Principal Engineer — Product & Application Security

FreshworksSan Mateo, CA
$241,000 - $298,000Hybrid

About The Position

We are looking for a Principal Engineer — Product & Application Security to be the top technical authority for how Freshworks builds secure software. As an IC6 Principal, you set the multi-year security technical vision for our products and platform, make the calls on our hardest security-architecture problems, and are the person the company relies on when the stakes are highest — across a multi-tenant SaaS estate serving 72,000+ customer accounts and hundreds of integrations. As Freshworks evolves from a suite of service products into an AI-first system of business intelligence — with autonomous agents, a Knowledge and Context Graph, and a growing agentic surface — the security bar must rise with it. This role goes beyond leading individual reviews and remediations: you define the secure-by-design paradigms, reference architectures, and organization-wide standards that determine how thousands of engineers ship, and you drive the strategic bets (AI/agent security, supply-chain integrity, zero-trust data protection) that keep Freshworks ahead of the threat curve. You will operate as a company-wide force multiplier — writing code and reference implementations, setting technical direction that outlives any single project, mentoring Staff and Senior Staff security engineers, and partnering directly with VP Engineering, the CISO organization, and product leadership to make security a durable competitive advantage.

Requirements

  • 12+ years in software engineering and/or security, with deep, sustained hands-on ownership of application/product security for production SaaS at enterprise scale
  • Track record as a Principal-level (or equivalent) individual contributor whose technical vision and standards shaped an entire engineering organization — you have defined direction that outlived individual projects
  • Deep experience securing multi-tenant, cloud-native SaaS platforms (ideally on AWS), including tenant isolation, authN/authZ, and API security at scale
  • Demonstrated impact eliminating vulnerability classes and setting the security frameworks, reference architectures, or paved roads adopted org-wide
  • Authoritative, current knowledge of application security anchored in OWASP frameworks — Web Top 10, API Security Top 10, ASVS, the LLM Top 10, and the newer OWASP Agentic AI Top 10 (the real-world attack classes targeting autonomous agents) — plus secure design patterns, authentication/authorization (OAuth 2.0, OIDC, SAML, SCIM), session management, and cryptography
  • Mastery of threat modeling (e.g., STRIDE), secure code review, and both manual and AI-assisted penetration testing across web, API, and cloud surfaces
  • Deep experience embedding security into CI/CD at scale: SAST, DAST (e.g., Snyk, Snyk Code), SCA, secret scanning, IaC scanning, artifact-repository management (e.g., Sonatype Nexus), and container/Kubernetes security aligned to the OWASP Kubernetes Top Ten (RBAC, workload isolation, supply-chain, and misconfiguration risks)
  • Strong coding ability in one or more of Ruby, Java, Go, Python, or JavaScript/TypeScript — enough to build reference implementations and security tooling and to be credible in any code review
  • Deep cloud security expertise (AWS preferred): IAM and role right-sizing, network/egress controls, KMS/secrets management, BYOK/field-level encryption, and infrastructure-as-code (Terraform/CloudFormation)
  • Authoritative grasp of cryptographic and compliance standards relevant to enterprise SaaS — e.g., FIPS 140-2/140-3, PCI, SOC 2, ISO 27001, and Google CASA / TX-RAMP control frameworks
  • Deep understanding of securing AI/LLM and agentic systems — including Claude and other LLM security concerns such as prompt injection, insecure tool use, model/data exposure, and non-human identity
  • Ability to set technical direction for and influence an entire engineering organization — and senior executives (VP/CISO) — through technical credibility and clear communication
  • A genuine service-oriented, "make the secure path the easy path" mindset toward internal developers
  • A multiplier: track record of growing Staff and Senior Staff engineers and building a durable security-champion culture across distributed teams

