AI AppSec / AiSec Engineer

1600 - 1800 PLN / day, B2B
Mid · Full-time · B2B
#354311 · Added 20 days ago · 3
Source: nofluffjobs.com

Tech Stack / Keywords

Security · OWASP · API · AI · CD pipelines · SonarQube · Nessus · Python · NIST · ISO · Testing · OSCP · Cloud platform · Azure

Company and position

Mindbox is a tech-driven company connecting top IT talents with technology projects for leading enterprises across Europe. The role is part of the Cybersecurity Technology & Engineering team, focusing on advancing application and AI security capabilities by embedding secure-by-design principles within software development lifecycles and addressing emerging security challenges associated with AI-powered solutions and ML pipelines.


Requirements

  • Strong background in application security engineering, including secure code reviews and vulnerability analysis.
  • Expertise in OWASP Top 10, API security, OAuth2.0/JWT, and understanding of AI/ML-specific security risks (OWASP LLM Top 10).
  • Ability to conduct threat modelling sessions (e.g., STRIDE, PASTA) and articulate risk findings.
  • Hands-on experience securing CI/CD pipelines and integrating security tooling (e.g., Checkmarx, SonarQube, TruffleHog, Aqua, Tenable, Nessus).
  • Strong scripting skills in Python for automation and security tooling.
  • Familiarity with security frameworks and standards (NIST, ISO 27001) and applying them in regulated environments.
  • Analytical mindset with an ability to present evidence-based risk assessments to both technical and non-technical audiences.
  • Excellent communication and collaboration skills; ability to mentor and advise distributed engineering teams.
  • Experience working in an Agile environment with DevSecOps practices.

Nice to have:

  • Practical experience applying OWASP LLM Top 10 in real-world AI/ML assessments.
  • Understanding of adversarial ML techniques (model evasion, data poisoning, inversion attacks).
  • Experience with Software Composition Analysis (SCA) and open-source vulnerability scanning.
  • Familiarity with penetration testing activities at application and API levels.
  • Certifications such as CSSLP, OSCP, CEH, or equivalent.
  • Hands-on experience with secure configurations on cloud platforms (GCP, Azure).
  • Prior exposure to regulated sectors such as financial services is an advantage.

Responsibilities

  • Perform secure code reviews, delivering actionable and developer-friendly feedback to global engineering teams.
  • Act as a security consultant: identify insecure coding patterns, deprecated protocols, and compliance gaps; define migration paths to modern secure alternatives.
  • Evaluate new security solutions through Proof of Concept (POC) and Proof of Value (POV) engagements, applying structured methodologies to validate effectiveness before adoption.
  • Apply scientific rigor in vulnerability analysis, using metrics and statistical modelling to assess and communicate security risks objectively.
  • Conduct comparative evaluations of large language models (LLMs) for security applications, including vulnerability detection, fix generation, and security automation.
  • Assess and secure AI/ML pipelines and generative AI integrations, mitigating risks such as prompt injection, data poisoning, and model abuse.
  • Define security configuration standards for AI tools and platforms, ensuring compliance with secure-by-default principles.
  • Review and evaluate AI-assisted development tooling (e.g., GitHub Copilot), measuring risks and testing detection accuracy.
  • Provide technical mentorship and contribute to knowledge sharing and security capability uplift across engineering teams.
  • Collaborate on developing reusable security patterns, policies, and guidance for embedding security in new product and service development.

Offer

  • Flexible cooperation model – choose the form that suits you best (B2B, employment contract, etc.)
  • Hybrid work setup – 6 days per month from the office
  • Collaborative team culture – work alongside experienced professionals eager to share knowledge
  • Continuous development – access to training platforms and growth opportunities
  • Comprehensive benefits – including Interpolska Health Care, Multisport card, Warta Insurance, and more
  • High-quality equipment – laptop and essential software provided

Flexible hours
Healthcare
Sports card
Insurance

Mindbox S.A.
