ProductSecurityLead

Cardless is the infrastructure that lets consumer brands put credit cards directly in their own product. Instead of sending customers off to a bank's website to manage their card, our platform handles the credit program end-to-end (applications, underwriting, servicing, rewards, compliance), so brands can build the card experience inside their own ecosystem. We power programs for Coinbase, Bilt, Qatar Airways, Alibaba, and others. We've raised $170M to date, most recently a $60M Series C led by Spark Capital. We're hiring a Product Security Lead to drive how we build security into the platform. The work spans authentication, authorization, anti-abuse controls, in-product fraud primitives, and the secure-by-design practices that come with running credit infrastructure for partners of this caliber. The role is hands-on and deeply cross-functional, working with Engineering, Risk, Compliance, Legal, and Data. You'll report to the Head of Engineering. RESPONSIBILITIES - Own the security model for our partner-facing APIs: authentication, authorization, tenant isolation, abuse prevention, signing, and audit logging. - Drive a coherent auth strategy across services and surfaces, including step-up auth for sensitive actions and a strong-auth roadmap (passkeys and beyond). - Build the device telemetry, behavioral signals, and velocity primitives that fraud and risk functions depend on. - Be the secure-by-design partner with Engineering — sit in on architecture reviews before features ship, write the threat models, own the tradeoffs. - Own secure SDLC: SAST/DAST, dependency scanning, secret detection, and the security tooling engineers interact with daily. - Coordinate with our infrastructure team to improve our security posture across the stack: from infrastructure, to supply chain, to first-party applications, to third-party dependencies and SaaS platforms. - Be the technical authority on sensitive payment data. Keep the footprint small and well-defined as the platform grows