# Security Engineer, Application Security

**Company:** [Mercor](https://hotfix.jobs/companies/mercor)
**Location:** San Francisco, CA, New York, NY
**Role:** Security Engineering
**Salary:** $130k – $500k/yr
**Experience:** 5+ years
**Skills:** Owasp Top 10, Python, TypeScript, Go, Semgrep, Codeql, Snyk, Burp, Hackerone, SAST, DAST, CI/CD
**Posted:** 2026-04-15

> Owns application security by embedding review workflows in SDLC, building SAST/DAST pipelines in CI/CD, managing vulnerability remediation, and operating bug bounty programs. Requires 5+ years experience finding/fixing vulnerabilities, strong skills in Python/TypeScript/Go, and SAST/DAST tooling.

## Job Description

## What You'll Build
- Security review workflows embedded in the SDLC - PR-level analysis that catches auth bugs, injection flaws, and business logic errors before they ship
- SAST/DAST pipelines integrated into CI/CD - shifting security left without slowing down deploys
- Vulnerability management processes that prioritize by real exploitability, not CVSS score
- Secure coding standards and guardrails that make the safe path the easy path for 50+ engineers
- Threat models for new features and architecture changes - especially around AI data pipelines, payment flows, and multi-tenant boundaries
- Bug bounty program operations - triaging HackerOne reports, validating findings, and driving fixes to closure

## What We're Looking For
- You've found and fixed real vulnerabilities in production applications - not just run scanners
- Deep understanding of web application security: **OWASP Top 10** is baseline, you think in terms of attack chains and business logic flaws
- Strong in at least one of **Python**, **TypeScript**, or **Go** - you can read a PR and spot the auth bypass
- Experience building or tuning SAST/DAST tooling (**Semgrep**, **CodeQL**, **Snyk**, **Burp**, or similar)
- You understand modern web frameworks, APIs, and authentication patterns well enough to threat model them
- Experience managing a vulnerability pipeline - from discovery through prioritization to verified remediation
- **5+ years** of professional experience in application security, security engineering, or software engineering with a strong security focus

**Bonus Points**
- Experience running or triaging a bug bounty program (**HackerOne**, **Bugcrowd**)
- Offensive security skills - you've done penetration testing and can think like an attacker
- Experience securing AI/ML applications - model serving APIs, training data pipelines, prompt injection defense
- Familiarity with supply chain security - dependency scanning, registry firewalls (**Socket**, **Snyk**)
- You've built custom security tooling that a team still uses
- Contributions to open source security projects or published vulnerability research

## Similar roles

- [GRC Engineer](https://hotfix.jobs/jobs/74fe741b-d4b0-4bf7-a4cf-e46547a0f775) - NinjaTrader - Chicago, IL - $130k – $145k/yr
- [Security Engineer, Cloud Infrastructure](https://hotfix.jobs/jobs/b0117560-de94-4dc1-ba75-291e6344ef60) - Mercor - San Francisco, CA - $130k – $500k/yr
- [Threat Analyst](https://hotfix.jobs/jobs/4b2b74c9-ad53-4093-b1b0-636a8b41216c) - Socket - Remote - $126k – $170k/yr
- [Infrastructure Security Engineer](https://hotfix.jobs/jobs/2c4da5b3-0e94-43e0-8601-ccdf1caa3a8b) - Upstart - Remote - $134k – $186k/yr
- [Product Security Engineer](https://hotfix.jobs/jobs/9d882237-2bab-40b2-ac5d-126cebd6af93) - Applied Intuition - Sunnyvale, CA - $125k – $160k/yr

**Apply:** https://hotfix.jobs/jobs/f2d0e34d-91a7-4864-8672-e4a6901e3ca0
**Canonical:** https://hotfix.jobs/jobs/f2d0e34d-91a7-4864-8672-e4a6901e3ca0