Engineering Manager, Application Security

Qualia•Austin, TX

4d•Remote

About The Position

Qualia is seeking an entrepreneurial Engineering Manager to lead its Application Security team. This is a hands-on role focused on redesigning the AppSec function with a strong emphasis on AI-assisted workflows. The team currently handles secure design reviews, vulnerability triage, internal penetration testing, incident response support, and security tooling for a JavaScript/NodeJS and Kubernetes stack. The manager's mandate is to scale these operations by integrating AI for automated pen testing, AI-driven triage of SAST/DAST/SCA findings, agentic review of engineering proposals, and continuous red-teaming. The role involves close collaboration with Platform, Infra, and product engineering leaders to embed security early in the development lifecycle and to define the security vision for the next two years, including anomaly detection, model-driven threat hunting, and defense against AI-enabled attackers. The Application Security team is responsible for securing the platform's data, identities, and documents.

Requirements

5+ years as a security or full-stack engineer working on production systems, with 2+ years managing a security or platform engineering team
Hands-on depth in application security: threat modeling, code review, and at least one offensive-security discipline (pen testing, red team)
Track record of shipping automation that changed how a team worked - ideally including meaningful use of LLMs, agents, or ML in a security or engineering workflow
Comfort operating across the full security lifecycle: prevention, detection, response, and recovery
Strong written communication. You can write the design doc, the post-mortem, and the board-ready summary - and you can tell a product engineer why their proposal needs to change without shutting down the conversation
Keen product sense and a bias toward measurable impact. You care whether the risk actually went down, not whether a ticket got closed

Nice To Haves

Experience in fintech, real estate tech, or another regulated, high-liability domain preferred
Background designing or operating anomaly-detection systems on production traffic, auth logs, or financial transactions
Published research, CVEs, or conference talks in AppSec, offensive security, or AI security.
Familiarity with the evolving landscape of AI-enabled offense (prompt injection, model abuse, agent exploitation) and defense

Responsibilities

Lead and grow the Application Security team - coaching senior AppSec engineers, setting goals, and owning delivery against the security roadmap
Build the automated pen-testing program. Stand up pipelines that run continuous, AI-assisted offensive testing against our services, APIs, and web properties - and turn the output into a triaged, actionable queue
Scale triage with AI. Design the workflows and tooling that let the team handle 10x the volume of findings (bug bounty, scanner output, customer reports) without 10x the headcount
Review engineering proposals. Sit at the front of the design process with engineering leaders across Core, Clear, Shield, Connect, and Atlas - reviewing RFCs and proposals, flagging risk early, and helping teams ship securely by default
Run red-teaming exercises. Drive recurring red team engagements - both internal exercises and coordinated vendor work - and close the loop into detection, response, and product hardening
Own the AppSec vision. Partner with the leadership team to set multi-quarter strategy across anomaly detection, threat modeling, and AI-augmented defense
Fight fires when they happen. Lead incident response from the application security side, and be the person engineering trusts to make the call in the room
Mentor and hire. Recruit strong AppSec engineers, mentor the ones you have, and build a team culture where people are pushed and supported in equal measure