Security Lead

NYC or Palo Alto preferred, open to remote (US, CA). English-first communicator required — your writing goes directly to vendors, auditors, and customers without review.

About Whop

Whop is the ultimate virtual market that lets people earn money by starting shops and creating content. We deliver $2.5B per year in income to people across the globe and have more than 5M monthly users.

About the role

Whop is hiring our first dedicated security hire. You will work closely with our CTO to uplevel the team’s security posture.

This role is responsible for owning all security outcomes: infrastructure, compliance, external programs, and internal security. You'll drive execution and hold an extremely high bar for our security posture. We are looking for someone highly technical – an engineer first. The ideal candidate is a backend/infra engineer who evolved into security — you owned security at a startup because no one else would.

We're mid-SOC2 with a handful of vendors supporting our IT and Security. You'll inherit these relationships and make them yours, and work across every internal team to drive execution. You'll work closely with the CTO, head of legal, chief of staff, and head of ops.

This is a hands-on role. We are looking for a technical individual contributor to independently build these programs from scratch.

Scope:

• Own SOC2 and data privacy compliance (audits, GDPR, CCPA)
• Own infrastructure security (AWS, Vercel, Cloudflare, PlanetScale - secrets, access controls, monitoring)
• Own security incident response (detection, triage, remediation, post-mortems)
• Own external security programs (bug bounty, pen tests, threat monitoring)
• Own internal security (IT vendor, device security, office security, training)
• First line of escalation for all security issues

What we’re looking for

• Highly technical — understands backend systems, infra, APIs, how things break. Can actually fix issues, not just identify them
• Extremely organized, high attention to detail
• High agency, scrappy, and urgent
• Extremely clear communicator - written and verbal
• Paranoid in the right way - thinks like an attacker to protect us
• Willing to push back, but trusted enough that people listen
• Highly available and responsive
• Always learning, loves to teach
• Builds systems that make you redundant over time
• 5+ years in security, has owned a program before
• Low-ego - cares about outcomes, not credit
• Uses modern tools (AI agents), and stays current on threat landscape
• Constantly monitors and adjusts what you ship
• Series A/B or high-growth startup experience preferred

Your first 90 days will look like the following:

• Within 30 days, you’ve audited our current security posture, met all stakeholders, and fully own the SOC 2 process and IT/security vendor relationships
• Within 60 days, you’ve taken Whop’s existing SOC 2 effort across the finish line (or are in final audit stages). Core infrastructure security is locked down, vendors are executing, and policies, runbooks, and incident response procedures are documented and in use
• Within 90 days, our external security program is live (bug bounty, pen tests, threat monitoring). You’re running security autonomously day-to-day, with the CTO only involved in major decisions. Teams are operating against clear security standards, and you’ve partnered with IT and Ops to improve physical and workplace security across our NYC and PA offices so Whop feels like a safe place to work for employees and customers