Skip to content
Trail of BitsTrail of BitsUnited States

Security Engineer, Application Security

Conduct low-level code security assessments, architecture reviews, and threat modeling for client applications. Build custom security tools bridging vulnerability research and application security. Requires manual code review, binary analysis, and programming proficiency in multiple languages.

100k – 200k
Remote5+ YOESecurity Engineering

About the role

What You’ll Achieve

Security Assessment: Conduct comprehensive low-level code security assessments across applications, examining vulnerabilities in system services, access control implementation, inter-process communication, and platform security controls while developing mitigation strategies.

Security Tool Development: Design and implement custom security tools for automated vulnerability detection, focusing on both application-specific and general security testing needs to bridge the gap between vulnerability research and application security.

Architecture Review: Perform detailed architecture reviews and threat modeling of complex software systems and cloud environments, identifying potential security weaknesses in areas such as data flows, authentication mechanisms, and API security while providing remediation guidance.

Client Engagement: Work directly with industry-leading teams to review their application infrastructure and architecture, helping secure their environments through deep technical analysis and recommendations.

Research & Innovation: Contribute to the advancement of application security, developing new methodologies and tools while staying up to date with the latest security developments in both traditional and emerging technology ecosystems.

What You’ll Bring

  • Application security assessment experience. Direct experience conducting low-level code security assessments of complex software, identifying and mitigating application and system-level vulnerabilities. You read the code, not just the scanner output.
  • Manual code review depth. Hands-on experience performing manual code reviews to find vulnerabilities that automated tools miss. You can explain why a bug is exploitable, not just that a tool flagged it.
  • Static and dynamic analysis fluency. Experience using static and dynamic analysis tools as part of a deeper review process, including knowledge of where these tools fall short and how to extend them.
  • Binary analysis and reverse engineering. Experience performing binary analysis and reverse engineering of compiled software. Comfortable with disassemblers, decompilers, and the surrounding tooling.
  • Memory corruption vulnerabilities and mitigations. Demonstrated experience identifying memory corruption vulnerabilities and reasoning about modern mitigations. You understand the exploit primitives, not just the CWE category.
  • System internals and security boundaries. Deep experience reasoning about system internals, IPC, access control implementations, and platform security boundaries in complex software.
  • Architecture review and threat modeling. Experience performing architecture reviews and threat modeling of software systems and cloud environments, identifying weaknesses in data flows, authentication, and API design and proposing realistic remediation.
  • Security tool development. Experience designing and building custom security tools for automated vulnerability detection. You bridge vulnerability research and application security by shipping tools, not just consuming vendor outputs.
  • Programming proficiency across multiple languages. Hands-on experience programming in two or more of Rust, Golang, Kotlin, Swift, Objective-C, JavaScript, TypeScript, Python, Ruby, C, or C++, used for both security analysis and tool development.
  • Communicating findings to technical stakeholders. Experience translating complex security findings into clear, actionable recommendations for engineering and security teams.

Nice to Have

  • Experience with Android, iOS, or macOS system internals
  • Experience contributing to open source security tools, libraries, or research
  • Experience publishing original vulnerability research, CVEs, or technical writeups
  • Experience speaking at security conferences (DEF CON, Black Hat, BSides, OffensiveCon, RECon, etc.)
  • Experience identifying security misconfigurations in cloud environments (AWS, GCP, Azure)
  • Experience collaborating on government-funded security research (DARPA, IARPA, ONR, etc.)

Compensation & Benefits

The base salary for this full-time position ranges from $100,000 to $200,000 excluding benefits and potential bonuses. Various factors influence our salary ranges, including the specific role, level of seniority, geographic location, and the nature of the employment contract. An individual's specific work location, unique skills, experience, and relevant educational background will determine the final offer within this range.

Benefits for full-time employees:

  • Competitive salary complemented by performance-based bonuses
  • Fully company-paid insurance packages, including health, dental, vision, disability, and life
  • A solid 401(k) plan

Skills

RustGoPythonCC++JavaScriptTypeScriptKotlinSwiftObjective-CRubyStatic AnalysisDynamic AnalysisBinary AnalysisReverse Engineering
Zocdoc

Application Security Engineer

ZocdocUnited States

Application Security Engineer partnering with engineering teams to embed security into the SDLC, triage SAST/SCA findings, provide remediation guidance on OWASP issues, maintain security docs/playbooks, support governance/audits, and integrate GenAI tools while building AI governance guardrails.

100k – 140k
RemoteSecurity Engineering
BlackCloak

Security Engineer (Security Operations, Zero Trust)

BlackCloakUnited States

Security Engineer focused on security operations, incident response, and Zero Trust implementation. Designs, deploys, and supports security tools like SIEM, EDR, and Cloudflare; triages alerts, automates responses, and collaborates on cloud/IAM security. Requires 3-5 years experience in cloud-native security engineering.

100k – 140k
Remote3+ YOESecurity Engineering
Harvey

Compliance Analyst

HarveySan Francisco, CA

This Compliance Analyst role at Harvey involves owning and maintaining compliance documentation, coordinating evidence collection, and supporting third-party assessments. The role requires hands-on compliance work, close collaboration with Engineering and Security teams, and a detail-oriented approach to ensure program health and continuous monitoring.

99k – 149k
Hybrid3+ YOESecurity Engineering
Metropolis

Security Engineer II

MetropolisLos Angeles, CA

Security Engineer II responsible for monitoring security alerts, responding to incidents, administering enterprise security tools, and supporting cloud and identity security initiatives. Requires 3+ years in cybersecurity or related fields with strong scripting and troubleshooting skills.

105k – 150k
On-site3+ YOESecurity Engineering
Astra

GRC Program Manager

AstraUnited States

Owns end-to-end execution of GRC programs including SOC 1/2, PCI DSS, and ISO 27001 audits, control design, risk assessments, and vendor management. Partners with engineering to implement technical controls and documentation for scalable compliance in fintech.

95k – 135k
Remote3+ YOESecurity Engineering