Skip to content
RetoolRetoolSan Francisco, CA

Application Security Engineer

Application Security Engineer identifies systemic security gaps, builds tooling and automation like custom linters and static analysis, conducts code reviews and threat modeling, and drives vulnerability remediation in a TypeScript/Python codebase. Requires 5+ years hands-on AppSec experience and strong engineering depth.

232k – 318k/yr
On-site5+ YOESecurity Engineering

About the role

Responsibilities

  • Identify systemic security gaps in our codebase and engineering workflows, and work with engineering teams to design and ship durable solutions; you’ll drive solutions, not just surface problems
  • Build security tooling, automation, and code-level controls that address classes of vulnerabilities, including custom linters, static analysis rules, and automated checks, shifting the cost of catching issues left rather than handling them one at a time or after they’ve reached production
  • Conduct in-depth code reviews and security design reviews for significant product initiatives, with the technical depth to engage meaningfully with architectural tradeoffs rather than just flag issues for others to resolve
  • Drive threat modeling and security assessments for new features, and translate security requirements into practical engineering guidance that developers can actually act on
  • Contribute to the team’s evolving approach to security as AI-assisted development scales internally, including how faster and higher-volume code production changes how we find, prioritize, and fix risks
  • Triage, track, and drive remediation of vulnerabilities with product engineering teams, and contribute to our penetration testing and bug bounty programs

Requirements

  • 5+ years of hands-on experience in application security and security engineering: you’ve built things, not only assessed them, and your background is not mainly consulting, audit, or compliance work
  • The ability to operate independently with good judgment in a fast-moving environment: you prioritize well by understanding the needs of the business and our shared objectives, make calls with incomplete information, and know when to move fast versus when to slow down and get it right, or escalate and ask for help
  • Communication that earns trust: you can make security legible to engineers without being preachy, and you measure your impact by how well you’ve supported the business, not by how many issues you catalogued
  • A track record of shipping security tooling or automation that improved things for more than one team
  • Genuine engineering depth: you can read, reason about, and review code at the level needed to find real bugs and understand their root causes, not just pattern-match to a checklist
  • Comfort working in TypeScript and Python: Retool’s platform is built in TypeScript and our security tooling leans on Python, you’ll need to be productive in both and not just conversant
  • Strong AppSec fundamentals: threat modeling, secure code review, a working understanding of common vulnerability classes and, importantly, how to address them durably rather than symptomatically
  • A pragmatic, signal-oriented relationship with AI tooling: you reach for it where it genuinely sharpens your work, you’re skeptical where it doesn’t, and you’re thinking about what developer-side AI adoption means for how security risk compounds at scale

Nice to Have

  • Offensive security experience like bug bounty, CTF participation, redteam, or pentesting work
  • Experience building or contributing to SAST pipelines, custom static analysis rules, or automated security testing infrastructure
  • Prior experience at a startup or high-growth scaleup, where security programs aren’t fully pre-defined and priorities shift

Compensation

Base pay range: $231,900 – $318,250 per year

Skills

TypeScriptPythonThreat ModelingSecure Code ReviewStatic AnalysisSASTCustom LintersAutomated Security TestingPenetration TestingBug Bounty
OpenAI

Technical Abuse Investigator

OpenAISan Francisco, CA +1

Investigates and disrupts malicious use of OpenAI's AI platform using complex datasets and technical tools. Builds scalable solutions like SQL/Python pipelines to enhance team efficiency; requires 5+ years abuse investigation experience and technical projects.

230k – 425k/yr
Hybrid5+ YOESecurity Engineering
OpenAI

Software Engineer, Scaled Abuse

OpenAISan Francisco, CA

Build and operate backend and data systems for real-time fraud/abuse detection, investigation, and enforcement at OpenAI. Requires 5+ years backend engineering and 2+ years fraud/abuse experience.

230k – 385k/yr
On-site5+ YOESecurity Engineering
OpenAI

Software Engineer, Cyber Frontier

OpenAISan Francisco, CA

Build AI-powered security products and evaluation systems that help trusted defenders respond to cyber threats while ensuring responsible deployment of frontier AI models.

230k – 325k/yr
HybridSecurity Engineering
Anthropic

Technical Cyber Threat Investigator

AnthropicSan Francisco, CA +1

Investigates and disrupts misuse of AI systems for cyber threats like malware and influence operations. Develops detection techniques and intelligence reports, requiring proficiency in SQL, Python, and threat intelligence frameworks.

230k – 290k/yr
HybridSecurity Engineering
OpenAI

Security Engineer, Insider Threat Detection & Response

OpenAISan Francisco, CA

Security Engineer focused on insider threat detection and response, building automated detection workflows, tuning rules, and partnering on investigations for AI infrastructure. Requires 5+ years experience in detection/response, OS/cloud familiarity, and scripting proficiency.

230k – 385k/yr
On-site5+ YOESecurity Engineering