Jobs.ca

Senior Application Security Engineer

Relay
1 day ago
Hybrid
Toronto, ON
Senior Level
Full-time

Top Benefits

Competitive salary and equity ownership
Full medical, dental, vision coverage from day one
15 vacation days, 5 flex days, plus holiday week

About the role

Our mission is to increase the success rate of small businesses. Traditional banking has been a growth limiter rather than a growth enabler for business owners, and we’re changing that. Relay is the all-in-one, collaborative money management platform. We’re building for employer SMBs and their finance function, internal and external, and are focused on delivering a human-centric customer experience. Ultimately, we help SMBs be ‘on the money'.

We’re looking for a Senior Application Security Engineer who thrives on autonomy, curiosity, and impact. You’ll work across our stack (from TypeScript and Node.js, to Postgres and AWS cloud infrastructure) ensuring our applications are secure from design to deployment. You’ll blend technical depth with systems thinking, working across teams to identify risks, build guardrails, and evolve our security practices as Relay scales.

This isn’t a “ticket queue” role. Join AppSec to make Relay the safest financial platform for SMBs. You’ll eliminate vulnerabilities before they ship, tame supply-chain risk, and raise the bar on identity, AI safety, and runtime assurance. As part of the platform team you will work closely with our Site Reliability Engineers to ensure that all of our production workloads are safe and secure.

What You’ll Be Doing

  • Shift-left guardrails. Build and maintain secure-by-default libraries and CI checks (SAST/DAST/Secrets/SCA, threat-model gates) so PRs pass AppSec checks and Critical issues are not merged to the codebase. You will partner with product teams to make sure application security controls are in place and secure product standards are met before products ship to customers.
  • Identity & account protection. Engage stakeholders and business partners to harden authentication (e.g., passkeys/WebAuthn), step-up flows, and session controls; drive measurable reduction in security violations.
  • Software supply chain. Enforce provenance: SBOM on every build, dependency pinning/owner verification, private registries/proxies, and runtime SCA detections.
  • SDLC & IDE integration. Embed security into CI/CD (GitHub Actions, pipelines) across JS/TS/Python and other services; maintain secure coding capabilities with IDE integration for all delivery teams.
  • Cloud & infra security. Partner with SREs to enable infrastructure security and embed security features into core applications and workflows.
  • AI security. Guide features through AI risk reviews; cover OWASP Top 10 for LLMs; add safeguards for prompt injection, data leakage, and excessive agency; govern AI-generated code in CI.
  • Threat intel & offensive testing. Track emerging attacks (esp. npm and fintech), run targeted black-box tests, support red/purple team exercises, and publish actionable playbooks.
  • VDP & bug bounty. Triage researcher reports, reproduce/assess impact, coordinate fixes with owners, and close the loop with clear comms and durable controls.
  • Tooling: You have experience working with security tooling and monitoring / alerting systems.
  • Evangelize security. Mentor team members on secure patterns; write concise guidance and runbooks that accelerate delivery rather than slow it down.

Who You Are

  • Experience: You have 5+ years of experience in Application Security, Product Security, Penetration Testing, or similar roles.
  • Software Development: you are an expert in JavaScript, TypeScript, and Python; you can review PRs, contribute code, and create secure libraries in these languages.
  • Security fundamentals: Deep understanding of OWASP Top 10 and real-world exploitation/mitigation techniques.
  • Enablement focused: you strive to accelerate development teams and value guardrails over gates.
  • Clear communicator & collaborator: you are a collaborator who loves to partner with developers to bring value to customers in the most secure way possible.
  • Ownership: You have a sense of responsibility towards problems and take ownership of them, making sure nothing is forgotten and stakeholders stay informed.
  • Mentorship: You are comfortable mentoring team members and members of other teams on security best practices.

Bonus Points

  • Implemented passkeys/WebAuthn or phishing-resistant MFA at scale.
  • Experience with Socket.dev, Semgrep, Datadog AppSec, GitHub Advanced Security, ZAP/IAST, Burp Suite.
  • Built private npm proxies, artifact repos, and SLSA-aligned pipelines.
  • Led or contributed to red/purple team exercises and game days.
  • Fintech/regulatory experience; experience working in compliant environments such as SOC 2.
  • Securing AI workflows and products.
  • You’ve joined a company at its early stages and have seen it through scale
  • Show us your home lab!

