Mid-level AppSec Vulnerability Management Engineer who identifies application vulnerabilities, manages SBOM and supply chain security, and drives compliance tracking for SOC 2, ISO 27001, and PCI-DSS. Requires 5+ years in AppSec/DevSecOps with strong coding skills in JS/TS, Python, and Go.
210k – 270k/yr
Hybrid5+ YOESecurity Engineering
About the role
What You'll Do
Core Responsibilities
Vulnerability Scanning & Triage: Perform periodic application security scanning activities. Review results and prioritize flaws based on CVSS scores, real-world exploitability, and system exposure.
Compliance-Driven Tracking: Track, document, and manage vulnerabilities according to strict compliance SLAs (e.g., SOC 2, ISO 27001, PCI-DSS). Maintain audit-ready evidence of remediation timelines and exception approvals.
Executive Reporting & Alerting: Escalate and report critical exposures directly to the CISO and senior leadership. Maintain dashboards and alerting mechanisms that visualize vulnerability status, risk trends, and compliance posture.
Software Supply Chain Security: Ownership of the organization's Software Bill of Materials (SBOM). Continually update SBOM inventories to ensure compliance with modern regulatory requirements and dependency tracking. Help Replit mature through various SLSA levels for supply chain security.
Remediation Collaboration: Partner with development teams to provide clear mitigation paths. Review, write, and patch code directly when necessary to resolve security flaws.
Tooling Integration: Configure and tune automated security testing tools within CI/CD pipelines to reduce false positives for engineering teams.
Incident Response Support: Assist Incident Response teams during active breaches or security incidents. Help develop and implement immediate, real-time code or infrastructure countermeasures.
Required Skills & Experience
5 years of experience in Application Security, DevSecOps, or Software Engineering roles.
Solid foundational experience working in a software development capacity.
Ability to read, understand, and safely patch security flaws in JavaScript/TypeScript, Python, and Go.
Strong familiarity with build systems, package managers, and compilation workflows across multiple languages and frameworks.
Hands-on experience operating SAST, SCA, and Secret Scanning tools (such as Snyk, Socket, Wiz Code, Semgrep, or Checkmarx).
Understanding of how vulnerability management maps to security compliance frameworks like SOC 2, ISO 27001, or NIST.
What We Value
Systems Thinking: The ability to see the "big picture" and understand how security decisions impact the entire stack.
Technical Influence: The ability to drive technical alignment across the organization through expertise and collaboration rather than direct authority.
Autonomy: Comfortable leading major technical initiatives and driving outcomes with minimal oversight.
Problem-Solving Mindset: A passion for breaking down complex security challenges into elegant, scalable engineering solutions.
Mid-level Infrastructure Vulnerability Management Engineer responsible for cloud security posture, IaC scanning, container vulnerability management, and compliance tracking across multi-cloud environments. Requires 5+ years in cloud security/DevSecOps with deep GCP expertise.
210k – 270k/yr
Hybrid5+ YOESecurity Engineering
Software Engineer - Security
PerplexitySan Francisco, CA
Builds security tools, automations, and AI agents to enhance detection, response, vulnerability management, and overall security posture. Requires 4+ years experience in software engineering with security focus, proficiency in Python/Go/TypeScript, and familiarity with SIEM/EDR/cloud systems.
210k – 385k/yr
On-site4+ YOESecurity Engineering
Security Engineer, Cloud
RampNew York, NY +1
Build and enhance cloud security infrastructure, drive security roadmap, remediate issues, and partner with teams for secure deployments. Requires 5+ years software experience, 3+ years AWS with Terraform.
211k – 291k/yr
Hybrid5+ YOESecurity Engineering
Model Policy Manager
OpenAISan Francisco, CA
Defines and maintains policies for AI model behavior in high-risk domains like agentic systems and user safety. Collaborates with research, engineering, and product teams to operationalize policies into measurable safeguards using empirical data and red-teaming.
207k – 295k/yr
HybridSecurity Engineering
Model Policy, Frontier Cyber Risk
OpenAISan Francisco, CA
Develops and maintains AI model policies for high-risk cybersecurity domains, translating threat models into behavioral specifications, evaluations, and mitigations. Collaborates with research, engineering, and safety teams to ensure technically grounded, enforceable safeguards against dual-use risks.