Xendit provides payment infrastructure across Southeast Asia, with a focus on Indonesia and the Philippines. We process payments, power marketplaces, disburse payroll and loans, provide KYC solutions, prevent fraud, and help businesses grow exponentially. We serve our customers by providing a suite of world-class APIs, eCommerce platform integrations, and easy to use applications for individual entrepreneurs, SMEs, and enterprises alike.

Our main focus is building the most advanced payment rails for Southeast Asia, with a clear goal in mind: to make payments across SEA simple, secure and easy for everyone. We serve thousands of businesses ranging from SMEs to multinational enterprises, and process millions of transactions monthly. We’ve been growing rapidly since our inception in 2015, onboarding hundreds of new customers every month, and are backed by global top-10 VCs. We’re proud to be featured among the fastest growing companies by Y-Combinator.


Our vision is to build digital infrastructure for Southeast Asia, supporting customers from fast-growing startups and NGOs to multinational enterprises such as Traveloka, Lazada, Garuda Indonesia, Suzuki, and Ciputra.

Your mission as part of the Xendit information security team is to discover the various security vulnerabilities in our environment and provide technical consultation on how to protect our business from exploitation of these vulnerabilities.


  • Perform penetration tests for mobile applications, API applications, web applications, network, endpoints and cloud infrastructure
  • Triage vulnerability findings to product engineers and help them understand the vulnerabilities
  • Be a security subject matter expert and answer security questions from product engineers
  • Improve the security testing process to be more effective and efficient
  • Ensure we meet compliance requirements related to security testing
  • Proactively identify and reduce security risks
  • Do whatever it takes to make Xendit succeed


You may be a good fit if

  • You have a bachelor's degree in Computer Science. An equivalent combination of education and work experience may be taken into consideration in lieu of a degree
  • You have 2-4 years of relevant IT experience, with a minimum of 2 years hands-on as a penetration tester or application security engineer
  • You are familiar with the financial industry and the security risks associated with it
  • You are familiar with common security controls and security flaws for modern mobile applications, web applications, APIs and cloud infrastructure
  • You understand the OWASP testing methodology and have knowledge of penetration testing tools
  • You think like an attacker but are humble enough to help developers understand the risk of a vulnerability and its mitigating controls
  • You have exceptional verbal and written communication skills in English
  • Bonus points if you
    • Are OSCP/OSCE certified
    • Know the security testing requirements of common security regulations such as PCI DSS and ISO27001

What we care about

  • Solve for the customer first: You build what customers want. You think about what is right for customers, not what is easiest for you
  • Demonstrate mastery of honey badgery: You make ambitious goals. Then execute…no matter what stands in the way. When knocked down, you get up
  • Take on challenges willingly and can be trusted to execute: You can be trusted to get things done right the first time quickly. You hit your deadlines
  • You’re like us: You smile a lot, think work is fun and don’t take yourself too seriously. You measure yourself against the best and believe feedback is the breakfast of champions. You follow the golden rule.
  • You’re remarkable: People naturally talk about how awesome you are. If we can’t find someone who raves about you then it’s unlikely we will too.
