Principal Security Researcher

Spellbook
CA$201,500 - CA$252,000

About The Position

Legal teams worldwide trust Spellbook with their most sensitive data, and we're looking for a Principal Security Researcher to help us protect that trust at the source. You'll partner with the Director of Security & IT and work across the company to identify security risks, validate real-world impact, and reduce risk across Spellbook's products, infrastructure, AI workflows, and internal operations. This is a senior individual contributor role with broad influence. You'll move between original security research on legal AI and LLM-enabled workflows, hands-on offensive testing, secure product development partnerships with R&D and Engineering, and program-level work that raises the maturity of how Spellbook approaches red teaming, threat modelling, bug bounty triage, and incident response.

Requirements

  • Strong experience in application security, red teaming, penetration testing, vulnerability research, product security, or offensive security.
  • Hands-on experience testing modern web applications, APIs, authentication flows, authorization models, cloud services, and distributed systems.
  • Experience developing proof-of-concept exploits or clear technical demonstrations to validate security impact.
  • Firm grasp of common software security risks, secure design principles, identity and access controls, data protection, and secure development practices.
  • Experience partnering with engineering, product, or R&D teams to triage, prioritize, and remediate vulnerabilities end-to-end.
  • Excellent written and verbal communication skills, with the ability to write clear technical reports, executive summaries, remediation guidance, and public-facing research, and to explain trade-offs to engineers, PMs, and leadership.
  • Strong judgment around responsible disclosure, customer impact, confidentiality, and coordinated communication.
  • Pragmatic in distinguishing theoretical risk from practical risk, with the instinct to help teams focus on what matters most.
  • Comfortable operating with ambiguity and moving with urgency across hands-on testing, product security, incident support, and external coordination.
  • Track record of driving measurable risk reduction in a fast-moving technical environment.

Nice To Haves

  • Experience with AI security, LLM security, prompt injection, jailbreaks, agentic workflows, model abuse, or secure AI product development.
  • Experience in legaltech, fintech, healthtech, or another environment that handles highly sensitive customer data.
  • Experience managing or participating in bug bounty programs, responsible disclosure programs, or external researcher communities.
  • Experience publishing security research, speaking at conferences, or contributing to the broader security research community.
  • Familiarity with enterprise security expectations and compliance frameworks such as SOC 2, HIPAA, GDPR, or emerging AI governance frameworks.

Responsibilities

  • Identify security risks across the company and partner with the relevant teams to reduce them.
  • Lead active red teaming, application security testing, penetration testing, exploit validation, and adversarial analysis.
  • Conduct original security research on legal AI, LLM-enabled products, sensitive document workflows, prompt injection, data leakage, model misuse, and tool abuse.
  • Coordinate third-party penetration tests, red team exercises, audits, and other external security assessments.
  • Own external vulnerability reports — bug bounty submissions, responsible disclosure reports, researcher communications, triage, validation, prioritization, and remediation tracking.
  • Drive threat modelling and secure design reviews for new products, features, AI workflows, integrations, and infrastructure changes.
  • Partner with R&D and Engineering to surface trust boundaries, abuse cases, and data exposure risks early in development.
  • Support Security Operations during incident response by reproducing vulnerabilities, validating exploits, assessing impact, and recommending remediation.
  • Engage with frontier AI labs, external researchers, vendors, and the broader security community to stay current on AI safety and security developments.
  • Publish security research, advisories, technical writeups, blog posts, or conference talks where aligned with company priorities.
  • Define and improve repeatable processes for security research, testing, vulnerability management, and remediation across Spellbook.
  • Support other responsibilities and projects as required.

Benefits

  • Company-paid group benefits for you and your family
  • $1,000 towards mental health support
  • Holiday closure
  • Generous time off policies
  • Monthly paid meals
  • Annual wellness allowance
  • Parental leave top-ups
  • Competitive stock option grants

© 2026 Teal Labs, Inc