
Galaxy

Associate, Security Engineer (Vulnerability Management)

United States


The complete job description, requirements, and application details are available on the original posting.


About Galaxy

Galaxy is a global financial services firm based in New York City, specializing in digital assets and data center infrastructure. Founded in 2018 by Michael Novogratz, the company operates through two main segments: Digital Assets and Data Centers. It provides institutional-grade solutions that connect traditional finance with blockchain, cryptocurrency, and artificial intelligence. The Digital Assets Platform offers a range of services, including trading, lending, derivatives, staking, asset management, and advisory services. Galaxy also develops and operates data centers focused on high-performance computing (HPC) and AI workloads, addressing the growing demand for scalable energy and compute solutions. Recently, Galaxy launched GalaxyOne, a platform for individual U.S. investors, providing opportunities for cash yields and trading in crypto and equities. The firm emphasizes regulated and scalable solutions for both institutional and retail clients.

Industry: financial services

Employees: 530 (140 engineers)

Revenue: $1.2B


Security at Galaxy

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

  • Galaxy's AppSec philosophy prioritizes building products and services securely by design and integrating security into the software engineering lifecycle.
  • Their culture emphasizes being 'Highly Aligned, Loosely Coupled'.
  • They aim to enable developers by providing training and thought leadership for secure software development practices, assisting teams with mitigation, and helping engineers understand vulnerabilities.
  • Their risk philosophy includes threat modeling, risk assessment, and controls review, with a focus on ensuring technology teams adhere to SLAs for vulnerability triage and remediation.

Security Team

Galaxy's AppSec team roles 'report to the Director of Product Security' or 'reports directly to the Director of Product Security'. Public-facing leader names (top 1–3) are not publicly available, as no named Director of Product Security or ProdSec leader was found. Team size estimate is also not publicly available. As of, there are 3 active AppSec job postings: Director, Product Security; VP / Senior Product Security Engineer; and Associate Security Engineer (Vulnerability Management). Common skills and tools called out in postings include 'Managing SAST, DAST, SCA', scripting/programming, cloud security patterns, threat modeling, and 'Leverage AI-driven tools for efficient data analysis'.

Key Initiatives

Evidence suggests a security champions or guild model, with postings including 'Develop a cadre of primary contacts with associated cyber security interests across the engineering team following a guild or practice model'. Shift-left practices are evident, as roles require participation 'throughout the software lifecycle' and to 'integrate security into the software engineering lifecycle'. The vulnerability management process involves tracking and reporting remediation progress, and coordinating with engineering teams to validate, assign, and prioritize vulnerabilities. Intake sources mentioned include SAST/DAST/SCA and 'Bug Bounty programs'. SLAs are required for vulnerability triage and remediation. Secure SDLC artifacts include participation in 'design and code reviews' and assisting with 'development and review of test plans'. Recent initiatives (last 6 months) are not publicly available.
