Senior Application Security Engineer

About The Position

Requirements

• 6+ years engineering experience, with 4+ in a dedicated AI Application Security / Product Security role at a SaaS or cloud-native company. Not a consulting / audit background.
• Development background , hands-on and recent. You write code, not just review it. You can read PRs fluently in at least two of Python, TypeScript / JavaScript, Java / Kotlin, or Go, and you are comfortable in Terraform, Helm, and Kubernetes manifests.
• Hands-on experience with agentic AI and MCP development. You have personally built with, integrated, or operated agentic tooling. Examples that qualify: built an MCP server; integrated Claude Code, Cursor, or Copilot into a real engineering workflow under governance; worked with autonomous coding agents or harnesses; built or hardened an agent gateway; shipped guardrails for prompt injection, jailbreak resistance, or output sanitization in production.
• Production operation of a SAST / SCA pipeline at scale , Snyk, Semgrep, GitHub Advanced Security, Checkmarx, Veracode, or equivalent , including rule authoring, false-positive tuning, and CI/CD integration.
• Demonstrated ownership of a threat modeling or developer security training program , founder or substantial contributor. You can describe the artifacts, the integration into the design process, and the metrics that proved it worked.
• Layered security thinking. Defense-in-depth across code, contract, behavior, simulation, and data. You can speak to how findings at one layer propagate to others, and how to design for compounding control rather than redundant control.
• Strong written communication. You author policy, guidance, runbooks, and PR comments that engineers read and act on.

Nice To Haves

• Open-source contributions to a SAST / SCA tool, a security linter, an MCP server or framework, an agent harness, or a threat modeling tool.
• Experience shipping a deterministic compliance gate that an external auditor accepted as equivalent to human review.
• API security and DAST experience (Burp Suite, ZAP, Akto) and modern container / Kubernetes security (admission controllers, runtime protection, supply chain attestation).
• AWS security depth (IAM, KMS, GuardDuty, Security Hub, Organizations) and exposure to AI/ML production environments.
• Security partner on a customer-facing posture dashboard or DDQ response process, ideally in a regulated industry.
• Public writing or speaking on developer security, AI/agent security, or AppSec automation.
• Pre-IPO experience or familiarity with SOC 2 Type II, ISO 27001:2022, ISO 42001, SOX, GDPR.
• Certifications: OSWE, OSCP, CSSLP, AWS Security Specialty, or CISSP.

Responsibilities

• Operate and continuously tune the SAST, SCA, secrets-detection, and SBOM pipeline.
• Design, ship, and harden the deterministic security gates that make AI-authored PRs auditably equivalent to human-authored ones.
• Review human-authored and agent-authored PRs, catching the semantic violations static analysis misses. Co-submit AI-generated patch proposals so human effort scales as review-and-merge, not authorship.
• Drive findings to closure at the class level, fix a token-handling bug once at the platform layer and watch it propagate.
• Own how we secure AI-assisted development: Claude Code, Cursor, Copilot, MCP servers, agent-authored PRs, sub-agents handling rebases and CI fixes.
• Author and roll out our AI-Assisted Development Security policy: prompt injection defense, MCP scope and credential governance, agent credential inheritance, secret leakage to agent logs, agent-action audit attribution.
• Partner with harness engineering on agent scope declarations, agent identity registration, and the verification hooks that distinguish agent-initiated actions from human-initiated ones in the audit stream.
• Threat model new AI features , agent gateway, MCP connector architecture, AI workflows in the research platform , and ship the controls.
• Scale the threat modeling framework. Pilot with the highest-risk teams, then make it standard for new features and architectural changes.
• Partner with the product security team to build a security training program engineers actually use: secure coding patterns, authentication and authorization fundamentals, prompt injection awareness, how to engage Product Security on a design.
• Embed testable security acceptance criteria, agent scope declarations, and verification hooks into the PRD template so services declare their security posture at design time.
• Ensure Layer 1 signal (Code) is consumable by Layers 2-5 (Infrastructure & Contract, Behavioral Intelligence, Adversarial Simulation, and Data Segmentation) and by GRC for compliance evidence.
• Drive MTTR on critical findings under 24 hours, finding precision above 95%, and recurring named classes trending to zero quarter over quarter.
• Support DAST deployment, the API pen test program, and the customer-facing security posture dashboard.
• Coordinate penetration testing, bug bounty intake, and partner threat-intel feeds , translating external attack-pattern disclosures into detections within days, not quarters.
• Act as the primary technical responder for application-layer incidents, agentic behavior anomalies, or third-party integration compromises; leading the forensic investigation, architectural containment, and post-incident hardening requirements.

Benefits

• performance bonus
• equity
• generous benefits program