Senior Security Engineer - Platforms Team

Atlys

India · Delhi, India
Posted on Dec 22, 2025

Job description

🎯 Atlys' mission is to enable every person on earth to travel freely.

At Atlys, we believe that the path to creating a more open world is by making it efficient to travel. Travelers cite visas as the most frustrating pain point, and we're starting by automating that completely. We're looking for talented people who are interested in building the future of travel alongside us.

Building technology to increase global movement liquidity will be one of the most exciting developments in decades. If you are curious why the smartest people want to work at Atlys, read this post.

We’re looking for engineers with grit and vision who want to build a modern platform to make travelling efficient and delightful. This role is critical in achieving our goals - expanding coverage to support more destinations worldwide, automating entire processes and reducing support volume to offer a truly self-serve experience. We talk to customers daily, ship code several times a day, and measure every little interaction!

Job requirements

We're hiring our Founding Security Engineer to own Application Security. This is an AppSec-heavy role. To start with, you'll focus entirely on finding and fixing vulnerabilities in our web applications, mobile apps, and APIs. Your mission is to ensure our applications are secure.

This isn't a checkbox compliance role. This is a hands-on security testing position where you'll be hunting for vulnerabilities, working directly with developers to fix them, and building a security-first culture within engineering.

The Job


Security Testing & Vulnerability Hunting (60%):

  • Manual Penetration Testing: Conduct regular security assessments of our web applications, mobile apps (Android/iOS), and REST APIs

  • Vulnerability Discovery: Find security flaws through manual testing, not just automated scanning - business logic flaws, authorization issues, authentication bypasses, injection vulnerabilities

  • Mobile Application Security: Test Android and iOS applications for vulnerabilities specific to mobile (insecure data storage, SSL pinning issues, mobile-specific attack vectors)

  • API Security Testing: Assess REST APIs serving all our end user segments - B2C, B2E, B2G government integrations

  • Security Code Reviews: Review code for security issues in critical flows (authentication, authorization, document handling, payment processing)

Vulnerability Management (25%):

  • Vulnerability Remediation: Work closely with development teams to ensure vulnerabilities are fixed according to defined SLAs based on severity

  • Retest & Validation: Verify fixes are effective and don't introduce new vulnerabilities

  • Vulnerability Database: Maintain a database of findings, track remediation status, generate metrics

  • Bug Bounty Program: Run and manage our bug bounty program - triage findings, validate vulnerabilities, work with researchers, manage disclosures


Security Program Building (15%):

  • Secure Coding Guidelines: Create and maintain secure coding standards for our engineering team

  • Security Training: Conduct developer security training - both formal sessions and ad-hoc guidance

  • Threat Modeling: Participate in design reviews for new features to identify security risks early

  • Security Champions: Build a security champions program within engineering teams

  • Security Documentation: Create runbooks, security testing guides, and vulnerability remediation playbooks


The Ideal Candidate


Must-Have:

  • Passionate about Security: We are looking for someone who lives and breathes security and understands security concepts in depth

  • Skin in the game: Someone who has high ownership and a bias for action

  • 3+ years of hands-on application security testing experience - we need someone who's already good at finding vulnerabilities/security issues and has the knack and passion for it

  • Manual penetration testing skills - you can find vulnerabilities that scanners miss, understand attack chains, and think like an attacker

  • Deep OWASP Top 10 knowledge - not just awareness, but practical experience exploiting and remediating these vulnerability classes

  • Tool proficiency: Burp Suite (must-have), OWASP ZAP, MobSF, or similar application security testing tools

  • Mobile security experience - Android and/or iOS security testing (SSL pinning, insecure storage, mobile-specific attack vectors)

  • API security testing - experience testing REST APIs for authentication, authorization, and injection flaws

  • Strong communication - you'll explain vulnerabilities to developers and security risks to leadership in a way they understand

  • Autonomous work style - you'll be the only dedicated security engineer initially, so you need to drive your own work and priorities.

Strong Plus:

  • Bug bounty experience - active participation or CVE assignments reported

  • Security research - blog posts or write-ups where you have shown your security work

  • Multi-platform testing - experience with web, mobile, API, client security

  • Code reading ability - can review code in Python, NodeJS, Go to find vulnerabilities

  • Business logic flaw experience - can identify flaws in application workflow, not just technical vulnerabilities

Nice-to-Have:

  • Compliance knowledge (SOC 2, ISO 27001)

  • Development background (former developer transitioning to security)

  • Scripting skills for automation


Why This Role is Unique

  • Pure AppSec focus: No infrastructure distractions, no compliance checkbox work - just find and fix vulnerabilities

  • First security hire: Define how we approach application security from scratch

  • Direct impact: Your work directly protects passport data and sensitive documents for thousands of travelers

  • Autonomy: Drive your own testing roadmap, decide what to test and when

  • Work with a strong engineering team: Partner with our developers to drive security measures across our applications

  • Cross-cultural impact: Secure applications serving users from 200+ countries

Why Atlys?

  • Build a security program from the ground up with full leadership support.

  • Work on technology that enables global movement - one of the most exciting developments in decades

  • Fast-paced, high-trust environment with significant ownership

  • Competitive compensation and Series B equity

  • Smart colleagues who ship fast