Our Commitment to You

  • Competitive salary and meaningful equity: Relay employees are Relay owners, complete with equity and a competitive salary.
  • Comprehensive health benefits: enjoy full health benefits from day one. We offer flexible Health or Wellness Spending Accounts and medical, dental, and vision coverage for you and your dependents.
  • Flexible vacation and time off: every team member starts with 15 vacation days and 5 flex days to use as needed, plus an extra week of office closure during the end-of-year holidays so you can take time off to recharge and come back better for our customers.
  • Parental leave with top-up: we offer 12 weeks off with a 100% salary top-up for all full-time employees, regardless of location, and accessible for all parents: birthing, non-birthing, and adoptive.
  • Hybrid work environment: we value meaningful collaboration and connection at our Toronto office twice a week, with lunch, snacks, and beverages on us.
  • Dog-friendly space: can dogs really make you happy and healthy? We don’t know for sure, but since we don’t want to chance it, our office is 100% floof-friendly.
  • Personal and professional growth: through ongoing feedback, mentorship, and coaching, work with peers and leaders who are invested in your growth and success.
  • Top-tier equipment: as a Mac-first company, our Toronto offices have everything you need to produce your best work comfortably, from multiple screens to ergonomic seating.
  • Social connection: we believe in celebrating our wins with two annual company-wide get-togethers, quarterly team events, happy hours, and special events and networking opportunities with industry leaders.

The Interview Process

  • Stage 1: A 45-minute Google Meets video call with a member of our Talent team
  • Stage 2: A 60-minute Google Meets video call with the hiring manager going through some technical questions.
  • Stage 3: A 60-minute secure code review exercise with the hiring manager, and another senior member of our AppSec team
  • Stage 4: A 45-minute in-person interview with a member of our leadership team
  • Stage 5: A take-home assignment forming the basis for a 60-minute Google Meets video call with two members of our AppSec team to review the assessment

Why Relay Might Be the Perfect Fit For You

  • You push relentlessly for reinvention: You’re built to constantly ask, “How can this be better?” Change excites you and you drive it.
  • You crave autonomy: We trust our team with big challenges and the freedom to solve them. If you’re someone who takes initiative, is comfortable taking risks, and seeks input when needed, you’ll find the freedom here empowering.
  • You own your work: You take pride in your work, follow through on commitments, and feel a deep sense of responsibility for outcomes, not just tasks.
  • You treat comfort as a red flag: You seek growth. When things feel too comfortable, you lean into change. You’re excited about stepping into the unknown and navigating new terrain to create something better alongside your team.
  • You care about impact, not noise: You care deeply about the substance of your work. You measure success by results, not recognition and you let your work speak for itself.
  • You’re energized by complexity and ambiguity: You enjoy tackling problems that don’t come with a playbook. You’re comfortable building from scratch, iterating as you go, and collaborating to shape the best path forward.
  • You seek out feedback: We value directness, clarity, and respect. We believe honesty fuels great work and career growth. You see feedback as a tool for learning and improvement, and you know that open, honest dialogue is key to achieving the best results — together.
  • You’re here for more than a job: At Relay, everything we do is in service of our mission to help small businesses thrive. To drive impact and have purpose here, that mission must matter to you too.

Our Promise

We’re driving real change for small business owners, powered by truly remarkable people. At Relay, you’ll find the confidence to take chances, trust to take initiative, and the support you need to build a career you love. Here, we make sure every team member feels empowered to make big decisions, encouraged to ask tough questions, and challenged to take risks that result in work we’re all proud of. We give you the baton–you run the Relay.

What’s Important to Us:

Research shows that women-identifying and other marginalized individuals often apply only if they meet 100% of the qualifications. But no one is a perfect match on paper. If this role excites you, we’d love to hear from you and figure out together if it’s a great fit.

At Relay, we believe that diversity is key to building high-performing teams, and creating an inclusive work environment is our priority. We are an equal opportunity employer and welcome people of diverse backgrounds, perspectives, and skills.

We will work with applicants to provide accommodations at any stage of the hiring process. If you require accommodations during the interview process, please email your Talent Partner, and we will work with you to meet your needs.

About Relay

Banking
10,000+

Small business banking and money management tools to put you in complete control of what your business is earning, spending and saving.

The official banking platform of Profit First.

Bank with Relay for:

✅ No fees or minimum balances that tie up cash flow
✅ Up to 20 checking accounts to organize income and expenses
✅ Spending management using 50 physical or virtual debit cards
✅ Payments and deposits via ACH transfers, checks and wires
✅ Secure, role-based access to team members and financial advisors
✅ Personalized customer support by email, phone or chat

Relay is a financial technology company, not a bank. Banking services and FDIC insurance are provided through Thread Bank; Member FDIC. The Relay Visa® Debit Card is issued by Thread Bank pursuant to a license from Visa U.S.A. Inc. and may be used everywhere Visa® debit cards are accepted.