Senior Application Security Engineer

About The Position

Requirements

• Developed a breadth of experience across multiple security domains, including web and mobile application security, infrastructure and cloud security, and can connect these areas to drive a holistic security approach.
• Hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation.
• Ability to read, understand, and review source code to identify security issues, with ideally, a particular focus on JavaScript and TypeScript codebases.
• Strong understanding of Threat Modelling principles and their practical application to the secure software development lifecycle (SDLC).
• Experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns.
• Experience embedding application security practices into CI/CD pipelines, enabling early detection of vulnerabilities and close collaboration with engineering teams throughout the development lifecycle.
• Collaborated closely with engineering teams to clearly communicate security findings, explain vulnerabilities, attack paths, and mitigations, and support the implementation of effective fixes for both technical and non-technical audiences.
• Self-motivated, proactive, and take strong ownership of your work, operating effectively in a remote environment while maintaining a collaborative, team-focused mindset.

Nice To Haves

• Experience in JavaScript and TypeScript, including the ability to read, understand, and reason about modern web application codebases.
• Experience working with Cloudflare, including its hosting and Web Application Firewall (WAF) capabilities, to help secure and operate internet-facing applications.
• Experience testing and securing GraphQL, REST APIs, including understanding common GraphQL/REST-specific attack vectors and security considerations.
• Experience or a strong interest in Web3 security testing, including assessing smart contracts, blockchain-based applications, or Web3 integrations.
• An interest in agentic engineering, including emerging patterns in autonomous systems, tooling, or workflows, and their security implications.

Responsibilities

• Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process.
• Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate.
• Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation.
• Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls.
• Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance.
• Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack.
• Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization.
• Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation.
• Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements.

Benefits

• Competitive salary package
• Equity package
• Pay for performance equity bonus
• Moonshot award
• Unlimited holidays
• Hybrid working schedule
• Private Healthcare benefits
• Enhanced parental leave
• Annual training budget
• Home office setup allowance
• Remote working allowance
• Monthly budget to spend on our products and zero fee crypto transactions
• Employee referral programme
• Regular remote company offsites