⚡️ Founding Full Stack Software Engineer ⚡️

tl;dr

We're rebuilding bank compliance as an engineering problem. Today, auditors sample 5% of a fintech's files by hand and write findings in spreadsheets. We run the actual math on 100% of them — every dispute, every statement, every adverse-action notice — with deterministic rules and LLM-as-judge evaluation. You'll be one of the first engineers, building the agents and pipelines that reperform a bank's compliance at population scale. If you've shipped real LLM systems and want them to do something that matters, let's talk.

Why this exists

Before a fintech can issue a loan, send a statement, or resolve a dispute, its partner bank has to prove the whole operation followed the rules — Reg E, TILA, FCRA, SCRA, UDAAP, and dozens more. The way that's checked today hasn't changed in decades: consultants pull a small sample, eyeball it, and hope the other 95% looks the same.

It usually doesn't. On one Reg E engagement we reperformed the error-resolution math on 14,000+ disputes and surfaced timing and provisional-credit violations that no sample would have caught. On a TILA engagement we rebuilt daily balances and finance charges from raw platform data and found a systematic interest-method bug the bank had been disclosing incorrectly for months.

That's the wedge: compliance testing is a verification problem, and verification problems are engineering problems. We test everything, we show our work, and we hand banks evidence an examiner will accept.

The founders

Esty (CEO) dropped out of NYU's CS program at 19 and taught herself security well enough to earn the CISSP and OSCP. She built AI-based security systems at Invoca and led R&D at Buggy before this, and she still approaches compliance the way she approached pentesting — assume the system is broken and go find where.

Bivu (CTO) spent a decade in ML engineering, including leading IVR fraud detection at Pindrop — a system that six of the ten largest U.S. banks now run in production.

Shiboleth started as a deepfake-audio-detection research project that ended up on stage at Black Hat and then in TechCrunch. The through-line we kept hitting: security had matured into a real engineering discipline with continuous monitoring and standards, and compliance — a bigger, more regulated market — had almost none of that. We started Shiboleth to close that gap.

What you'll work on

• Agentic reperformance. Building agents that reconstruct what a statement, notice, or dispute resolution should have been from raw data — recalculating minimum payments, interest, and finance charges, then comparing against what the consumer actually received.
• Context engineering for regulation. Turning dense regulatory text and bank-specific test requirements into specifications an LLM-as-judge can apply consistently across populations of hundreds of thousands of records.
• Population-scale pipelines. Ingestion, normalization, and PII redaction over messy SFTP/PGP feeds and warehouse data, feeding deterministic SQL rules and model-based evaluation.
• Evidence, not vibes. The hard part isn't the verdict — it's assembling defensible, examiner-ready evidence for every one of those verdicts.

Your first 90 days

• Month 1: Ship your first end-to-end rule suite for a live partner bank — owning it from raw data ingestion through evidence output, in production, with a real customer reading the results.
• Month 2: Take ownership of a piece of core platform — likely the agentic reperformance layer or the LLM-as-judge evaluation harness — and improve its accuracy and consistency on a domain you hadn't seen before.
• Month 3: Lead a new regulatory domain end-to-end (we're actively expanding into new test targets), proving the engine generalizes beyond what one person could have hand-coded.

We ship to production daily. You'll have customer-facing impact in week one, not quarter two.

What we're looking for

This is a founding engineer role, not a specialist one. We care more about how you think than which frameworks you've memorized. The people who thrive here usually:

• Reason from first principles. A physics, math, or competitive-programming background is a strong signal — not for the credential, but for the habit of decomposing an unfamiliar problem and testing hypotheses against reality.
• Are comfortable being fuzzy. Compliance is ambiguous, our roadmap moves, and you'll context-switch across regulatory domains constantly. You're someone who can hold uncertainty and still ship.
• Communicate exceptionally well. This is near the top of our list. You'll work directly with banks and translate between regulation, code, and customers — clear thinking on the page and out loud matters as much as clean code.
• Own problems end-to-end. Customer obsession over ticket-closing. You don't hand off at the edge of your function; you follow the problem until the customer's outcome is right.
• Are product-minded. Backend depth in Python (we run Django) and experience shipping real LLM systems — RAG, agentic workflows, evaluation harnesses — are genuinely useful here. But product judgment beats stack mastery, and a security background, while interesting, isn't required.

A fintech, banking, or consulting background is a plus — regulatory familiarity shortens the ramp. But what we're really hiring for is someone who finds it interesting that a $0.09 discrepancy on a minimum payment is a finding.

We believe regulatory compliance shouldn't be a bottleneck on financial innovation, and that the way you earn a bank's trust is by showing your work — both of which shape how we build.

Logistics

• San Francisco, hybrid. We value in-person collaboration but aren't dogmatic about a 5-day mandate.
• Founding-level equity and salary.
• We can't sponsor visas right now, and we're hiring in U.S. time zones.

If this sounds like your kind of problem, reach out — a short note about something hard you've shipped goes a long way.