About The Position

Avalara is seeking a Principal Security Engineer to serve as a technical authority for enterprise security architecture, risk, and governance. The primary focus is the safe and responsible use of AI across the business, together with application and cloud risk that spans multiple domains. The Principal Security Engineer plays a critical part in defining and enforcing security guardrails for internal and enterprise use of AI, including corporate tooling, workflows, and platforms. The role provides independent, senior-level security judgment on complex or high-risk security decisions and acts as a final reviewer and escalation point when enterprise or cross-functional risk is involved. Operating outside of the engineering organization, this role partners closely with Security, IT, Product, Platform, Legal, Privacy, and Compliance teams, and provides consultative and escalation-based support to Engineering and Product Security teams when requested.

Requirements

  • Bachelor's degree in Cybersecurity, Computer Science, AI/ML, or a related technical field.
  • 10+ years of experience in security engineering, security architecture, or software engineering, with at least 5 years in Application Security. Demonstrable experience applying AI/ML in cybersecurity is preferred.
  • Expertise in AppSec tools (Checkmarx, Veracode, Snyk, SonarQube, etc.) and integrating them into modern CI/CD workflows.
  • Hands-on experience building or integrating AI/ML pipelines for use in threat detection, anomaly detection, or predictive risk modeling.
  • Strong background in secure coding, microservices architecture, and defending APIs, web apps, and serverless environments.
  • Proficiency in Python or similar languages for scripting, data processing, and automation.
  • Familiarity with LLMs and generative AI platforms (e.g., OpenAI, Claude, Gemini) and their security implications.
  • Deep understanding of cloud-native technologies (Kubernetes, containers, serverless) and the corresponding security controls, including general cloud security concepts and tooling (CSPM, CNAPP).
  • Ability to translate complex security and AI concepts to stakeholders across technical and non-technical roles.

Nice To Haves

  • Master’s degree preferred
  • Certified Information Systems Security Professional (CISSP)
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • Certified Cloud Security Professional (CCSP)
  • GIAC Cloud Security Automation (GCSA)
  • GIAC Web Application Penetration Tester (GWAPT)
  • GIAC Machine Learning & Artificial Intelligence (GMLE) (or equivalent)

Responsibilities

AI & Automation-Driven Security

  • Design and implement AI-powered security frameworks to enable adaptive, intelligent detection, prevention, and response capabilities across applications, cloud environments, and infrastructure.
  • Integrate machine learning and behavior analytics into threat detection pipelines to automate identification of anomalies, insider threats, and unknown attack patterns.
  • Lead development of predictive risk scoring engines using contextual telemetry, identity signals, and threat intel to prioritize and automate responses.
  • Architect autonomous security workflows using SOAR, LLM agents, and API integrations for a variety of use cases, particularly those that are considered "AI for Security orgs."
  • Prototype use cases for generative AI, such as automated threat summaries, vulnerability triage, security policy generation, and chatbot assistants for security engineering.

AI & Application Security

  • Provide principal-level application and AI security guidance to non-engineering teams, including IT, HR, Legal, Finance/Accounting, and other business functions, helping them understand and manage application and AI-related risk.
  • Partner with Avalara’s Product Security organization to adopt, support, and reinforce existing secure SDLC standards, tooling, and processes.
  • Perform independent risk analysis and threat modeling for applications, platforms, and AI-enabled workflows that fall outside normal Engineering activities or require cross-domain review.
  • Serve as an escalation and second-line advisory resource for high-impact application and AI security risks, providing risk-based recommendations.
  • Advise on secure design patterns for authentication, authorization, API security, and data protection, aligning recommendations with established practices and technology choices.
  • Support security assessments of AI-enabled product and internal features, contributing expertise in LLM threat modeling, abuse-case analysis, and emerging AI-specific risks, in coordination with Product Security and Engineering teams.

Cloud & Platform Security

  • Define and review cloud security reference architectures across AWS, Azure, and GCP, with an emphasis on zero-trust principles and identity-driven access controls.
  • Partner with platform and infrastructure teams to harden preventive controls against cloud misconfiguration and drift.
  • Evaluate cloud security tooling and platforms, including AI-assisted capabilities, to improve visibility, prioritization, and operational efficiency while maintaining auditability and control.
  • Serve as an escalation point for complex or high-impact cloud security risks, influencing remediation strategies and risk acceptance decisions.

Enablement & Governance

  • Mentor non-engineering teams on AppSec best practices and AI safety principles.
  • Define security metrics and dashboards to track the effectiveness of AI and AppSec initiatives.
  • Contribute to Avalara’s broader AI governance efforts, ensuring responsible and secure use of AI in both platform and enterprise environments.

Benefits

  • In addition to a great compensation package, paid time off, and paid parental leave, many Avalara employees are eligible for bonuses.
  • Benefits vary by location but generally include private medical, life, and disability insurance.
  • Avalara strongly supports diversity, equity, and inclusion, and is committed to integrating them into our business practices and our organizational culture. We also have a total of 8 employee-run resource groups, each with senior leadership and exec sponsorship.