Lead Application Security Engineer

Ivo Inc., San Francisco, CA
Onsite

About The Position

Ivo is seeking its first dedicated Lead Application Security Engineer to take full ownership of the platform's security. This role involves partnering directly with the Head of IT & Security and collaborating closely with the engineering team to enhance the security of the Ivo platform. It's a hands-on, senior individual contributor position with a wide range of responsibilities, including identifying bugs in web applications and APIs, reviewing security-critical code, managing penetration testing and responsible disclosure programs, conducting threat modeling for new features, and establishing secure software development practices at Ivo. The role is critical given the sensitive nature of the legal documents handled by the platform for major global companies.

Requirements

  • 4+ years in application security, product security, or offensive security at a SaaS company, including time owning security for a production platform.
  • Strong hands-on web application pen testing skills. You can find real bugs in real code, not just run scanners.
  • Deep experience reviewing code in TypeScript / Node and Python. You're comfortable reading and writing code, not just reviewing it.
  • Strong background in web application security: OWASP Top 10, auth and authorization design (OAuth, OIDC, SAML, SSO), multi-tenant isolation, and modern API security.
  • Practical experience with cloud security in GCP and Azure, plus container and Kubernetes security (AKS or similar).
  • Experience managing pen tests, bug bounty programs, or responsible disclosure programs end to end.
  • Track record of partnering with engineering rather than blocking them. You ship paved roads, not tickets.
  • Excellent written communication. You can write a Slack post that engineers actually want to read, a finding writeup that's genuinely actionable, and a security review that an enterprise prospect respects.
  • A strong internal sense of urgency and a bias toward shipping today rather than tomorrow.

Nice To Haves

  • Experience securing AI / LLM features in production: prompt injection defenses, agent guardrails, and AI-specific threat modeling.
  • Series B or earlier experience where you built or scaled a security function from limited scaffolding.
  • OSCP, OSWE, or comparable hands-on offensive security credentials.
  • CVE credit, published research, or contributions to open-source security tooling.
  • Experience designing security as customer-facing product (SSO domain verification, SCIM, IP allowlisting, audit logging, RBAC).
  • Background supporting enterprise customers in regulated industries.

Responsibilities

  • Own application security across Ivo's web app, API surface, and the systems behind them.
  • Find and fix bugs. Hunt for vulnerabilities in our own product through hands-on testing, code review, and offensive-minded experimentation, and partner with engineers to ship the fix.
  • Lead manual code review for security-sensitive changes: authentication, authorization, multi-tenancy, integrations, and customer data handling.
  • Run threat modeling with engineering as new features and products are designed, across the full product surface including LLM and agent components.
  • Manage our pen test program and ad-hoc engagements end to end. Scope work, manage vendors, triage findings, and drive remediation to closure with engineering.
  • Run our responsible disclosure program, including researcher communications, validation, payments, and ongoing relationships with trusted external researchers.
  • Build and maintain our application security tooling: SAST, DAST, SCA, secrets detection, and IaC scanning, with a strong bias toward signal over noise.
  • Embed security into the SDLC: PR-time checks, security champions, design review gates, and secure-by-default patterns engineers actually want to use.
  • Conduct deep reviews of identity and access surfaces (Firebase Auth, WorkOS, SSO, SAML, SCIM, RBAC) and partner with product on customer-facing security features.
  • Investigate suspected security issues and lead application-layer incident response alongside engineering.
  • Contribute application security input to enterprise security reviews, SOC 2 Type II, ISO 27001, ISO 42001, and customer-facing trust documentation.
  • Mentor engineers on secure coding and be the go-to expert when teams have a security question.

Benefits

  • Competitive Compensation: The USD base salary range for this role is $225,000 - $400,000, with equity on top of that. Final offer details are determined based on experience, expertise, and overall fit.
  • Relocation and Visa Support: We also offer relocation assistance for successful applicants moving to SF, as well as support for visa and green card applications where applicable.
  • Medical benefits: Comprehensive medical, dental and vision plans to suit the needs of you and your family.
  • 401(k) Program: Plan for your future with access to our company-sponsored 401(k) program.
  • Commuter Benefits: We provide commuter benefits to help make getting to and from the office easier and more convenient.
  • Unlimited PTO: So you can take the time you need to recharge, stay healthy, and bring your best self to work.
  • Office Perks: Enjoy a vibrant Downtown San Francisco office with catered lunch provided five days a week, premium snacks and coffee, a gym located in the building, and a dog-friendly environment!
© 2026 Teal Labs, Inc