Product Security Engineer

Greenlight is the leading family fintech company on a mission to help parents raise financially smart kids. We proudly serve more than 6 million parents and kids with our award-winning banking app for families. With Greenlight, parents can automate allowance, manage chores, set flexible spend controls, and invest for their family’s future. Kids and teens learn to earn, save, spend wisely, and invest.

At Greenlight, we believe every child should have the opportunity to become financially healthy and happy. It’s no small task, and that’s why we leap out of bed every morning to come to work. Because creating a better, brighter future for the next generation depends on it.

We are seeking an experienced and motivated Staff Product Security Engineer to join our growing Security team. This individual will be responsible for the end-to-end security of our consumer products, digital platform and an emerging hardware device line. The Staff Product Security Engineer will drive security review, threat modeling programs, lead penetration testing, manage PSIRT operations, champion secure AI adoption and establish security guardrails for AI powered products and AI assisted development workflows within a highly regulated financial services environment.

This role reports to the Senior Manager of Product Security.

• Lead security architecture/design review and threat modeling sessions with product and engineering teams using STRIDE, PASTA and attack tree methodologies.
• Translate threats into actionable, risk-rated engineering remediations prioritized by severity.
• Conduct hands‑on penetration testing and security assessments across our full product stack producing actionable reports for engineering and leadership.
• Red‑Team our AI powered products and development tools to test for prompt injection, data exfiltration, MCP server exploitation, and tool misuse. Probe AI guardrails to ensure they hold. Experience with product security tools such as Burp Suite, Metasploit, Kali Linux, Postman, etc.
• Drive PSIRT Operations by triaging incoming vulnerability reports, leading technical investigations, coordinating remediation with engineering, scoring severity (CVSS), managing coordinated disclosure with external researchers and on‑call incidents. This includes managing zero day findings, driving remediation, collaborating with engineering to patch or mitigate with compensating controls.
• Shape the posture of our AI assisted development environment defining and enforcing enterprise policies for Claude and Cursor.
• Partner across the organization, sitting in design review with architects, advising product managers and engineering teams on security and compliance implications of new features, briefing executives on emerging AI threats, mentoring junior security engineers and collaborating with the AI team on securing ML pipelines.
• Champion Security Culture by running developer training on secure coding with AI assistants, evangelizing security by design for products and ensuring every engineer understands that product security is an enabler and not a gate.

• 10+ years of product security experience spanning application security, cloud security, and secure SDLC. You will have full SDLC experience from design through development, deployment and incident response.
• Expert level Threat Modeling using STRIDE, PASTA or equivalent across web, mobile, cloud, embedded and AI systems.
• Hands‑on penetration testing skills across applications, API, cloud infrastructure, and hardware/firmware. You think like an attacker and you can provide it through published research, CVE discoveries, bug bounty results or red‑team engagements.
• PSIRT operational experience from vulnerability intake and triage. You are fluent in CVE, CVSS, FIRST PSIRT frameworks.
• Deep hands‑down AI security expertise and expert level understanding of OWASP Top 10 for LLM, API, Web, Mobile and have practical experience with MITRE.
• Strong hands‑on experience in security tools SAST, DAST, SCA, and securing AI development tools specifically Claude and Cursor.
• You understand MCP security risks and know how to architect enterprise guardrails that…