Job Specifications
NYC or Palo Alto preferred, open to remote (US, CA). English-first communicator required — your writing goes directly to vendors, auditors, and customers without review.
About Whop
Whop is the ultimate virtual market that lets people earn money by starting shops and creating content. We deliver $2.5B per year in income to people across the globe and have more than 5M monthly users.
About The Role
Whop is hiring our first dedicated security hire. You will work closely with our CTO to uplevel the team’s security posture.
This role is responsible for owning all security outcomes: infrastructure, compliance, external programs, and internal security. You'll drive execution and hold an extremely high bar for our security posture. We are looking for someone highly technical – an engineer first. The ideal candidate is a backend/infra engineer who evolved into security — you owned security at a startup because no one else would.
We're mid-SOC2 with a handful of vendors supporting our IT and Security. You'll inherit these relationships and make them yours, and work across every internal team to drive execution. You'll work closely with the CTO, head of legal, chief of staff, and head of ops.
This is a hands-on role. We are looking for a technical individual contributor to independently build these programs from scratch.
Scope
Own SOC2 and data privacy compliance (audits, GDPR, CCPA)
Own infrastructure security (AWS, Vercel, Cloudflare, PlanetScale - secrets, access controls, monitoring)
Own security incident response (detection, triage, remediation, post-mortems)
Own external security programs (bug bounty, pen tests, threat monitoring)
Own internal security (IT vendor, device security, office security, training)
First line of escalation for all security issues
What We’re Looking For
Highly technical — understands backend systems, infra, APIs, how things break. Can actually fix issues, not just identify them
Extremely organized, high attention to detail
High agency, scrappy, and urgent
Extremely clear communicator - written and verbal
Paranoid in the right way - thinks like an attacker to protect us
Willing to push back, but trusted enough that people listen
Highly available and responsive
Always learning, loves to teach
Builds systems that make you redundant over time
5+ years in security, has owned a program before
Low-ego - cares about outcomes, not credit
Uses modern tools (AI agents), and stays current on threat landscape
Constantly monitors and adjusts what you ship
Series A/B or high-growth startup experience preferred
Your First 90 Days Will Look Like The Following
Within 30 days, you’ve audited our current security posture, met all stakeholders, and fully own the SOC 2 process and IT/security vendor relationships
Within 60 days, you’ve taken Whop’s existing SOC 2 effort across the finish line (or are in final audit stages). Core infrastructure security is locked down, vendors are executing, and policies, runbooks, and incident response procedures are documented and in use
Within 90 days, our external security program is live (bug bounty, pen tests, threat monitoring). You’re running security autonomously day-to-day, with the CTO only involved in major decisions. Teams are operating against clear security standards, and you’ve partnered with IT and Ops to improve physical and workplace security across our NYC and PA offices so Whop feels like a safe place to work for employees and customers
About the Company
Whop is building a platform to service the internet economy. Millions of people are building new products that they are selling guerrilla style on social media and on forums throughout the internet. Whop gives these sellers a sleek storefront that can accept payments, seamlessly deliver digital products, and attract new customers visiting our marketplace. We currently handle almost $1B+ in yearly payments with thousands of active merchants. To view our open roles, please visit https://careers.whop.com
Know more