Did their security engineering loop recently for an AppSec role. This one is a bit different from a standard SWE loop so worth a dedicated post.
Robinhood's security function has grown a lot since some of their public incidents a few years back. They have AppSec, cloud security, and a detection/response team, and the interview process varies somewhat by track. My experience was AppSec, so that's what I'll speak to.
Structure: Recruiter screen (30 min, mostly culture and role expectations) Technical phone screen with a security engineer (45 min) Virtual onsite: 4 rounds
Phone screen was a mix. They started with threat modeling: I was given a short description of a fintech feature (something like a P2P payment flow) and asked to walk through threats. Not a whiteboard, just talking through it. They also asked about common web vulns, OWASP top 10 type stuff, but not in a checkbox way. More "describe a time you found an injection vuln in production and what the blast radius was."
Onsite rounds: Secure code review: They gave me a code snippet (Python, realistic fintech business logic, not a toy example) and asked me to identify vulns. I found an insecure deserialization issue and a race condition in the payment handling. Missed a subtle SSRF. They weren't grading for gotchas, they wanted to see how I reasoned. System design with a security lens: Design a secrets management system for a company at Robinhood's scale. Not just infrastructure design, they wanted threat modeling baked in. What fails, how does it fail, who's your attacker. Behavioral / leadership: Standard STAR format. They really pushed on cross-functional influence: how do you get a product team to actually fix a vuln they've deprioritized. That's a real problem in AppSec and they know it. Craft interview with a senior eng: A deeper dive on one past project I'd done in AppSec. Brought my own material, walked them through a pen test engagement. Questions got pretty specific.
What mattered: Depth over breadth. They can tell immediately if you're pattern-matching on "I know OWASP" without having shipped anything. The secure code review will find you out.
Comp: I didn't accept but the offer was $190k base for senior AppSec, NYC, with RSU on a 4-year vest. That's fair for the role but not top of market for security in fintech.
Happy to answer questions on the loop.