Security Architecture Lead

RESPONSIBILITIES:

• Provide architectural oversight across product, platform, and internal systems, ensuring scalable, secure patterns that support WHOOP’s long-term growth.
• Advise InfoSec and IT on secure, scalable approaches for SIEM/logging pipelines, identity integrations, privileged access, SaaS integrations, and foundational security tooling.
• Define the target-state architecture for vulnerability management across product, cloud, and internal systems, transitioning from spreadsheets to integrated, automated workflows.
• Serve as the technical evaluator for high-risk vendors and integrations, validating architecture, controls, and data flows as part of the TPRA process.
• Map WHOOP’s architecture to frameworks required for future regulated or government-oriented verticals (i.e., NIST 800-53, AI governance standards, healthcare/biometric requirements) and help shape the roadmap toward readiness.
• Contribute to the design of scalable, secure patterns for AI usage across WHOOP, including MCP governance, LLM API integrations, and AI-enabled product features - with support from the security and engineering teams as you grow into this evolving space.
• Partner with Product Security and Engineering to provide secure design input for identity flows, API/WAF strategy, backend services, data paths, and new product features.
• Review threat models and design documents with Product Security and Engineering, identifying assumptions, systemic risks, and missing mitigations.
• Integrate security into engineering workflows through practical, reusable patterns and clear expectations.
• Produce clear, actionable architectural guidance and documentation used across engineering, product, and security.
• Act as a trusted advisor and mentor, raising the organization’s architectural maturity and security judgment.

QUALIFICATIONS:

• 7–10+ years in security architecture, product security, or senior security engineering roles supporting modern distributed systems.
• Strong understanding of secure system design, identity and access patterns, API and application security, and cloud-native architecture (AWS preferred).
• Experience reviewing and guiding threat models in real engineering environments.
• Interest or experience in securing AI/LLM integrations or developing standards for responsible AI usage; we will support growth in this area.
• Ability to influence and collaborate effectively across engineering, product, IT, and security.
• Familiarity with SOC 2, ISO 27001, GDPR, PCI, HIPAA-aligned security requirements, and NIST 800-53 or similar high-assurance control frameworks.
• Ability to translate regulatory and high-assurance control expectations into practical engineering patterns.
• Exceptional written and verbal communication, including design feedback and technical documentation.
• High integrity, sound judgment, and a pragmatic, solution-oriented mindset.