Nice To Haves

  • Deep experience securing ITSM, CX/CRM, or service-management products and their data models
  • Recognized external contributions: open-source security projects, published research, CVEs, standards bodies, or conference talks (e.g., Black Hat, DEF CON, OWASP)
  • Industry certifications such as OSCP, OSWE, GWAPT, CISSP, or equivalent (valued, not required)
  • Experience defining or scaling bug bounty / responsible-disclosure programs
  • Deep familiarity with modern AI/ML stacks — LLMs, embeddings, RAG pipelines, and agent frameworks (LangGraph, MCP, A2A) — and their security models
  • Experience shaping compliance and audit programs (SOC 2, ISO 27001, FedRAMP, GDPR)

Responsibilities

  • Own the multi-year technical vision and architecture strategy for product and application security across all Freshworks products (Freshdesk, Freshservice, and the shared Platform), and drive alignment on it across engineering and the CISO organization
  • Define the secure-by-design reference architectures, paradigms, and organization-wide standards (authN/authZ, tenant isolation, data protection, secrets, API security) that thousands of engineers build against
  • Set the strategic security agenda for the AI-first platform — securing the AI Agent Platform, Knowledge/Context Graph, and agentic workflows — anticipating threat classes before they reach production
  • Act as the final technical decision-maker and tie-breaker on the hardest, highest-risk security-architecture trade-offs
  • Lead threat modeling and security design reviews for the most critical, cross-cutting, and highest-risk systems — including identity and access, the integrations/connector framework (300+ apps), and the agent runtime
  • Set the standard for secure code review, manual and AI-assisted penetration testing, and vulnerability analysis; drive root-cause remediation strategies that eliminate whole vulnerability classes across the estate, not one bug at a time
  • Architect and harden multi-tenant security controls: strict tenant isolation, authentication/authorization models, secrets management, data protection, and API gateway security
  • Own the security design for AI/agentic features — prompt injection defense, tool-invocation authorization, non-human identity, and permission-scoped context access
  • Define the organization-wide, AI-assisted left-shift strategy: how SAST, DAST (e.g., Snyk), SCA/dependency scanning, secret detection, and IaC scanning are embedded across every CI/CD pipeline to catch issues before production
  • Set the direction for security tooling, automation, and paved-road frameworks and libraries that make the secure path the default path — including code-component asset inventory (API/SBOM/RBAC/secrets/integrations) and secure-by-default product hardening
  • Own the software supply-chain security strategy: centralized software artifact repository management (e.g., Sonatype Nexus), code artifact repository guardrails, and CI/CD pipeline hardening
  • Establish secure coding standards, golden patterns, and guardrails; operationalize threat modeling and maturity models (SAMM) across the product portfolio; and define the security quality gates the whole org is measured against
  • Serve as the top technical escalation point for the most severe security incidents — leading investigation, containment strategy, and post-incident architectural hardening
  • Set the risk-based prioritization framework for findings from internal testing, bug bounty, third-party pen tests, and researcher disclosures, and drive systemic fixes
  • Shape the strategy for the bug bounty and responsible-disclosure program
  • Act as the recognized top IC authority for product security — mentoring and multiplying Staff and Senior Staff engineers and security champions, and raising the security bar across the entire engineering organization
  • Influence company-level strategy: advise VP Engineering, the CISO organization, and product leadership; represent Freshworks' product-security posture to enterprise customers, auditors, and (where appropriate) the external security community
  • Drive cross-organizational security initiatives to completion through technical credibility and clarity — building consensus across many teams without formal authority
  • Define the security KPIs the organization is held to: reduction in high/critical findings reaching production, coverage of critical services by threat models, mean time to remediate, and adoption of secure-by-default frameworks
  • Deliver a measurable, sustained reduction in exploitable risk across the entire product portfolio while improving — not slowing — engineering velocity

Benefits

  • multiple options for dental, medical, vision, disability, and life insurance
  • Equity + ESPP
  • flexible PTO
  • flexible spending
  • commuter benefits
  • wellness benefits
  • adoption and parental leave benefits
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service