Web3 company listing jobs in blockchain/crypto space
Blockdaemon
3 days ago
## Head of Compliance

We are looking for a seasoned and forward-thinking **Head of Compliance** to lead our compliance function at a pivotal moment for the web3 industry. Reporting to the Chief Legal Officer, you will be responsible for the company's compliance strategy and programs. This is a senior individual contributor role for someone who thrives at the intersection of fast-moving regulation, emerging technology, and business growth.

### Your Impact

* **Compliance Strategy & Programme Ownership:** Lead the company's compliance vision and multi-year roadmap. Build a scalable, risk-based programme that evolves with the business and the regulatory environment, and ensure compliance is embedded as a strategic enabler — not just a control function.
* **Regulatory Strategy & Government Affairs:** Shape the company's regulatory positioning in the US and, where applicable, globally. Engage with regulators as needed. Monitor and assess the impact of key developments — such as the CLARITY Act, GENIUS Act, SEC/CFTC harmonisation efforts, and evolving DeFi guidance — and translate these into concrete business recommendations. Represent the company in industry working groups, trade associations, and policy discussions.
* **Web3 & Digital Asset Compliance:** Lead compliance strategy across the company's core products and protocols, including token issuance and classification, stablecoin compliance, DeFi protocol risk, smart contract governance, on-chain transaction monitoring, and blockchain analytics. Advise on the regulatory treatment of digital assets under evolving SEC and CFTC frameworks, including securities vs. commodity determinations and tokenized asset requirements.
* **Risk Management & Controls:** Own the enterprise compliance risk framework. Oversee AML/BSA, KYC/KYB, OFAC sanctions screening, transaction monitoring, and blockchain analytics programmes. Partner with teams within the company to embed controls into products and infrastructure — not just processes.
* **Policy, Training & Culture:** Own the compliance policy lifecycle and oversee a targeted, role-based training programme. Champion an organisation-wide culture of integrity, using data and storytelling — not just mandates — to drive genuine behavioural change.

### Role Requirements

* 10+ years of compliance experience, with significant time in digital assets, fintech, or financial services
* Deep knowledge of the US digital asset regulatory landscape — including SEC, CFTC, FinCEN, OFAC, and state-level frameworks — and a strong view on where it's heading
* Experience leading regulatory examinations, licensing processes, or enforcement matters directly
* Proven track record of building compliance programmes in high-growth or ambiguous environments
* Familiarity with blockchain technology, on-chain transaction monitoring tools (e.g. Chainalysis, TRM Labs), and DeFi risk vectors
* Strong executive presence with the ability to advise executives, engage regulators, and influence across the business

### Compensation & Benefits

The base salary range for this position is **$160,000 - $240,000 USD annually**. The final offer will be determined based on factors including your experience, skills, qualifications, geographic location, and internal equity considerations.

In addition to base salary, this role includes equity compensation and a comprehensive benefits package. We offer competitive health cover, 401k, flexible paid time off, and other perks designed to support your wellbeing and professional growth.

This position is remote and open to candidates located anywhere in the United States, with a preference for those on the East Coast.

*Blockdaemon is committed to pay transparency and equal pay practices. We determine compensation based on role requirements, candidate qualifications, and market data — never on protected characteristics.*

### About Us

**We Power the Blockchain economy.**

**Blockdaemon** powers the blockchain economy with its suite of industry-leading infrastructure solutions. We are a globally established, ISO-27001 certified partner with extensive protocol coverage, offering technical depth, industry-leading SLAs, 70+ global points of presence through 10+ cloud and bare metal providers, and 24/7 support for an unmatched institutional-grade experience. We provide integrated business solutions to exchanges, custodians, crypto platforms, financial institutions, and developers using our end-to-end suite of blockchain tools, including dedicated nodes, APIs, staking, liquid staking, MPC tech, and more. Blockdaemon provides its customers with the confidence to quickly and easily scale without compromising security or compliance.

We are a globally distributed team.

Blockdaemon is an Equal Opportunity Employer.

*When applying, mention the word **CANDYSHOP** to show you read the job post completely.*
Blockdaemon
39 days ago
## DevOps Security Engineer

We are looking for a hands-on DevOps Security Engineer who will help secure our posture throughout the software delivery lifecycle — from the first line of code to production deployment and beyond.

Our stack is complex. We ship frequently across multiple services running on containerized, cloud-native infrastructure managed entirely as code. Every release needs to be hardened before it reaches customers, and every pipeline needs to enforce that standard automatically. Your job is to make sure that happens — and to build the systems that make it repeatable, auditable, and fast.

### Vulnerability Analysis & Release Security

* Conduct deep-dive vulnerability and security reviews of all software releases before they reach production. This includes manual code review of high-risk changes alongside automated scanning output triage.
* Own the pre-shipment security gate process: define pass/fail criteria, enforce them in CI/CD, and be the escalation point when a release is blocked on a security finding.
* Triage and classify vulnerabilities from SAST, DAST, SCA, and container scanning tools. Distinguish real risk from noise, prioritize remediation, and work directly with engineering teams to drive fixes — or write the patches yourself.
* Maintain and continuously improve a vulnerability management program with clear SLAs for remediation by severity.

