Staff+ Application Security Engineer - M&A

AnthropicSan Francisco, NY
Hybrid

About The Position

Anthropic's Application Security team secures the systems that build, serve, and increasingly are Claude. As Anthropic's footprint grows, that mandate now extends to companies and codebases acquired through mergers and acquisitions. This role establishes that function, owning security due diligence and secure integration for Anthropic's acquisitions. The engineer will assess a target's security posture pre-close, write the security risk readout for leadership, and post-close, bring acquired systems up to Anthropic's security standards. This is the first dedicated role for M&A security, and the engineer will formalize the playbook, risk model, and tooling to make the process repeatable. This is an AppSec role first, with the engineer being an active member of the Application Security team, participating in the same rituals, on-call rotations, and using the same tooling as engineers securing Anthropic's own product surfaces. The expectation is to use Claude as a primary tool and automate repeatable parts of diligence and integration. When deal flow is quiet, the engineer will contribute to core AppSec projects; when active, M&A will be the priority. The role is assessment-heavy, operates on confidential, time-sensitive work, and requires the ability to quickly assess unfamiliar codebases under pressure to produce clear risk pictures for leadership.

Requirements

  • Hands-on application and infrastructure security experience, including cloud and containerized environments.
  • Demonstrated ability to rapidly assess an unfamiliar codebase or architecture and produce a clear, prioritized risk assessment for a non-security audience.
  • Production-quality coding ability in at least one of Python, Go, Rust, or TypeScript.
  • Practical threat-modeling and vulnerability-identification skills.
  • Comfort operating with high autonomy, ambiguity, and tightly-held confidential context.
  • Clear written and verbal communication skills across varied audiences, including executives, legal and corporate development partners, and engineering counterparts.

Nice To Haves

  • 7+ years in application security, security consulting, or security architecture.
  • Prior M&A security due diligence, third-party security assessment, or technical due diligence experience.
  • Experience standing up or scaling SAST/DAST, bug bounty, or vulnerability management coverage across multiple codebases.
  • Track record of building security automation or tooling rather than relying solely on manual review.
  • Familiarity with using LLMs as a core part of your security workflow.
  • Experience securing agentic, code-execution, or LLM-integrated systems.

Responsibilities

  • Lead pre-close security due diligence on prospective acquisitions, including coordinating external penetration testing, threat modeling target architectures, assessing security controls, and delivering security risk readouts to leadership.
  • Drive post-close security integration, including standing up static and dynamic analysis coverage on acquired codebases, tracking high- and critical-severity remediation, folding acquired assets into bug bounty scope, and onboarding repositories to Anthropic's automated vulnerability remediation and reporting systems.
  • Coordinate with adjacent security engineering teams (supply chain, cloud, corporate security, detection & response) on their integration responsibilities.
  • Collaborate with a wide set of stakeholders, including corporate development, legal, security leadership, and engineering teams inheriting acquired systems internally, as well as engineering and security counterparts at target companies externally, translating between them and ensuring the security workstream is clear to all parties.
  • Formalize and scale Anthropic's M&A security playbook, including the risk-scoring model, diligence runbook, and integration checklist, and automate as much of it as possible using Claude-powered tooling.
  • Share the team's operational on-call rotation, including bug bounty escalations, launch consults, and incident response, with flexibility during periods of active deal work.
  • Contribute to core AppSec projects between deals, such as secure design reviews, threat modeling for agentic systems, and the team's security automation roadmap.

Benefits

  • Competitive compensation and benefits
  • Optional equity donation matching
  • Generous vacation and parental leave
  • Flexible working hours
  • A lovely office space in which to collaborate with colleagues
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service