Senior Security Engineer
Security Engineer
About Nelo
Nelo is a leading consumer fintech and e-commerce platform in Mexico, with >$500MM in annualized GMV and >$75MM in annualized revenue. Our mission is to increase the buying power of consumers in Latin America, and we are doing so by building a modern alternative to credit cards. Nelo has raised over $40M of venture capital from investors including Homebrew, Two Sigma Ventures and Susa Ventures. Nelo has additionally raised a $100M asset credit facility from Victory Park Capital. Our lean team includes experienced leaders from top technology companies including Uber, Amazon, Rappi, and DiDi. We pride ourselves on our velocity, intellectual rigor, and efficiency. Nelo has offices in Mexico City and New York City.
About the role
Security has been part of how Nelo builds software from day one. As we scale, we are creating a dedicated Security Engineer role with broad ownership across application security, cloud infrastructure, and internal controls.
This is a hands-on role for someone who wants to define the security function rather than inherit it. You will decide where to invest, implement controls yourself, and balance risk against velocity in a fast-moving lending business. You will work directly with the CTO, the CEO, and engineering leadership.
This role is in-person at our Mexico City office in Condesa.
What you'll do
Build secure-by-default systems
Design and implement security guardrails across cloud infrastructure and developer workflows
Improve IAM, secrets management, endpoint management, and access controls across production systems
Harden AWS infrastructure using Terraform and policy-as-code
Increase observability for security-relevant events and anomalies
Treat security as an engineering problem
Write code, configs, and tooling to enforce controls
Replace manual reviews with automation wherever it makes sense
Make the secure path the default path for engineers
Run external security programs
Own penetration tests and the bug bounty program end-to-end
Triage findings, partner with engineers on fixes, and turn one-off issues into systemic improvements
Drive certifications and compliance
Take Nelo through SOC 2 Type 1 and Type 2
Build automated evidence collection so compliance does not become a recurring tax on the team
Raise the bar across engineering
Set the standard through your own implementations
Review designs and PRs with a security-first lens
Why you should apply
You have built security programs at a startup before and know the difference between security theater and controls that actually reduce risk. You can tell which one a given investment is.
You write code and ship infrastructure yourself. Terraform, Python, Go, whatever the job calls for. You do not hand off implementation to someone else and call it done.
You have deep AWS instincts. You know where the sharp edges are in IAM, how to read CloudTrail, when GuardDuty findings matter and when they are noise.
You have taken a company through SOC 2 or a comparable certification and you know how to run it without grinding engineering to a halt. Automated evidence collection is the baseline you build toward, not a stretch goal.
You are comfortable with AI tools as part of your daily workflow. You use Claude Code or similar to move faster, and you have opinions about where they belong in a security review and where they do not.
You can hold a strong security position and still ship product on time. You see velocity and security as the same problem, not opposing ones.
Why you should NOT apply
You want to manage a team of security engineers. There is no team to manage. You are the team, at least for the foreseeable future. If your value is in delegating, this role will not fit.
You see security as a gatekeeping function. The job is to make the secure path the easiest path, not to block PRs and write policy documents that nobody reads. If your instinct is to slow things down rather than redesign them, the engineering team will route around you.
You need a mature environment with established tooling and processes. Some of this exists. Most of it does not. You are building the function, not stepping into one.
You treat compliance as a separate workstream from engineering. SOC 2 evidence at Nelo will be collected by code, not by a GRC tool with a person filling out questionnaires. If that distinction is not natural to you, this will feel like the wrong job.
You think AI tools are a gimmick. Every team at Nelo uses AI in daily workflows. If you are skeptical of agentic coding tools or refuse to use them, you will be working against the grain of how engineering moves here.
How we work
~60 people across CDMX and New York. Lean, fast, opinionated about quality.
This role is based in Mexico City and is expected to be in-office, given the close day-to-day collaboration it requires with the engineering and infrastructure teams.
Every team at Nelo uses AI in daily workflows. Engineering is no exception.
Who you are
Required
Engineering background with substantial time spent on security in production environments
Strong hands-on experience with cloud security fundamentals, ideally on AWS
Comfortable building and modifying infrastructure with Terraform or equivalent IaC tooling
You ship code and own outcomes, not just recommendations
Strong signals
You have taken a company through SOC 2, ISO 27001, or a comparable certification
You have personally run a bug bounty program or managed external pentests
Depth in AWS security primitives such as GuardDuty, CloudTrail, IAM, VPC, KMS, and security groups
You use Claude Code or other agentic coding tools as part of your daily workflow
Interview process
Conversation with the hiring manager
Case study
On-site panel
Fast decision
Compensation and benefits
Competitive salary and meaningful equity
100% medical, dental, and vision coverage
Unlimited PTO and extended parental leave