Founding Product Security Engineer

Arena is the platform for evaluating how AI models perform in the real world. Founded by researchers from UC Berkeley's SkyLab, we're on a mission to measure and advance the frontier of AI for real-world use, and to build the foundation for everyone to understand, shape, and benefit from it.

Tens of millions of people use Arena each month to evaluate how frontier systems handle the work they actually do. The preferences they share power the most transparent, rigorous, and human-centered evaluations in AI. Leading AI labs, enterprises, and independent researchers rely on our work and open datasets to understand how models behave in real workflows: agentic coding, creative generation, professional productivity, and beyond. We go beyond leaderboards and decompose what human experience reveals about AI, so models advance toward the work people actually do.

We're a team of researchers, academics, builders, and creatives from UC Berkeley, Google, Stanford, and DeepMind. We seek truth, move fast, and value craftsmanship, curiosity, and impact over hierarchy. We're building a company where thoughtful, curious people from all backgrounds can do their best work together, in an office culture that radiates excellence, energy, and focus.

Arena Intelligence is seeking a Founding Product Security Engineer to lead the strategy, design, and hands-on implementation of the systems that protect Arena from attackers and keep our platform trustworthy as we scale. You'll work across product, infrastructure, and data pipelines to proactively identify risks, embed security into core features, and build the platform primitives — identity, session, behavioral signals, secure APIs, model-inference-path controls — that every other team at Arena builds on top of.

This is a builder role. You will not only set technical direction but also write the code, build the tools, and design the frameworks that make security part of our product's DNA. Your work will directly influence how the world's top AI labs, developers, and millions of users experience Arena, ensuring we remain resilient against real-world attacks and evolving threats.

• Own the product security vision for Arena, ensuring security and trust are core to every stage of our product lifecycle

• Design and implement the identity, authentication, authorization, and account-lifecycle systems that protect Arena against credential stuffing, account takeover, and API-key compromise

• Secure the model inference path end-to-end — provider credential handling, API gateway, rate limiting, quota enforcement, and protections against secret and prompt exfiltration

• Lead threat modeling and security architecture reviews for new and existing product features

• Collaborate with infrastructure and product engineering to design secure APIs, data flows, and identity systems that scale

• Improve developer velocity by creating secure-by-default frameworks, libraries, and tooling for internal teams

• Apply adversarial thinking to continuously test and evolve platform defenses

• Partner with incident response to quickly assess, contain, and remediate security events, and lead deep postmortems to improve defenses

• Stay ahead of the curve by monitoring emerging attack techniques and applying cutting-edge security research to our platform

• Mentor engineers across the company on secure coding practices, architecture trade-offs, and operational security

• 6+ years of experience in software engineering or security engineering, including staff-level scope in securing large-scale, user-facing platforms

• Strong experience with threat modeling, secure architecture design, and risk assessment

• Hands-on experience building security features into production systems at scale (millions of DAU / billions of requests)

• Deep knowledge of authentication, authorization, and identity systems, including session management and credential-abuse resistance

• Strong knowledge of distributed systems security, API security, and secure data-pipeline design

• Proficiency in backend development (Node.js, TypeScript, Python, or Go) and willingness to work across the stack when needed

• Excellent communication skills, able to build alignment across engineering, product, and leadership teams

• Experience securing AI/ML inference paths, API gateways, or high-volume public APIs

• Experience building behavioral-signal or fingerprinting platforms used by trust & safety or abuse teams

• Contributions to open-source security tools or research

• Background in securing real-time, interactive platforms at scale

• Experience leading security incident response end-to-end, including blameless postmortems at a company with meaningful external exposure