Security Engineer, Application Security

Owns application security by embedding review workflows in SDLC, building SAST/DAST pipelines in CI/CD, managing vulnerability remediation, and operating bug bounty programs. Requires 5+ years experience finding/fixing vulnerabilities, strong skills in Python/TypeScript/Go, and SAST/DAST tooling.

130k – 500k | San Francisco, CA | New York, NY | Security Engineering | Onsite | 5+ YOE

About the role

What You'll Build

  • Security review workflows embedded in the SDLC - PR-level analysis that catches auth bugs, injection flaws, and business logic errors before they ship
  • SAST/DAST pipelines integrated into CI/CD - shifting security left without slowing down deploys
  • Vulnerability management processes that prioritize by real exploitability, not CVSS score
  • Secure coding standards and guardrails that make the safe path the easy path for 50+ engineers
  • Threat models for new features and architecture changes - especially around AI data pipelines, payment flows, and multi-tenant boundaries
  • Bug bounty program operations - triaging HackerOne reports, validating findings, and driving fixes to closure

What We're Looking For

  • You've found and fixed real vulnerabilities in production applications - not just run scanners
  • Deep understanding of web application security: OWASP Top 10 is baseline, you think in terms of attack chains and business logic flaws
  • Strong in at least one of Python, TypeScript, or Go - you can read a PR and spot the auth bypass
  • Experience building or tuning SAST/DAST tooling (Semgrep, CodeQL, Snyk, Burp, or similar)
  • You understand modern web frameworks, APIs, and authentication patterns well enough to threat model them
  • Experience managing a vulnerability pipeline - from discovery through prioritization to verified remediation
  • 5+ years of professional experience in application security, security engineering, or software engineering with a strong security focus

Bonus Points

  • Experience running or triaging a bug bounty program (HackerOne, Bugcrowd)
  • Offensive security skills - you've done penetration testing and can think like an attacker
  • Experience securing AI/ML applications - model serving APIs, training data pipelines, prompt injection defense
  • Familiarity with supply chain security - dependency scanning, registry firewalls (Socket, Snyk)
  • You've built custom security tooling that a team still uses
  • Contributions to open source security projects or published vulnerability research

Skills

OWASP Top 10, Python, TypeScript, Go, Semgrep, CodeQL, Snyk, Burp, HackerOne, SAST, DAST, CI/CD

Security Engineer, Cloud Infrastructure

Designs and implements cloud security architectures including multi-account AWS isolation, Kubernetes hardening, and CSPM with Wiz for enterprise tenant separation. Requires 5+ years in cloud/infrastructure security, IaC expertise, and production experience.

130k – 500k | San Francisco, CA +1 | Security Engineering | Hybrid | 5+ YOE | AWS | Wiz

Threat Analyst

Analyzes software supply chain threats using AI scanners, conducts malware analysis and threat hunting, builds automation tools, and integrates research into products to protect open source ecosystems. Requires 3+ years in security operations and a master's degree.

126k – 170k | United States | Security Engineering | Remote | 3+ YOE | LLMs | GitHub

Infrastructure Security Engineer

Designs and implements security controls for cloud infrastructure, Kubernetes, and deployment systems. Partners with engineering teams to review architectures, automate preventative measures, and remediate vulnerabilities. Requires 3+ years experience, Bachelor's degree, and proficiency in AWS, IaC tools, and programming.

134k – 186k | United States | Security Engineering | Remote | 3+ YOE | Go | AWS

Cloud Security Engineer

Secures multi-cloud infrastructure (AWS, Azure, GCP, OCI) with emphasis on Kubernetes hardening, IAM enforcement, CSPM using Wiz, and IaC security. Requires 5+ years experience, deep AWS and Kubernetes security expertise.

125k – 160k | Sunnyvale, CA | Security Engineering | On-site | 5+ YOE | AWS | Wiz

Product Security Engineer

Embeds security into product design and development lifecycle by analyzing architectures, conducting threat modeling and assessments, maturing vulnerability management, and guiding developers on secure practices. Requires 5+ years in product/application security with expertise in cloud, containers, and automation tools.

125k – 160k | Sunnyvale, CA | Security Engineering | On-site | 5+ YOE | AWS | GCP