Senior Lead Application Security Engineer

About The Position

Requirements

• Application security fundamentals: secure SDLC, threat modeling, OWASP Top 10, secure code review, and remediation across multiple languages and stacks.
• Agentic and AI security: securing LLM- and agent-based systems (prompt injection, tool/MCP security, sandboxing, guardrails), plus building autonomous agents that perform security work. OWASP Top 10 for LLMs and MITRE ATLAS a strong asset.
• DevSecOps and pipeline security with Azure DevOps: SAST, SCA, DAST, secrets and IaC scanning, SBOM generation, container signing and attestation, and pipeline access controls.
• Security scanning and tooling: Mend (SCA/SAST), Azure Defender for Cloud, and MDR/SOC platforms.
• Hands-on with modern agentic and AI-security tooling: agentic coding and security assistants (e.g. Claude Code with custom agent skills and MCP), AI-assisted code analysis and autofix (e.g. Semgrep, Snyk / DeepCode AI, GitHub Copilot Autofix / CodeQL), LLM and agent red-teaming (e.g. garak, Microsoft PyRIT, Promptfoo), and runtime guardrails and model supply-chain protection (e.g. Lakera Guard, NVIDIA NeMo Guardrails, Protect AI).
• Cloud-native security on Azure Kubernetes Service (AKS): RBAC, network policies, admission controllers (e.g. Kyverno), workload identity, and cluster hardening.
• Identity and access management: Keycloak, Azure Active Directory, Managed Identities, and secrets management (e.g. CSI secrets driver, Key Vault).
• Infrastructure-as-code: Bicep or Terraform for security configuration, policy-as-code, and drift management.
• Compliance frameworks and automated evidence collection: SOC 2, ISO 27001, and Cyber Insurance requirements.
• Scripting and automation (e.g. Python, PowerShell, or C#) to build security tooling and orchestrate agents.
• You think proactively: you anticipate how systems will be attacked and build defenses ahead of the threat, rather than waiting to respond.
• You are a do-er, not just an advisor: you implement the fixes yourself and measure success by what ships and what is provably more secure, not by recommendations handed to someone else.
• You demonstrate strong ownership of technical outcomes and a commitment to quality.
• You apply sound engineering judgment when making design and implementation decisions, balancing security rigor with developer velocity.
• You communicate clearly and effectively with both technical and non-technical stakeholders.
• You continuously develop technical and domain expertise in application security, cloud security, and the rapidly evolving field of agentic/AI security.
• You collaborate effectively within cross-functional, outcome-oriented teams.
• You leverage AI to accelerate projects and improve overall quality of output, and you are excited to push the frontier of what agentic defense can do.

Nice To Haves

• OWASP Top 10 for LLM Applications
• MITRE ATLAS

Responsibilities

• Embed application security into the Cloud Platform and across all CI/CD pipelines, making secure-by-default the path of least resistance for every R&D team.
• Design, build, and operate AI-driven security agents that proactively scan, triage, and remediate vulnerabilities across source code, dependencies, containers, and infrastructure-as-code, turning point-in-time reviews into continuous, autonomous coverage.
• Establish secure software development lifecycle (SSDLC) practices, threat modeling, and secure-coding standards, and integrate automated enforcement (SAST, SCA, DAST, secrets scanning, IaC scanning) as native pipeline gates rather than bolt-on checks.
• Lead the security of our own agentic systems: defend against prompt injection, tool/MCP abuse, data exfiltration, excessive agency, and supply-chain risk in line with frameworks such as the OWASP Top 10 for LLM Applications and MITRE ATLAS.
• Drive proactive vulnerability management: remediate HIGH and CRITICAL CVEs across platform infrastructure and container images in line with contractual and compliance commitments, and automate the toil out of it.
• Partner with engineering teams to harden Azure Kubernetes Service (AKS) workloads, identity and access (Keycloak, Azure AD, Managed Identities, workload identity), network segmentation, and secrets management.
• Contribute security evidence and controls to compliance programs (SOC 2, ISO 27001, Cyber Insurance), and automate evidence collection and continuous control monitoring with agentic tooling.
• Define and maintain security runbooks, detection logic, and incident response procedures, and build the agents that execute and accelerate them.
• Act as the security skill set within the platform team raising the bar through code review, pairing, and sharing pragmatic, developer-friendly guidance.
• Contribute to improving the Agentic Operating Model through development of security-focused agent skills, prompts, and tooling that other teams can reuse.

Benefits

• Flexible work opportunities
• Hybrid work opportunities