At Upstox, we're building the future of investing — simple, powerful, and for everyone. We're one of India's fastest-growing fintech platforms, backed by the best in the business, including Mr. Ratan Tata and Tiger Global, and on a mission to make wealth creation accessible to every Indian. From first-time investors to seasoned traders, millions trust us to power their financial journeys. We're not just moving fast — we're moving with purpose. If you thrive in a high-energy, high-impact environment, you're in the right place.
The Role:
As a Security Engineering Intern (AppSec), you will be embedded in the application security team at Upstox, working hands-on to identify, assess, and help remediate security vulnerabilities across our web, mobile, and API surfaces. This is not a bug-bounty role — we're looking for an engineer who can deeply understand application flows, reason about risk, and contribute meaningfully to secure product development. You will work closely with engineering and product teams to build security into the SDLC, participate in architecture reviews and threat modelling, and help triage and manage our bug bounty program. Beyond testing, you will also contribute to security automation initiatives and internal tool development projects — writing scripts and building utilities that scale our security capabilities and reduce manual effort across the team.
We are looking for individuals who are self-driven, quick starters with a strong ownership mindset.
What You'll Own
Your role will involve:
Perform security testing across Web, Mobile, and API surfaces — identify
Vulnerabilities, Understand Application Flows End-to-end, And Recommend Effective
mitigations.
Participate in security architecture reviews and threat modelling sessions alongside engineering and product teams.
Triage and manage vulnerabilities reported through the bug bounty program —
assess impact, validate findings, and coordinate remediation with engineering teams
Write and maintain automation scripts (Python/Golang) to scale security testing and integrate security checks into CI/CD pipelines.
Review AWS configurations and cloud infrastructure for common misconfigurations and security gaps.
Evaluate the security posture of microservices and containerized environments
(Docker, Kubernetes).
Collaborate with developers to ensure secure implementation of authentication and authorisation mechanisms (OAuth, SAML, OIDC).
Stay current on emerging security threats, including AI-related security issues, and
help assess their relevance to Upstox's product and infrastructure.
Contribute to internal security tooling, documentation, and knowledge-sharing within the organisation.
Who You Are
Currently pursuing or completing a Bachelor's/Master's degree in Computer Science,
Information Technology, or a related field, with graduation in 2026.
Solid understanding of web application, mobile application, and API security
fundamentals, including OWASP Top 10 for Web, Mobile, and API.
Hands-on experience performing security testing across web, mobile, and API
surfaces — not just finding bugs, but understanding the full application flow
Familiarity with AWS and awareness of common cloud misconfigurations (e.g.,
exposed S3 buckets, over-permissive IAM roles, insecure security groups)
Comfortable writing automation scripts in Python or Golang to support security
testing and tooling
Good understanding of authentication and authorisation protocols — OAuth 2.0,
SAML, And OIDC — And Their Common Vulnerabilities.
Basic understanding of CI/CD pipelines, containerization (Docker, Kubernetes), and
microservices architecture from a security perspective.
Basic familiarity with common security issues in AI/ML systems (e.g., prompt
injection, model data leakage, adversarial inputs)
Strong ability to understand and articulate mitigation strategies, not just identify
Vulnerabilities — We Hire Engineers, Not Bug Hunters
Curious, self-driven, and eager to learn — able to operate with autonomy in a
fast-paced environment.
Good-to-haves:
Red teaming experience is a strong plus.
Security certifications such as OSCP, GWAPT, CEH, or equivalent are a bonus. We
Strongly Value Skills Over Certifications.
Prior experience in fintech or financial services security is an advantage
Why This Role Rocks
At Upstox, security is not an afterthought — it's core to everything we build. You'll be part of a team that sits at the intersection of security and engineering, directly influencing how millions of users experience safe, reliable financial services. This isn't a role where you shadow people or run checklists — you'll own real work from day one: testing production systems, contributing to threat modelling sessions, triaging live bug bounty reports, building security tooling, and writing automation that has actual impact. You'll be immersed in a high-scale, cloud-native fintech environment — microservices, modern auth protocols, containerized infrastructure, and an evolving AI footprint. If you're someone who wants to think like an attacker, build like an engineer, and grow fast — this is the right place to start.
By applying for this position, you acknowledge that you have reviewed our Prospective Employee Privacy Notice, which outlines how Upstox collects, uses, and protects your Personal Information (PI). I accept Upstox's Prospective Employee Privacy Notice. Upstox is an Equal Opportunity Employer; all qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, veteran status, or other characteristics.
