Sr. Application Security Engineer

Akasa•South San Francisco, CA

1d•$205,000 - $275,000•Hybrid

About The Position

At AKASA, our mission is to build the future of healthcare with AI. As the leading provider of generative AI solutions for the healthcare revenue cycle, we help health systems comprehensively capture and communicate the full patient clinical journey. By empowering health systems to streamline their operations, they can focus on what matters most - delivering quality patient care. We have raised over $205M in funding from investors such as Andreessen Horowitz, BOND, and Costanoa Ventures. This is the most exciting time to join AKASA. Revenue bookings for our new AI-native product suite have grown over 20x since launching in 2024. In this time, we have broken our record for the largest deal in company history three times consecutively. This growth is driven by the massive improvement we are generating for our customers across clinical quality and documentation accuracy, both top priority areas for health system leaders. Our deployments have been recognized nationally as "one of the most comprehensive real-world uses of GenAI in healthcare finance to date" ( link ). Our customer base represents more than $120B+ in net patient revenue and includes the most innovative health systems in the country, like Cleveland Clinic, Duke, Stanford, and Johns Hopkins. Some of our recent recognitions include being named one of America's Top Startup Employers 2026 by Forbes, #1 most promising healthcare RCM startup of 2025 by Black Book Market Research, and one of the fastest-growing GenAI startups to watch by AIM Research. Our CEO was ranked among the “Top 50 Healthcare Technology CEOs” by the Healthcare Technology Report, and we have been certified as a “Great Place to Work” for the past 6 years in a row. We’re building on this momentum to redefine what’s possible in healthcare. We’re looking for exceptional people to help us accelerate that reality. The opportunity We're looking for a seasoned Application Security Engineer who brings the credibility of a software engineering background and the mindset of a security practitioner. You'll be embedded with our engineering teams, helping us build secure systems from the ground up — not bolted on after the fact. You'll own our application security program, work closely with developers, and be a key voice in shaping how we think about risk across our product and infrastructure.

Requirements

10+ years of experience in software engineering, application security, or a combination of both.
A strong software engineering foundation — you've written production code and understand how applications are built, not just how they break.
Meaningful experience in application security, whether that came from transitioning out of a development role or through dedicated AppSec positions.
Hands-on experience with common vulnerability classes (OWASP Top 10, injection attacks, authentication flaws, insecure deserialization, etc.) and how to fix them.
Experience conducting or coordinating threat modeling, security architecture reviews, and secure code reviews.
Proficiency in one or more modern programming languages (Python, Go, Java, TypeScript, etc.) — enough to read, understand, and critique production code.
Familiarity with cloud security (AWS, GCP, or Azure) and container/Kubernetes security practices.
Experience integrating security tooling into CI/CD pipelines (GitHub Actions, Jenkins, etc.).
Working knowledge of authentication and authorization standards (OAuth 2.0, OIDC, SAML, RBAC).
Familiarity with API security, including REST and GraphQL attack surfaces.
You can communicate complex security concepts clearly to engineers and non-technical stakeholders alike.
You default to collaboration over confrontation — you know that security only works when developers are on your side.
You're comfortable with ambiguity and can prioritize effectively in a fast-moving environment.
You care about the mission — the systems you're protecting store and transmit sensitive patient data, and that responsibility motivates you.

Nice To Haves

Experience in a healthcare or health-tech environment.
Familiarity with HIPAA Security Rule requirements and how they translate to engineering controls.
Exposure to compliance frameworks such as SOC 2 Type II, HITRUST, or FedRAMP.
Experience building or maturing a security program at a startup or high-growth company.
Relevant certifications (OSCP, CSSLP, GWEB, CEH, or similar) — valued but not required.

Responsibilities

Own and evolve our application security program, including threat modeling, secure code review, SAST/DAST tooling, and penetration testing coordination.
Partner closely with engineering squads throughout the SDLC to identify and remediate vulnerabilities early — acting as a security champion, not a gatekeeper.
Lead security design reviews for new features and architecture changes, ensuring security requirements are well-understood and actionable.
Develop and maintain a vulnerability management program, prioritizing findings based on risk and driving remediation to closure.
Build and deliver security training and awareness programs tailored to developers — leveraging your engineering background to make guidance practical and relevant.
Evaluate and implement security tooling across the CI/CD pipeline (SAST, SCA, secret scanning, container scanning, etc.).
Support third-party penetration tests and bug bounty programs, including triage, validation, and remediation tracking.
Contribute to compliance efforts related to HIPAA, SOC 2, and other relevant frameworks, particularly as they relate to application and data security.
Monitor the threat landscape and proactively surface emerging risks relevant to our technology stack and industry.
Develop applications that run securely in cloud and containerized environments.