Sr. DevOps Engineer (Copy)

Yofi

Software Engineering

Remote

Posted on Apr 29, 2026
DevOps
Full-time

About Wyllo

Wyllo is a CX-first, end-to-end risk intelligence platform that helps ecommerce merchants manage fraud, policy abuse, and customer experience across the entire commerce lifecycle. By combining identity signals with behavioral intelligence, Wyllo enables merchants to better understand shopper intent and make smarter decisions across checkout, returns, refunds, and customer support. Wyllo works with leading ecommerce brands and integrates directly into the platforms where merchants manage orders and customer interactions. Learn more at www.wyllo.ai


About the Role

We're hiring a Senior DevSecOps Engineer to own the security posture of a production platform that processes millions of real-time transactions for thousands of merchants. You'll report to the Director of DevOps & SecOps and work alongside a small, high-trust infrastructure team.
This is a senior individual contributor role with real scope. You'll drive our PCI DSS 4.0 program end to end — not only the evidence collection, but the architectural decisions that determine what evidence we need to collect in the first place. You'll own our SOC 2 continuous monitoring. You'll decide how security gets enforced in our CI/CD pipelines in a way that keeps developers moving rather than routing around you. Because we handle payment data in a fraud-prevention context, the security work here has an unusually short path to business risk — weak controls don't just invite auditors, they put customer trust on the line.
You'll own the full container security architecture and make the design decisions that shape how we scan at build time and protect workloads at runtime. You'll push compliance automation until evidence is a byproduct of how our systems run, not a quarterly project. You'll evaluate security tooling for this environment and bring a point of view on what we should commit to next. And you'd be a primary voice in how we interpret and meet PCI DSS 4.0's newer requirements — the ones that demand engineering judgment, not just checkbox compliance.


You will

Our stack is primarily AWS, heavily Terraform-managed, with workloads running across a mix of compute services and a container orchestration migration underway. We run multiple CI/CD systems, centralized secrets management, and modern observability and security monitoring across the platform. We're opinionated about Infrastructure-as-Code; we're less opinionated about which specific tools solve a given problem, and we expect the person in this role to bring a point of view on what we should standardize on next.
This is a team that takes security seriously and has built real infrastructure around it — you'd be joining to raise the bar further, not to start from scratch. PCI DSS 4.0 introduces requirements that demand engineering judgment, not just checkbox compliance, and we're looking for someone who can help us interpret what those mean for our specific environment.

You have

You've spent six or more years securing production cloud environments — the specifics matter less to us than the trajectory: did the problems get harder, did your ownership grow, and can you point to outcomes that mattered? You're fluent in Terraform and AWS at the level where IAM policy decisions come from experience, not from re-reading the docs each time — the kind of fluency you get from having cleaned up a bad VPC peering mistake, not from passing a certification exam. You write Python and Bash well enough that when you see a manual process, your instinct is to automate it before the third time you do it. You've led at least one compliance implementation — PCI, SOC 2, HITRUST, FedRAMP; the shape of the work matters more than the specific framework — and you came out of it knowing which controls actually reduced risk in your environment and which ones existed only to satisfy an auditor who would never check twice.
We care a lot about how you think about the engineering relationship. Security people who treat developers as adversaries don't fit here. When a developer routes around a security control here, your first question should be what made the control annoying enough to dodge — not how to lock the bypass down harder. Good communication is a real part of the job — you'll spend meaningful time with auditors, with leadership, and with engineers who don't think about security full-time, and moving between those audiences is work we need you to do well.
Experience in payments, fraud prevention, or any regulated-data domain is a plus. Certifications are not required; we evaluate on what you've built and how you reason about trade-offs.

Working at Wyllo

We’re a high-performing team that is passionate about fraud and a community driven by values that shape everything we do. We seek passionate and dedicated individuals who align with our core principles: Integrity, Pride, Humility and Impact.
  • Integrity: We do the right thing, even when it’s tough, and even if no one sees it. We always consider the customer’s best interest in every decision we make.
  • Pride: We know that the work we do is important, and we take great pride in doing it well. We show up every day with the best intentions, ready to deliver superb outcomes for our team, our customers, and ourselves.
  • Humility: We leave our egos at the door, approaching problems as a team, with openness and collaboration. We’re willing to be wrong in order to get things right.
  • Impact: We are results-oriented, we take ownership, and we hold ourselves accountable to get things done and deliver results.
If you are excited to collaborate in a fast-paced, purpose-driven environment where your contributions truly matter, we’d love to have you join us!
Equal Employment Opportunity
Wyllo LLC provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability or genetics, sexual orientation, political affiliation, military veteran status, domestic violence victim status, or any other protected characteristic under applicable state and local laws governing nondiscrimination in employment in every location in which the company has facilities. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.
Req ID: R10