engineering (Java, Rust, TypeScript).
• Smart contract auditing or Web3 tooling (Slither, MythX, Certora, on-chain monitoring).
• Experience building or scaling a security function.