Senior AI Security Engineer

No salary information
Senior · Full-time
#374893 · Added today
Source: EPAM Systems

Tech Stack / Keywords

Security

Requirements

  • Bachelor's degree in Computer Science, Information Security, Engineering, or equivalent practical experience
  • Hands-on application security experience across the software development lifecycle
  • Strong understanding of common application vulnerability classes and mitigations, including the OWASP Top 10, and of secure coding principles
  • Practical experience with application security tooling such as SAST, DAST, SCA, and secrets scanning, and integrating it into CI/CD
  • Working knowledge of at least one programming language (e.g., Python, Java, C#, JavaScript/TypeScript, or Go) sufficient to read code and assess vulnerabilities
  • Experience with threat modeling and secure design review methodologies
  • Understanding of DevOps/DevSecOps practices, CI/CD pipelines, and secure-by-design principles
  • Familiarity with cloud application security concepts across at least one major cloud platform such as Azure, AWS, or GCP
  • Experience participating in several production projects or engineering teams
  • Ability to work closely with developers, architects, QA engineers, DevOps, product, and security teams, and to influence without owning the codebase
  • Ability to follow, maintain, and improve defined security processes
  • Practical understanding of AI-assisted productivity and automation beyond basic chatbot usage, including building or configuring AI agents, integrating LLMs with tools, prompt engineering, and secure AI tool usage
  • Good communication skills to explain security risks, technical decisions, and remediation plans to technical and non-technical stakeholders

Nice to have:

  • Experience with application security platforms and tools such as Snyk, Checkmarx, Veracode, SonarQube, Semgrep, GitHub Advanced Security, Burp Suite, OWASP ZAP, or similar
  • Experience with software supply chain security, including SBOM, SLSA, Sigstore, and dependency and artifact integrity controls
  • Experience with Infrastructure as Code and policy-as-code security tools such as Terraform, Bicep, ARM templates, OPA, Checkov, or Trivy
  • Experience with container and Kubernetes security, including image scanning, registries, runtime protection, and network policies
  • Experience with API security, secrets management (e.g., HashiCorp Vault, Azure Key Vault), and microservice security patterns
  • Understanding of at least one compliance or security framework such as ISO 27001, NIST, CIS Benchmarks, PCI DSS, HIPAA, SOC 2, or SOX
  • Experience integrating security findings with SIEM/SOAR, ticketing, and vulnerability management workflows
  • Experience with AI/LLM platforms or frameworks such as Azure OpenAI, Azure AI Foundry, Amazon Bedrock, Microsoft Copilot Studio, LangChain, or AutoGen
  • Understanding of AI and LLM application security risks, including prompt injection, insecure output handling, data leakage, excessive agency, insecure tool use, model governance, and AI supply chain risks
  • Security certifications such as CSSLP, GWAPT/GWEB, OSCP/OSWE, CISSP, CISM, CCSP, or AI-related certifications like AI-900 or AI-102

Responsibilities

  • Embed security into the full software development lifecycle and drive shift-left and secure-by-design practices across engineering teams
  • Perform and facilitate threat modeling, architecture security reviews, and design reviews for applications, services, and APIs
  • Conduct secure code reviews (manual and AI-assisted) and advise developers on secure coding patterns and remediation
  • Implement, configure, tune, and operate application security tooling, including SAST, DAST, IAST, SCA, secrets scanning, and IaC scanning, integrated into CI/CD pipelines
  • Triage, validate, prioritize, and reduce false positives in security findings, and partner with development teams to track issues through to remediation
  • Define, implement, and maintain security gates and policies in CI/CD pipelines that balance risk reduction with developer velocity
  • Secure the software supply chain, including dependency and open-source risk management, SBOM generation, artifact integrity and signing, and build pipeline hardening
  • Support and coordinate application penetration testing and validate fixes for identified vulnerabilities
  • Drive secrets management, secure configuration, API security, container and image security, and microservice security practices
  • Establish and run a security champions program, and develop and deliver secure-coding training, guidelines, and reusable security patterns for developers
  • Define and maintain application security standards, baselines, and policy-as-code, and contribute to vulnerability management and risk-acceptance processes
  • Build, deploy, and maintain AI-assisted automations and agentic workflows that reduce manual effort across daily application security activities
  • Build and integrate AI agents and LLM-backed automations into the SDLC and CI/CD pipelines, connecting models to scanners, code hosts, ticketing, and security tooling
  • Develop, test, and maintain reusable prompts, structured-prompting patterns, and prompt templates for recurring AppSec tasks
  • Implement retrieval over codebases, security standards, and remediation guidance so AI assistants answer from current, authoritative internal context
  • Build evaluation, validation, and human-in-the-loop checkpoints into AI-assisted AppSec workflows
  • Implement security and privacy controls for AppSec AI usage, including least-privilege access, prompt-injection resistance, and auditability
  • Design, implement, and operate security controls for AI- and LLM-powered application features aligned to the OWASP Top 10 for LLM Applications
  • Define and enforce guardrails for secure adoption of AI in product engineering and advise development teams on building AI features securely

Benefits

  • Flexible schedule and opportunity to work remotely within Poland
  • Chance to work abroad for up to 60 days annually
  • Business-driven relocation opportunities
  • Outstanding career roadmap
  • Leadership development, career advising, soft skills, and well-being programs
  • Certification opportunities (GCP, Azure, AWS)
  • Unlimited access to LinkedIn Learning, Get Abstract, Cloud Guru
  • English classes
  • Stable income (Employment Contract or B2B)
  • Participation in the Employee Stock Purchase Plan
  • Benefits package including health insurance, multisport, shopping vouchers
  • Strategically located offices with entertainment and relaxation zones, table tennis and football, free snacks, and coffee
  • Referral bonuses
  • Corporate, social, and well-being events
Flexible hours · Training subsidies · Conference budget · Language courses · Healthcare · Sports card · Employee shares · Bonuses · Free snacks