You'll own application security at a company where the app layer is the highest-priority security surface. This is not a scan-and-triage role. You'll embed in the development lifecycle, review code for exploitable flaws, build security tooling into CI/CD, and drive vulnerability remediation across a platform serving 300K+ experts and enterprise clients processing sensitive AI training data.
We use AI heavily in our own security work. You should be comfortable building alongside AI code-gen tools, using LLMs to accelerate code review and threat modeling, and automating away the repetitive work that slows AppSec programs down. If you'd rather write a CodeQL query than file a Jira ticket, you'll fit in here.
We're in-person five days a week at our SF headquarters, with first Fridays remote.
What You'll Build:
- Security review workflows embedded in the SDLC - PR-level analysis that catches auth bugs, injection flaws, and business logic errors before they ship
- SAST/DAST pipelines integrated into CI/CD - shifting security left without slowing down deploys
- Vulnerability management processes that prioritize by real exploitability, not CVSS score
- Secure coding standards and guardrails that make the safe path the easy path for 50+ engineers
- Threat models for new features and architecture changes - especially around AI data pipelines, payment flows, and multi-tenant boundaries
- Bug bounty program operations - triaging HackerOne reports, validating findings, and driving fixes to closure
What We're Looking For:
- You've found and fixed real vulnerabilities in production applications - not just run scanners
- Deep understanding of web application security: the OWASP Top 10 is the baseline; you think in terms of attack chains and business logic flaws
- Strong in at least one of Python, TypeScript, or Go - you can read a PR and spot the auth bypass
- Experience building or tuning SAST/DAST tooling (Semgrep, CodeQL, Snyk, Burp, or similar)
- You understand modern web frameworks, APIs, and authentication patterns well enough to threat model them
- Experience managing a vulnerability pipeline - from discovery through prioritization to verified remediation
- 5+ years of professional experience in application security, security engineering, or software engineering with a strong security focus
Bonus Points:
- Experience running or triaging a bug bounty program (HackerOne, Bugcrowd)
- Offensive security skills - you've done penetration testing and can think like an attacker
- Experience securing AI/ML applications - model serving APIs, training data pipelines, prompt injection defense
- Familiarity with supply chain security - dependency scanning, registry firewalls (Socket, Snyk)
- You've built custom security tooling that a team still uses
- Contributions to open source security projects or published vulnerability research