Senior Manager, Application Security

Harris, NC

We’re looking for bold, entrepreneurial talent ready to help build something extraordinary — and reshape the future of building products distribution.

QXO is a publicly traded company founded by Brad Jacobs with the goal of building the market-leading company in the building products distribution industry. On April 30, 2025, QXO completed its first acquisition: Beacon Building Products, a leading distributor in the sector.

We are building a customer-focused, tech-enabled, and innovation-driven business that will scale rapidly through accretive M&A, organic growth, and greenfield expansion. Our strategy is rooted in delivering exceptional customer experiences, improving operational efficiency, and leveraging data, digital tools, and AI to modernize a historically under-digitized industry.

What you'll do:

As a Senior Manager, Application Security at QXO, you’ll lead the security strategy for an AI-first engineering organization. You will embed security into CI/CD pipelines, cloud-native architectures, and agentic AI systems while operating as a hands-on technical leader. In the near term, this role is expected to directly participate in architecture reviews, pipeline integration, and AI system security design while building and scaling a high-performing Application Security function that enables innovation without increasing enterprise risk.

  • Define and execute QXO’s DevSecOps and Secure AI engineering strategy aligned to enterprise growth and digital transformation objectives.
  • Embed automated security controls into CI/CD pipelines, including SAST, DAST, SCA, container scanning, secrets detection, SBOM generation, and infrastructure-as-code validation.
  • Design and operationalize secure architecture patterns for APIs, microservices, containers, serverless, and cloud-native applications.
  • Partner with engineering and AI teams to secure agentic AI systems, including LLM integration layers, inference endpoints, vector stores, RAG pipelines, orchestration frameworks, and model-to-tool execution pathways.
  • Define guardrails to mitigate risks such as prompt injection, jailbreaks, context leakage, hallucinated dependencies, insecure agent execution, and privilege escalation via autonomous systems.
  • Ensure AI-generated code and model-integrated features meet secure coding standards and undergo automated validation prior to production deployment.
  • Lead application and AI-system vulnerability management, driving measurable reduction in risk and improved remediation velocity.
  • Strengthen software supply chain security, including SBOM governance and dependency risk management.
  • Build and scale an Application Security / DevSecOps team while fostering a shared security ownership model across engineering.

Preferred Player-Coach Experience (Hands-On Early Phase):

  • Direct experience integrating and operating modern AppSec tooling within CI/CD pipelines, including SAST, SCA, container scanning, IaC security, secrets detection, and SBOM generation.
  • Strong hands-on capability with secure coding and code review in languages such as Python, Go, TypeScript, or Java, with the ability to guide engineers through remediation and secure design decisions.
  • Practical experience securing cloud-native architectures across AWS, Azure, or GCP, including building reusable secure patterns and hardened templates.
  • Hands-on work securing AI/LLM systems, including inference endpoints, vector databases, model integration layers, RAG pipelines, and orchestration frameworks (e.g., LangChain, LlamaIndex, or similar).
  • Experience testing and mitigating AI system vulnerabilities such as prompt injection, jailbreaks, context leakage, insecure tool execution, hallucinated dependencies, and model misuse risks.
  • Experience evaluating and governing AI-assisted developer tools (e.g., GitHub Copilot, Claude Code, Factory AI, Codeium) and validating AI-generated code for security and reliability prior to deployment.
  • Familiarity with AI-specific threat modeling methodologies (e.g., STRIDE adaptations for AI systems, MITRE ATLAS) and integrating them into SDLC workflows.
  • Proven ability to stand up new security capabilities from the ground up, including tool selection, pipeline automation, documentation, and developer enablement programs.
  • Demonstrated credibility working closely with engineers, platform teams, architects, ML/data teams, and product owners to embed security into design and sprint planning.
  • Comfort operating as an individual contributor while scaling a team, participating directly in code reviews, pipeline builds, and deep technical reviews.

What you'll bring:

  • 8+ years of experience in application security, DevSecOps, cloud security, or secure software engineering.
  • 3+ years of experience leading technical teams in high-velocity engineering environments.
  • Deep expertise in CI/CD automation, pipeline security, and security-as-code implementation.
  • Experience securing cloud-native architectures across AWS, Azure, or GCP environments.
  • Strong understanding of secure coding standards, OWASP Top 10, threat modeling, and modern software supply chain risks.
  • Experience evaluating, governing, or securing AI-assisted development tools and LLM-powered systems.
  • Familiarity with risks unique to AI-enabled systems, including prompt injection, context leakage, model misuse, and autonomous execution control gaps.
  • Ability to partner effectively with senior engineering leadership in a fast-scaling, innovation-driven organization.
  • Relevant certifications such as CISSP, CSSLP, cloud security credentials, or AI governance certifications preferred.

What you'll earn:

  • Base pay range: $140,400 - $210,600
  • Annual performance bonus
  • 401(k) with employer match
  • Medical, dental, and vision insurance
  • PTO, company holidays, and parental leave
  • Paid Time Off/Paid Sick Leave: Applicants can expect to accrue 15 days of paid time off during their first year (4.62 hours for every 80 hours worked) and increased accruals after five years of service.
  • Paid training and certifications
  • Legal assistance and identity protection
  • Pet insurance
  • Employee assistance program (EAP)

QXO is an Equal Opportunity Employer. We value diversity and do not discriminate on the basis of race, color, religion, sex, national origin, age, disability, or any other protected status.

Posted 2026-03-09
