Head of Security
XMTP
Location: Remote (North/South America)
Employment Type: Full time
Location Type: Remote
Department: Engineering
Compensation: $225K – $300K • Offers Equity
A Note from Shane, our CEO
The greatest mistake I ever made in my career was trying to convince people to join a startup. I’m not here to convince you.
In my early days, I oversold. I tried to make the journey look easier than it was. I tried to convince people that going smaller could feel as stable as Microsoft. I tried to make ownership sound exciting without fully preparing people for the weight of it. The kind of ownership that changes how you show up every single day.
On one hand, it’s the most empowering thing you will ever feel. On the other hand, it’s hard. Really hard.
As I sit here almost five years in, thinking about the next twenty, I’m more excited than I have ever been about what we’re building and why. And the only thing that matters to me now is finding people who deeply and genuinely believe in this mission too.
I don’t want you to work here because you want to work with me.
I don’t want you to work here because you want to try a startup.
I don’t want you to work here because small sounds refreshing after years at a big company.
You should only want to work here if you truly believe in our mission.
Securing the world’s freedom to communicate.
That is the work.
We need a new foundation.
We need new rules.
We need open source and decentralized systems to bring trust back to the single most important thing in the digital world. Communication.
If that belief isn’t already in your bones, nothing I write here should convince you. And that’s okay.
But if it is, and if you’re the best in the world at what you do, and if you are obsessed with becoming more effective, more leveraged, and more impactful, then maybe it’s worth applying. Because there is one word that drives everything we do here. Leverage. Leverage is our operating system. It shapes every cultural norm, every system, every tool, every decision.
Our goal is simple. Help every person here become one of the most highly leveraged individuals on earth. Better tools. Better systems. Better teammates. Clearer priorities. Less noise. More output.
We measure ourselves with one ratio. Total messages sent on XMTP divided by total employees.
It forces us to build things that scale beyond headcount.
It forces focus.
It forces great systems.
It forces us to hire only when hiring increases the total leverage of the organization.
That is why we hire slowly and rarely.
That is why getting a job here is hard.
And it is intentional.
Here is something I did not understand early in my career. Something I wish someone had told me. For the few people who do get to work here, it is a chance to own and lead and grow in your career like never before.
We don’t hide how the company works.
We don’t shield people from hard decisions.
We want everyone here to learn everything there is to know about running and building a company.
Because the best thing about going small isn’t the speed. It isn’t the lack of red tape.
It is the learning. Seeing how it really works from the inside out.
Whatever you want to do after XMTP.
Start something. Lead something. Build something.
You will be better because of your time here.
You will leave with a level of judgment, ownership, and leverage you can’t get anywhere else.
If this resonates, take a look at the roles below.
If it doesn’t, that’s fine too. Please send this to someone you know who would thrive here.
— Shane
A Note About This Role
If your definition of “security” is limited to antivirus tools, annual audits, or checking boxes for compliance, this is not your role.
This role is for the person who understands that security is the foundation of XMTP’s mission - securing the world’s freedom to communicate. That mission is impossible unless the people building the protocol are protected at the highest level, across every system, device, environment, and interaction.
We’re not looking for someone who treats security as IT.
We’re looking for someone who treats security as strategic defense, operational rigor, threat anticipation, and cultural identity.
Someone who sees that social engineering and proximity attacks are often more dangerous than technical exploits.
Someone who can build a system, own it, evolve it, and ensure that every person and device connected to XMTP operates safely.
This role is not just cybersecurity.
It’s internal security, cyber defense, travel security, executive protection, risk management, operations, culture, and brand - all integrated under one leader.
If that excites you, read on.
Build the Future of Private Communication
XMTP Labs is building the future of messaging - secure, private, and decentralized.
Our open protocol, XMTP, enables a universal, secure communication layer for the internet. Convos, our flagship app, brings that vision to life with a privacy-first, interoperable messaging experience.
Security is not an add-on for us.
It is the mission.
