Qureos

Find The Right Job.

Senior Product Security Engineer

Overview: Serve as a senior security engineering resource supporting multiple product and development teams. Lead application and platform security assessments for new features, services, and emerging technologies, including AI-driven solutions. Conduct security testing and vulnerability validation activities, collaborate with engineering teams to remediate findings, and contribute code-based security improvements where appropriate. Manage external vulnerability reporting processes and coordinate risk management, compliance, and audit-related initiatives across the software development organization. Support incident response efforts and participate in an on-call rotation for security events affecting production environments.

Responsibilities:

  • Lead Product Security across our SaaS offerings, partnering with product and platform engineering teams on design, code, and remediation
  • Own the Unified Security Review process for new product launches, vendor evaluations, and AI tooling, including custom penetration tests scoped to each review
  • Drive the Security Engineering Risk Management Framework for consistent risk classification and remediation tracking across product
  • Lead the Vulnerability Disclosure Program and security bug reporting workflow, from researcher intake through fix
  • Drive SOC2 and compliance-related security remediation across product engineering, partnering with R&D leads on architectural fixes
  • Provide security review and guardrails for internal AI platforms and coding agents (LLM gateways, prompt/response controls, agent permissioning)
  • Participate in a shared on-call rotation for high-severity production security incidents

Qualifications:

  • 8+ years of application security engineering experience
  • Strong production coding ability in at least one of Java (preferred), TypeScript/JavaScript, Python, or Go — enough to perform deep code review, write proof-of-concept exploits, and contribute fixes directly into product repos
  • Building security automation into CI/CD pipelines
  • Hands-on penetration testing of production SaaS applications, including custom tests scoped to new product launches
  • Threat modeling, secure design reviews, and static/dynamic code analysis across the SDLC
  • Identifying and remediating common web application vulnerabilities (OWASP Top 10)
  • Experience securing internal AI/LLM platforms and coding agents (model gateways, prompt/response controls, agent permissioning)
  • Experience in Web3, Blockchain or Digital Assets (nice to have, not required)
  • Experience building AI workflows, agents, and guardrailing (nice to have, not required)

Tech Stack:

  • Cloud and containers: AWS, GCP, Kubernetes (EKS/GKE)
  • Infrastructure-as-Code: Terraform
  • Security tooling: Wiz, SonarCloud, Burp, Cloudflare
  • CI/CD and source control: GitHub, GitHub Actions, Artifactory and related build/deploy tooling
  • Languages and scripting: Java, JavaScript, Python, Go
  • AI Coding Agents, Tooling, Systems

© 2026 Qureos. All rights reserved.