Application Security Engineer

Arcadia
$131,250 - $235,156
Remote

About The Position

Arcadia is the global utility data and energy solutions platform. With our leading data platform, AI-powered analytics, industry expertise, and expansive partner network, we deliver solutions for every stage of the enterprise energy management lifecycle across carbon, cost, and reliability. Arcadia’s Enterprise Energy Management Solutions are built on a foundational data platform that has been developed for over a decade and scaled across millions of customer facilities. We transform fragmented data and siloed processes into coordinated, enterprise-wide action with comprehensive solutions including:

  • Utility Bill Management: Lower utility costs and streamline bill management with automated bill payment, proactive error identification, optimized tariff structures, and budgeting & forecasting.
  • Energy Procurement Advisory: Source clean energy through a comprehensive evaluation of supply options - including traditional retail options and onsite and offsite resources - to effectively manage risks, reduce costs, and achieve corporate sustainability goals.
  • Sustainability Reporting: Achieve compliance goals and track carbon emissions with standardized energy data and seamless integration with leading sustainability platforms.

Tackling an enterprise client’s most critical energy challenges requires out-of-the-box thinking & diverse perspectives. We’re building a team of individuals from different backgrounds, industries, & educational experiences. If you share our passion for ushering in the era of the clean, cost-effective electrons, we look forward to learning what you would uniquely bring to Arcadia!

We are seeking a technically hands-on Application Security Engineer to join the Information Security team. This individual will own the vulnerability management lifecycle across our SAST, DAST, and SCA tooling, integrate security automation into the CI/CD pipeline, perform threat modeling of product and engineering designs, and serve as a trusted advisor to our 300+ person engineering organization. The ideal candidate is a builder who would rather automate a finding than file a ticket, and who can explain a critical vulnerability to a junior developer without making them feel two inches tall. Arcadia is headquartered in Washington, DC, and open to fully remote candidates.

Requirements

  • 3–5 years of dedicated Application Security experience in a SaaS or cloud-native environment.
  • Hands-on proficiency with at least two of the following: SAST, DAST, SCA, or CSPM tooling (e.g., Snyk, Checkmarx, Semgrep, Wiz).
  • Strong working knowledge of CI/CD pipelines (e.g., GitHub Actions, Jenkins, GitLab CI) and the ability to write and maintain pipeline integrations.
  • Experience with container security (Docker, Kubernetes) and API security patterns (REST, GraphQL).
  • Demonstrated ability to communicate technical risk to non-security engineers in a way that drives action, not anxiety.

Nice To Haves

  • Experience standing up or maturing a Security Champions program.
  • Familiarity with cloud-native AWS security services (GuardDuty, Security Hub, IAM Access Analyzer).
  • Exposure to threat modeling frameworks (STRIDE, PASTA, or lightweight equivalents).
  • Relevant certifications (OSCP, GWAPT, CSSLP) — valued but not required.

Responsibilities

  • Own the end-to-end vulnerability management lifecycle: triage, prioritize, and drive remediation of findings from SAST, DAST, and SCA tooling in partnership with engineering squads.
  • Maintain, optimize, and extend security tooling integrations within the CI/CD pipeline with the goal of automating everything that can be automated.
  • Launch and run a Security Champions program, including workshops and office hours, to embed security knowledge directly into development teams across multiple geographies.
  • Act as the application-layer subject matter expert during security incidents, supporting triage, root cause analysis, and remediation.
  • Partner with Product and Engineering leadership to introduce security touchpoints earlier in the SDLC, including threat modeling and design review processes.

Benefits

  • "Remote first" culture - work anywhere in the US as long as you have a reliable internet connection
  • Flexible PTO - no accrued hours and no limit on the number of vacation days exempt employees can take each year
  • 12 annual holidays
  • 10 days sick leave
  • Up to 4 weeks bereavement leave
  • 2 volunteer days off
  • 2 professional development days off
  • 12 weeks paid parental leave for all parents
  • 75-95% employer cost coverage for medical, dental, and vision benefits for employees and dependents

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Education Level

No Education Listed

Number of Employees

251-500 employees

© 2024 Teal Labs, Inc