# Security Engineer, Application Security
**Company:** [Mercor](https://hotfix.jobs/companies/mercor)
**Location:** San Francisco, CA, New York, NY
**Salary:** $130K-$500K
**Experience:** 5+ years
**Skills:** OWASP Top 10, Python, TypeScript, Go, Semgrep, CodeQL, Snyk, Burp, HackerOne, SAST, DAST, CI/CD
**Posted:** 2026-04-15
> Owns application security by embedding review workflows in SDLC, building SAST/DAST pipelines in CI/CD, managing vulnerability remediation, and operating bug bounty programs. Requires 5+ years experience finding/fixing vulnerabilities, strong skills in Python/TypeScript/Go, and SAST/DAST tooling.
## Job Description
## What You'll Build
- Security review workflows embedded in the SDLC - PR-level analysis that catches auth bugs, injection flaws, and business logic errors before they ship
- SAST/DAST pipelines integrated into CI/CD - shifting security left without slowing down deploys
- Vulnerability management processes that prioritize by real exploitability, not CVSS score
- Secure coding standards and guardrails that make the safe path the easy path for 50+ engineers
- Threat models for new features and architecture changes - especially around AI data pipelines, payment flows, and multi-tenant boundaries
- Bug bounty program operations - triaging HackerOne reports, validating findings, and driving fixes to closure

## What We're Looking For
- You've found and fixed real vulnerabilities in production applications - not just run scanners
- Deep understanding of web application security: **OWASP Top 10** is baseline, you think in terms of attack chains and business logic flaws
- Strong in at least one of **Python**, **TypeScript**, or **Go** - you can read a PR and spot the auth bypass
- Experience building or tuning SAST/DAST tooling (**Semgrep**, **CodeQL**, **Snyk**, **Burp**, or similar)
- You understand modern web frameworks, APIs, and authentication patterns well enough to threat model them
- Experience managing a vulnerability pipeline - from discovery through prioritization to verified remediation
- **5+ years** of professional experience in application security, security engineering, or software engineering with a strong security focus

**Bonus Points**
- Experience running or triaging a bug bounty program (**HackerOne**, **Bugcrowd**)
- Offensive security skills - you've done penetration testing and can think like an attacker
- Experience securing AI/ML applications - model serving APIs, training data pipelines, prompt injection defense
- Familiarity with supply chain security - dependency scanning, registry firewalls (**Socket**, **Snyk**)
- You've built custom security tooling that a team still uses
- Contributions to open source security projects or published vulnerability research

**Apply:** https://hotfix.jobs/jobs/security-engineer-application-security-at-mercor-f2d0e34d-91a7-4864-8672-e4a6901e3ca0
**Canonical:** https://hotfix.jobs/jobs/security-engineer-application-security-at-mercor-f2d0e34d-91a7-4864-8672-e4a6901e3ca0