### Pipeline & Automation Engineering

* Own and continuously improve the automated security tooling already integrated into our CI/CD pipelines. This means tuning rule sets to reduce false positives, expanding coverage as the stack evolves, optimizing scan performance so pipelines stay fast, and ensuring engineers trust the results enough to act on them without escalation.
* Build and maintain custom security automation — policy-as-code enforcement, secrets detection, dependency vulnerability scanning, image signing and verification — using Python, Go, or Bash.
* Develop and operate security-focused pipeline stages: static analysis, software composition analysis, dynamic testing against staging environments, infrastructure-as-code validation, and container image scanning.
* Automate the boring parts. If a security fix can be scripted and applied at scale across repositories, you write that script.

### Infrastructure & Cloud Security

* Audit the full infrastructure-as-code (IaC) stack — Terraform, CloudFormation, Helm charts, Kubernetes manifests — for misconfigurations, policy violations, and drift from security baselines.
* Define and enforce cloud security policies across AWS, Azure, or GCP environments using tools like Open Policy Agent (OPA), Checkov, tfsec, or equivalent.
* Harden container orchestration environments: RBAC policies, network policies, pod security standards, runtime threat detection, and supply chain integrity for container images.
* Collaborate with platform/infrastructure teams to ensure logging, monitoring, and alerting are sufficient for incident detection and forensic investigation.

### Security Culture & Shift-Left Enablement

* Be the engineering team's security partner, not their bottleneck. Provide developers with self-service tooling, clear documentation, and fast feedback loops so they can catch and fix issues before code review.
* Build and maintain internal security guardrails: pre-commit hooks, IDE integrations, approved base images, hardened CI templates, and reusable secure-by-default modules.
* Run targeted threat modeling sessions for high-risk features and architectural changes.
* Contribute to internal security standards, runbooks, and incident response playbooks rooted in real-world scenarios from your own findings.

### Role Requirements

* **3–5+ years** in a combined DevOps / Security Engineering / DevSecOps role where you were building and operating, not just recommending.
* **CI/CD pipeline engineering:** Deep, hands-on experience with at least one of Jenkins, GitLab CI, or GitHub Actions — including writing custom plugins, shared libraries, or reusable workflow templates.
* **Security tooling integration:** Production experience implementing and tuning SAST (e.g., SonarQube, Semgrep, CodeQL), DAST (e.g., OWASP ZAP, Burp Suite), and SCA (e.g., Snyk, Dependabot, Grype) tools within automated pipelines.
* **Cloud security:** Proven ability to secure production workloads on at least one major cloud provider (AWS, Azure, or GCP). You understand IAM policies, network segmentation, encryption-at-rest/in-transit, and cloud-native security services at an implementation level — not just a whiteboard level.
* **Container & orchestration security:** Hands-on experience securing Docker and Kubernetes environments — image scanning, runtime security (Falco, Sysdig, or similar), admission controllers, network policies, and supply chain security (signing, SBOMs).
* **Infrastructure as Code:** Proficiency with Terraform, CloudFormation, or Pulumi, combined with experience auditing IaC for security misconfigurations using policy-as-code frameworks (OPA/Rego, Sentinel, Checkov).
* **Scripting & automation:** Strong coding ability in Python, Go, or Bash — sufficient to build custom tooling, write security automation, and contribute patches to application code when needed.
* **Vulnerability management:** Experience running or significantly contributing to a vulnerability management program — triage, SLA enforcement, risk-based prioritization, and metrics reporting.
* **Solid fundamentals:** Strong understanding of OWASP Top 10, CWE/CVE ecosystems, secrets management (Vault, AWS Secrets Manager), TLS/mTLS, and common attack vectors against web applications and APIs.

### Nice-to-have Skills

* Experience with compliance-as-code frameworks and automating evidence collection for SOC 2, ISO 27001, FedRAMP, or PCI-DSS audits.
* Familiarity with eBPF-based security observability tools or kernel-level runtime security.
* Background in penetration testing or red team exercises, particularly against cloud-native infrastructure.
* Experience building or operating a software supply chain security program (SLSA framework, Sigstore/Cosign, in-toto attestations, SBOM generation and consumption).
* Knowledge of GitOps workflows (ArgoCD, Flux) and securing the GitOps delivery model.
* Contributions to open-source security tooling or published security research.
* Relevant certifications such as CKS (Certified Kubernetes Security Specialist), AWS Security Specialty, OSCP, or GIAC certifications — valued as evidence of depth, not as a checkbox.

This role is for someone who thinks in terms of attack surfaces and blast radius, who automates by instinct, and who measures their success by the security issues that never make it to production. If your idea of a good day is shipping a pipeline change that eliminates an entire class of vulnerability across every repo in the organization — we want to talk to you.

### About Us

**We Power the Blockchain economy.**

Blockdaemon powers the blockchain economy with its suite of industry-leading infrastructure solutions. We are a globally established, ISO-27001 certified partner with extensive protocol coverage, offering technical depth, industry-leading SLAs, 70+ global points of presence through 10+ cloud and bare metal providers, and 24/7 support for an unmatched institutional-grade experience. We provide integrated business solutions to exchanges, custodians, crypto platforms, financial institutions, and developers using our end-to-end suite of blockchain tools, including dedicated nodes, APIs, staking, liquid staking, MPC tech, and more. Blockdaemon provides its customers with the confidence to quickly and easily scale without compromising security or compliance.

We are a globally distributed team.

Blockdaemon is an Equal Opportunity Employer.

*When applying, mention the word **CANDYSHOP** to show you read the job post completely.*