AdTechTalent
security · 90 days ago · On-site

InMobi Advertising

Lead Application Security Engineer

application security, devsecops, penetration testing, security engineering, SAST, DAST, SCA, Checkmarx, OAuth2, OIDC, JWT, mTLS, API security, OWASP Top 10, AI security, LLM security, RAG pipelines, Python, Java, Node.js, Docker, Kubernetes, Burp Suite, OWASP ZAP, SQLMap, Kali, LangChain, prompt injection, security automation

Key details

Salary: Not specified
Employment type: Full-time
Seniority: Senior
Years experience: 5-10
Location: Bangalore, Karnataka, India

Full job description

InMobi Advertising is seeking a senior Application Security professional with 7+ years of experience in Application Security, Penetration Testing, DevSecOps, or Security Engineering. The role involves performing security testing across Web, API, Mobile (Android & iOS), TV, and Cloud services, including vulnerability assessments and penetration testing. Responsibilities include managing CI/CD security controls (SAST, DAST, SCA, secrets scanning, IaC scanning), building security gates (e.g., Checkmarx), conducting manual security code reviews in Java, Python, and Node.js, reviewing application designs for security best practices, automating security workflows, and partnering with engineering teams for remediation. The role also focuses on AI/GenAI security, applying secure SDLC practices for LLM-based features, mitigating OWASP LLM Top 10 risks, maintaining secure prompt templates, implementing AI guardrails, performing AI red teaming and adversarial testing, reviewing RAG implementations, and conducting AI-focused threat modeling. Required skills include hands-on experience with security tools (Burp Suite, OWASP ZAP, SQLMap, Kali), scripting in Python and Bash/PowerShell, knowledge of Docker/Kubernetes and cloud-native patterns, and familiarity with OAuth2, OIDC, JWT, mTLS, and API gateways. Preferred qualifications include bug bounty recognition, experience deploying open-source security tools, and certifications such as OSCP, OSCE, GWAPT, GPEN, CSSLP. The position is based in Bangalore, Karnataka, India.

What you'll do

  • Perform application security testing across Web, API, Mobile (Android & iOS), TV and Cloud services, including vulnerability assessments and penetration testing
  • Validate and triage security findings through exploit verification and risk-based severity assessment
  • Own and operate CI/CD security controls, including SAST, DAST, SCA, secrets scanning, and IaC scanning
  • Build and maintain security gates (e.g., Checkmarx or equivalent) with a focus on automation, accuracy, and developer usability
  • Conduct manual security code reviews for APIs and services written in Java, Python, and Node.js
  • Review application designs for authentication, authorization, data protection, and API security best practices
  • Automate security workflows using scripts and APIs to standardize testing and reduce manual effort
  • Partner with engineering teams to drive timely, risk-appropriate remediation and prevent repeat vulnerabilities
  • Apply AI Secure SDLC practices for LLM-based features, including prompt design, tool/function usage, and safe integration patterns
  • Assess and mitigate OWASP LLM Top 10 risks
  • Review and maintain secure prompt templates, including system prompt hardening and context scoping
  • Implement practical AI guardrails (output validation, policy checks, basic jailbreak and abuse detection)
  • Perform AI red teaming and adversarial testing using tools such as Garak, PyRIT, and custom test cases
  • Review RAG implementations to ensure authorization-aware retrieval, tenant isolation, and reduced data leakage risk
  • Identify and reduce sensitive data exposure risks in embeddings and ingestion pipelines
  • Conduct AI-focused threat modeling using OWASP LLM Top 10, STRIDE, and MITRE ATLAS as reference frameworks

Requirements

  • Minimum 7 years of experience in Application Security, Penetration Testing, DevSecOps, or Security Engineering
  • Proven hands-on ability with SAST/DAST/SCA, CI/CD security gates, and vulnerability triage/remediation workflows
  • 2–3 years’ experience building and managing security gating in Checkmarx (or equivalent)
  • 2–3 years’ experience performing manual security code review (APIs/services; common languages: Java/Python/Node.js)
  • Familiarity with OAuth2, OIDC, JWT, mTLS, API gateways, and service-to-service identity
  • Strong knowledge of OWASP Top 10 Mobile and OWASP Top 10 LLM
  • Strong experience with common testing tools: Burp Suite, OWASP ZAP, SQLMap, Kali (and similar)
  • Scripting/automation skills using Python, plus Bash/PowerShell familiarity
  • Working knowledge of Docker/Kubernetes, cloud-native patterns, and secrets management basics
  • Solid communication skills—ability to write clear findings, influence engineering decisions, and partner effectively
  • Hands-on familiarity with LLM integrations and Python AI ecosystems (e.g., LangChain / orchestration frameworks)
  • Understanding of RAG pipelines and vector database concepts (e.g., Pinecone, FAISS, Milvus or equivalent)
  • Ability to design/validate guardrails (policy allow/deny, jailbreak detection, output validation, safe tool calling)
  • Familiarity with AI security testing patterns (prompt injection testing, data leakage testing, agent/tool abuse testing)

Tech stack

Java, Python, Node.js, SAST, DAST, SCA, Secrets scanning, IaC scanning, Checkmarx, OAuth2, OIDC, JWT, mTLS, API gateways, Burp Suite, OWASP ZAP, SQLMap, Kali, Bash, PowerShell, Docker, Kubernetes, LangChain, Pinecone, FAISS, Milvus, Garak, PyRIT

Benefits

  • Continuous learning and career progression through InMobi Live Your Potential program
  • Equal Employment Opportunity employer
  • Reasonable accommodations for qualified individuals with disabilities