We’re hiring a Head of Security / CSO to architect, operationalize, and own the end-to-end security posture of XMTP. From internal systems to cyber defense to travel protocols and executive protection, your work ensures that the people behind XMTP can build securely and safely.
This is a foundational role shaping XMTP’s next decade.
Key Responsibilities
Security Strategy & Leadership
Build and own XMTP’s comprehensive security strategy across internal, cyber, travel, and executive domains.
Establish a layered defense model aligned with our mission: secure the world’s freedom to communicate.
Create high-clarity frameworks for risk, readiness, response, and prioritization.
Present strategy and risk assessments to leadership, investors, and external partners.
Internal & Operational Security
Define and enforce device, tooling, authentication, and access standards.
Oversee MDM, hardware key enforcement, internal permissions, and secrets management.
Implement systems that assume compromise and minimize blast radius.
Own security elements of onboarding and offboarding while partnering with our Ops team for execution.
Cybersecurity & Technical Defense
Lead the digital defense of XMTP’s engineering, infrastructure, cloud systems, and protocol interfaces.
Own threat detection, incident response, monitoring, and vulnerability management.
Partner with Engineering to harden production environments, CI/CD pipelines, and secure key material.
Ensure best-in-class security tooling across endpoints, authentication, and encryption.
Travel Security & Real-World Protection
Architect the travel security program for staff attending conferences, hackathons, and high-risk environments.
Build protections against proximity attacks, in-person targeting, device cloning, and social engineering.
Standardize travel kits (Faraday protection, privacy screens, secure bags) and protocols.
Train employees for situational awareness and safe operating procedures on the ground.
Executive Security
Develop protocols for device hardening, travel safety, communications security, and identity protection for high-profile individuals.
Establish response plans for impersonation, targeted phishing, and other executive-focused threats.
Culture & Brand of Security
Partner with Brand and People Operations to embed security into XMTP’s identity - swag, onboarding, systems, and storytelling.
Ensure every internal and external interaction signals XMTP’s security-first culture.
Drive company-wide education that raises awareness and reinforces safe practices.
Vendor & External Partnerships
Select and manage external security firms, penetration testers, and threat intelligence partners.
Own contracts, performance, budgets, and strategic evaluations.
Establish relationships with industry experts and security communities.
Systems, Documentation & Playbooks
Maintain all security documentation:
Incident response
Travel protocols
Device standards
Engineering security guidelines
Internal training
Run tabletop exercises and simulations to test readiness.
What We’re Looking For
8–15+ years in cybersecurity, information security, or operational security leadership roles.
Experience owning security for high-growth or high-risk organizations.
Deep understanding of both digital and physical security threats.
Strong operational rigor — you build systems that people actually follow.
Clear, direct communication; high trust and high accountability.
Experience managing sensitive, time-critical incidents.
Comfort working with decentralized systems, privacy tech, or Web3 concepts.
A bias toward clarity, action, and ownership.
Nice-to-Haves
Prior experience as a CSO, Head of Security, or equivalent
Exposure to cryptography, open-source protocols, or privacy-focused companies
Background in executive protection, travel security, or threat intelligence
Experience with SOC 2 or ISO frameworks (without treating them as checkbox exercises)
Why This Role Matters
Because securing the world’s freedom to communicate starts with securing ourselves.
Because our risk surface is growing.
Because visibility is rising.
Because trust must be earned through discipline, not declarations.
This role protects the mission at its foundation.
You Might Be a Fit If…
You think about security holistically — people, devices, systems, and environments.
You’re calm under pressure and decisive when it matters.
You understand how attackers think and how teams behave in the real world.
You care deeply about privacy, safety, and user trust.
You want your work to have global, meaningful impact.
You want to build and protect the most secure communication ecosystem on earth.
Compensation & Benefits
Base Salary: $225,000 – $300,000 (Dependent on level - Director, Head, or CSO)
Equity: Meaningful early-stage ownership
Benefits Include:
Fully paid Medical, Dental, Vision
Parental leave
Wellness & lifestyle stipend
Remote-first + equipment budget
Personal assistant support
Unlimited PTO
Semi-annual IRL gatherings