Skip to content
BraintrustBraintrustNew York, NY

Application Security Engineer

Application Security Engineer reviews code, builds threat models, owns security tooling, and leads AI/LLM-specific security initiatives like prompt injection defenses and sandboxing in a high-availability platform. Requires 5+ years experience and strong skills in TypeScript/Python/Go.

Salary not listed
On-site5+ YOESecurity Engineering

About the role

What you'll do

  • Drive secure design across the platform: lead threat models for new features, review architecture proposals, and partner with product and backend engineers to ship features that are secure by default
  • Review code across our TypeScript, Python, and Go services, our open source tracing libraries, and our model proxy — and find the bugs others miss
  • Build the paved road: authn/authz primitives, RBAC and tenancy isolation patterns, secret handling, safe data pipelines, and sandboxed code execution for user-supplied JavaScript and Python snippets
  • Own our SAST, DAST, SCA, and secret-scanning tooling end-to-end, keeping signal-to-noise high enough that engineers actually fix what you ship
  • Run our vulnerability management program and triage external bug bounty reports; close the loop with durable fixes, not point patches
  • Lead AI-specific security work: prompt injection defenses, model proxy abuse detection, agent and tool-use sandboxing, data-exfiltration controls in multimodal pipelines, and security for the eval workflows our customers run
  • Partner with our open source maintainers on the security of libraries that get embedded inside customer applications
  • Use agentic coding workflows to scale yourself: automated code review, exploit prototyping, control validation, and IR triage

Ideal candidate credentials

  • 5+ years in application security, product security, or backend engineering with a security focus — you've shipped real code and reviewed a lot of it
  • Strong code reading and writing skills in at least two of TypeScript/Node.js, Python, Go, or Rust
  • Deep knowledge of common web and API vulnerability classes and the architectural patterns that prevent them — not just OWASP Top 10 trivia
  • Track record of building secure-by-default libraries, frameworks, or services that other engineers actually adopt
  • Hands-on experience with authn/authz design, multi-tenant data isolation, and secrets/key management at scale
  • Comfortable with the realities of a high-availability data platform: real-time pipelines, ingestion at scale, semi-structured data, Postgres, Redis, AWS
  • A clear point of view on AI/LLM security — prompt injection, agent abuse, tool-use sandboxing, model proxy threats — and ideally hands-on experience defending against them
  • Daily user of agentic coding tools and excited to push the frontier of how AppSec gets done with them
  • Clear communicator who documents decisions, writes tickets engineers want to pick up, and lifts the team's security awareness without becoming a bottleneck

Bonus: prior experience with LLM red-teaming, agent sandbox research, or shipping security-focused open source libraries

Benefits

  • Medical, dental, and vision insurance
  • Daily lunch, snacks, and beverages
  • Flexible time off
  • Competitive salary and equity
  • AI Stipend

Skills

TypeScriptNode.jsPythonGoRustSASTDASTScaPostgresRedisAWSRBACOwaspPrompt Injection DefensesAgent Sandboxing
Forus

Security Program Manager

ForusNew York, NY

Own end-to-end compliance programs (SOC 2, HIPAA, HITRUST), build customer trust function, implement automation, and partner with engineering on controls for a healthcare AI platform handling protected health information.

Salary not listed
On-site4+ YOESecurity Engineering
Anthropic

Safeguards Enforcement Analyst, Account Takeover & Credential Abuse

AnthropicSan Francisco, CA +2

Safeguards Enforcement Analyst focused on account takeover and credential abuse. Investigate compromise incidents, design remediation workflows, partner with engineering on detection, enforce AI usage policies, and develop scalable enforcement programs for platform safety.

245k – 285k/yr
HybridSecurity Engineering
Zocdoc

Application Security Engineer

ZocdocUnited States

Application Security Engineer partnering with engineering teams to embed security into the SDLC, triage SAST/SCA findings, provide remediation guidance on OWASP issues, maintain security docs/playbooks, support governance/audits, and integrate GenAI tools while building AI governance guardrails.

100k – 140k/yr
RemoteSecurity Engineering
Cloudflare

Detection & Mitigation Engineer

CloudflareUnited States

Security Detections Engineer identifying attacker TTPs, building real-time detections, and mitigating threats/abuse across Cloudflare's global platform using data analysis, SQL, scripting, and threat intelligence. Requires strong analytical and communication skills.

Salary not listed
HybridSecurity Engineering
Mintlify

Security & Compliance Operations Manager

MintlifySan Francisco, CA

Own and run Mintlify's end-to-end security and compliance programs (SOC 2, ISO 27001/42001, GDPR, Microsoft SSPA) as the first dedicated GRC Program Manager. Administer Drata, manage audits/vendors/evidence, handle customer-facing compliance, and coordinate with engineering.

120k – 180k/yr
On-site3+ YOESecurity Engineering