Arcadia.io Verified
Healthcare Technology, Health IT, Data Analytics

Application Security Engineer

00, United States · Remote · Full Time · $131,250–$235,156 /yr · Posted 21 days ago · Visa sponsorship available

### Who you are
- The ideal candidate is a builder who would rather automate a finding than file a ticket, and who can explain a critical vulnerability to a junior developer without making them feel two inches tall
- 3–5 years of dedicated Application Security experience in a SaaS or cloud-native environment
- Hands-on proficiency with at least two of the following: SAST, DAST, SCA, or CSPM tooling (e.g., Snyk, Checkmarx, Semgrep, Wiz)
- Strong working knowledge of CI/CD pipelines (e.g., GitHub Actions, Jenkins, GitLab CI) and the ability to write and maintain pipeline integrations
- Experience with container security (Docker, Kubernetes) and API security patterns (REST, GraphQL)
- Demonstrated ability to communicate technical risk to non-security engineers in a way that drives action, not anxiety
- Experience standing up or maturing a Security Champions program
- Familiarity with cloud-native AWS security services (GuardDuty, Security Hub, IAM Access Analyzer)
- Exposure to threat modeling frameworks (STRIDE, PASTA, or lightweight equivalents)
- Relevant certifications (OSCP, GWAPT, CSSLP) — valued but not required

### What the job involves
- We are seeking a technically hands-on Application Security Engineer to join the Information Security team
- This individual will own the vulnerability management lifecycle across our SAST, DAST, and SCA tooling, integrate security automation into the CI/CD pipeline, perform threat modeling of product and engineering designs, and serve as a trusted advisor to our 300+ person engineering organization
- Own the end-to-end vulnerability management lifecycle: triage, prioritize, and drive remediation of findings from SAST, DAST, and SCA tooling in partnership with engineering squads
- Maintain, optimize, and extend security tooling integrations within the CI/CD pipeline with the goal of automating everything that can be automated
- Launch and run a Security Champions program, including workshops and office hours, to embed security knowledge directly into development teams across multiple geographies
- Act as the application-layer subject matter expert during security incidents, supporting triage, root cause analysis, and remediation
- Partner with Product and Engineering leadership to introduce security touchpoints earlier in the SDLC, including threat modeling and design review processes

### Benefits
- Remote-first culture: Work anywhere in the US as long as you have a reliable internet connection.
- Flexible PTO: No accrued hours and no limit on the number of vacation days employees can take each year.
- Medical, dental, and vision: 80-95% employer cost coverage for medical, dental, and vision benefits for employees and dependents. Transparency in coverage.
- Company-wide holidays: 15 annual company-wide holidays including a week-long "summer break".
- Weekly "flex time": No internal meetings on Tuesdays and Friday afternoons.
- Paid leave: 12 weeks paid parental leave for all parents, 10 days sick leave, up to 4 weeks bereavement leave.
- Additional time off: 2 volunteer days off, 2 professional development days off.
