Senior Application Security Engineer

Why should you join dLocal? dLocal enables the biggest companies in the world to collect payments in 40 countries in emerging markets. Global brands rely on us to increase conversion rates and simplify payment expansion effortlessly. As both a payments processor and a merchant of record where we operate, we make it possible for our merchants to make inroads into the world's fastest-growing, emerging markets. 
By joining us you will be a part of an amazing global team that makes it all happen, in a flexible, remote-first dynamic culture with travel, health and learning benefits, among others. Being a part of dLocal means working with 1000+ teammates from 30+ different nationalities and developing an international career that impacts millions of people's daily lives. We are builders, we never run from a challenge, we are customer-centric, and if this sounds like you, we know you will thrive in our team.
About Us & The Role:
We're not building a traditional security team. We are a lean, forward-thinking organization that rapidly adopts the latest disruptive innovations to stay ahead of the curve. We believe the future of defense is smart, efficient, and scaled, and we're leveraging AI agents and modern platforms to build it (e.g., AI-assisted code analysis, GenAI-driven auto-patching, and advanced runtime/code correlation).
We are looking for a hands-on Application Security Engineer who is a builder and a pragmatist at heart. This isn't just a "scanner-pusher" or "ticket-filer" role; it's a "full-stack" security engineering position. You'll be a hands-on security partner, a developer's trusted ally, and a code-level expert, embedding security into our entire S-SDLC.
In our environment, a small, senior team means massive impact. You won't just find vulnerabilities; you'll help build the secure-by-default libraries, CI/CD guardrails, and AI-assisted tooling (like GenAI-powered auto-patching suggestions) that prevents them at scale. You'll also be a key voice in securing our next-generation services, including our use of LLMs and generative AI. What will I be doing?

• Implement a software assurance model designed to address security defects early in the delivery pipeline
• Perform security design reviews for new features and product releases
• Perform code reviews and advise developers on remediation techniques
• Design controls to detect and respond to common attacks on our platform
• Tech talks in high technical level to engineers
• Triage and respond to external inquiries around security vulnerabilities
• Facilitate internal training on various security topics to raise awareness and interest
• Build & Drive the S-SDLC: Build and drive a modern software assurance model, embedding security into the entire S-SDLC from day one, from design to deployment
• Partner on Secure Design: Partner with engineering teams to conduct security design reviews and threat models (STRIDE, etc.) for new features, microservices, and platforms
• Be a Hands-On Code Expert: Perform hands-on, code-level security reviews (Java, Go, Python, NodeJS) and provide pragmatic remediation guidance that empowers developers
• Secure Modern Applications: Design and help implement controls to detect and respond to modern application attacks (OWASP Top 10, API, LLM), leveraging advanced combinations of runtime signals and code-level analysis in partnership with our D&R and Platform teams
• Be a Security Champion: Be a security enabler for all of engineering. Lead internal training, tech talks, and create documentation that makes secure coding the easy path
• ASPM: Own and maintain the governance layer of the ASPM program, including workflow definitions, approval processes, risk classification models, and control validation.
• Manage Vulnerabilities Intelligently: Triage, validate, and prioritize findings from our bug bounty program, external disclosures, and automated tooling (SAST/SCA/DAST).

What You Bring:

• A "Builder-Partner" Mindset: You're an engineer at heart. You have strong proficiency in at least one language (Java, Go, Python, NodeJS) and can "speak developer" fluently.
• Proven AppSec Experience: 5+ years of hands-on Application Security experience, with a track record of building and scaling a software assurance program.
• Code-Level Expertise: You can manually find, validate, and help fix complex security flaws in code and APIs. You are not just a tool-runner.
• Deep Knowledge of Modern Threats: You're an expert in the OWASP Top 10s (Web, API, LLM), threat modeling (STRIDE), and secure design principles for cloud-native microservices.
• S-SDLC Tooling Fluency: You've implemented and managed tools like Burp Suite, SAST, DAST, and SCA within a modern CI/CD pipeline (e.g., GitHub Actions).
• Curiosity for the Future: You have experience or a strong, demonstrable interest in securing LLMs and generative AI applications, and you're excited about pioneering revolutionary concepts like AI agent-driven patching and advanced code/runtime analysis.
• A Force-Multiplier: You can lead and influence engineering teams, resolving complex security issues through partnership and technical credibility, not just authority.

Nice to Have:Certified in any related security development certifications like CSSLP, CASE or othersExposure to PCI-DSS, ISO27001 and/or SOC2 framework or any other relevant security standard will be valuedExtensive knowledge of security architectures, both monoliths and microservices, including how they are developed and operate at scaleHave had developed a personal or enterprise software/script with focus on security (exploitation of vulnerabilities, hardening automation, API integration for security) Why You'll Love It Here:

• This is a high-impact, high-ownership role. You'll join a small, senior team where everyone contributes end-to-end. We're building a modern, intelligent, and automated defense program from the ground up. If you're tired of legacy tools and "bolt-on" security, and you want to build the future of proactive, automated cyber defense from the code up, let's talk.

What do we offer?
Besides the tailored benefits we have for each country, dLocal will help you thrive and go that extra mile by offering you: - Remote work: work from anywhere or one of our offices around the globe* - Flexibility: we have flexible schedules and we are driven by performance. - Fintech industry: work in a dynamic and ever-evolving environment, with plenty to build and boost your creativity. - Referral bonus program: our internal talents are the best recruiters - refer someone ideal for a role and get rewarded. - Learning & development: get access to a Premium Coursera subscription. - Language classes: we provide free English, Spanish, or Portuguese classes. - Social budget: you'll get a monthly budget to chill out with your team (in person or remotely) and deepen your connections - dLocal Houses: want to rent a house to spend one week anywhere in the world coworking with your team? We've got your back
*For people based in Montevideo (Uruguay) applying to non-IT roles, 55% monthly attendance to the office is required

What happens after you apply? Our Talent Acquisition team is invested in creating the best candidate experience possible, so don't worry, you will definitely hear from us. We will review your CV and keep you posted by email at every step of the process
Also, you can check out our webpage, Linkedin, Instagram, and Youtube for more about dLocal We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.

---