At R2, we believe that small and medium businesses are the productive engine of society. Small and medium businesses (SMBs) make up over 90% of companies in Latin America, yet they face a trillion-dollar credit gap. Our mission is to unlock SMBs’ potential by providing financial solutions tailored to their needs. We are reimagining the financial infrastructure of Latin America, where SMBs’ financial needs are met without ever having to go to a bank.
R2 enables platforms across Latin America to embed financial services that SMBs can leverage, starting with revenue-based financing. We are a high-performing, close-knit team with talent from organizations such as Google, Amazon, Nubank, Uber, Capital One, Mercado Libre, Globant, and J.P. Morgan.
We are entering a new phase of growth following a strategic investment from Ant International, focused on rapidly expanding our partner footprint, strengthening our credit and underwriting capabilities, and scaling operations across multiple markets. As part of this growth journey, eligible team members have the opportunity to participate in R2’s Phantom Share Program, a performance-based incentive designed to align our team with the company’s long-term success and value creation. We believe in building a culture of ownership, where those who help create value share meaningfully in it.
As an Application Security Engineer, you will ensure the operational efficiency of our IT systems and support the security posture of a growing fintech company. You’ll report to the Director of Infrastructure and work closely with our DevOps and Software Development teams. We’re looking for someone proactive, detail-oriented, and passionate about technology.
What You'll Do:
- Conduct secure code reviews for Go-based microservices and identify vulnerabilities early in the development cycle.
- Perform security testing of APIs, web applications, and backend services before they reach production.
- Establish and evolve secure coding standards, guardrails, and reusable patterns for engineering teams.
- Lead threat modeling sessions with engineering and product teams at the design phase of new features and services.
- Define and enforce security gates in CI/CD pipelines: SAST, DAST, SCA, and secrets scanning with blocking criteria for high-severity findings.
- Own the DAST process end-to-end: tool selection, scheduling, escalation workflows, and remediation tracking.
- Integrate container image scanning and infrastructure-as-code (IaC) security checks into deployment pipelines.
- Support hardening initiatives across Kubernetes, ingress, and workloads.
- Contribute to the security observability program by defining and tuning alerting rules for authentication anomalies and suspicious API usage.
- Drive the adoption of secure development across engineering teams by providing guidance, training, and hands-on support.
- Build and maintain security documentation, runbooks, and standards
- Triage, prioritize, and track remediation of security findings across the platform.
- Coordinate external penetration tests and work with vendors on scope, debriefs, and remediation plans.
- Sit with product and business teams to understand risk from a product perspective.
- Ensure there are no open high-severity findings older than 30 days.
Who You Are:
- 3–5 years of experience in application security, product security, or a similar role.
- Hands-on experience with SAST/DAST tools (Snyk, Checkmarx, OWASP ZAP, Burp Suite, or equivalent).
- Solid knowledge of OWASP Top 10 for web and APIs and real-world exploitability assessment
- Experience reviewing code in Go or similar compiled languages.
- Familiarity with Kubernetes, containers, and cloud-native architectures.
- Strong written and verbal communication, able to explain security risks clearly to both engineers and non-technical stakeholders.
- Self-driven and comfortable working with autonomy in a fast-paced environment.
- English proficiency — written and spoken (required).
- Certifications such as OSCP, OSWE, CEH or eWPT.
- Experience with Istio or service mesh security.
- Familiarity with compliance frameworks such as ISO 27001, GDPR, or SOC 2.
- Threat modeling experience (STRIDE, PASTA, or similar).
- Experience in fintech or regulated environments.
What We Offer:
- The chance to join a high-impact, mission-driven fintech with regional scale
- Cross-functional collaboration with exceptional teams across Latin America
- Equipment provided by R2
- Training budget for professional development
- Career growth within R2
Location: São Paulo, Buenos Aires or Santiago.