Security Engineer

OpenRouter is the open AI routing and infrastructure layer that enterprises use to access, manage, and optimize the best large language models across providers—without lock-in, capacity constraints, or unnecessary cost. We power some of the most advanced AI teams in the world by giving them the flexibility to move fast, scale confidently, and stay future-proof as models evolve.

As enterprise adoption of AI accelerates, OpenRouter sits at the center of how organizations operationalize LLMs across research, product, and production workloads.

We're hiring our first Security Engineer to own the safety of our systems, infrastructure, applications, and data. You'll build out the security engineering function from the ground up — implementing programs, build automated tooling, shipping fixes, and driving remediation across the stack that powers millions of API requests daily. This is a hands-on engineering role, not a paperwork role: compliance and IT are owned separately so you can focus on security work. You'll partner with engineering and senior leadership, set the bar for how we secure an AI gateway at this scale, and influence how we protect our customers and their data.

• →

  Own application and cloud infrastructure security across Cloudflare, GCP, and Vercel, including our edge workers, data stores, and the routing path that handles every request.

• →

  Stand up vulnerability scanning (across our codebase and cloud infrastructure), triage findings, and drive remediation in partnership with engineering teams.

• →

  Investigating, triaging and remediating responsible disclosure vulnerabilities that come through our bug bounty programs.

• →

  Lead threat modeling for new product surfaces - the API, SDKs, dashboards, and agentic workloads - and make sure security is part of the design from the start.

• →

  Build out incident response and disaster recovery, including runbooks, tabletop exercises, and on-call expectations as the company scales.

• →

  Partner with our IT and compliance lead on frameworks such as SOC 2, HIPAA, GDPR, CCPA/CPRA, ISO 27001, ISO 277001, and ISO 42001 contributing the engineering pieces required to support those programs.

• 7+ years in security engineering, with deep expertise in at least one of application security or cloud security, and working knowledge of the rest.

• Strong cloud security experience operating in GCP, AWS, or similar - and comfort securing edge platforms like Cloudflare.

• Hands-on experience as the first or earliest security hire at a high-growth startup, or a clear track record of building security programs from scratch.

• Strong SIEM and vulnerability scanner experience (e.g. Splunk, Elastic, Panther, Qualys, Tenable, Rapid7).

• AI-forward in your workflow - comfortable using AI coding agents to ship security tooling, automations, and fixes quickly.

• Pragmatic and business-oriented; you can balance security rigor with velocity.

• High agency and a bias toward action - you don't wait for a program to exist before you start protecting the company.

• Strong communicator who can explain risk and tradeoffs clearly to engineers, executives, and customers.

• Experience securing AI infrastructure, inference platforms, or LLM-powered products.

• Familiarity with AI-specific threat models - prompt injection, model abuse, agent misuse, key exfiltration, and similar emerging attack surfaces.

• Automation and scripting in Python, TypeScript, or similar.
  
  The base salary for this full-time position in the United States, spanning multiple internal levels depending on qualifications, ranges between $230,000 to $310,000 plus benefits & equity. Compensation for internationally based candidates will vary to reflect local market conditions.

  If you don't think you meet all of the criteria below but still are interested in the job, please apply. Nobody checks every box, and we're looking for someone who is excited to join the team.