Senior Security Engineer - Application & Product Security

CaptivateIQ

💵 $154k-$184k
📍 Remote - Canada, United States

Summary

Join CaptivateIQ as a Senior Security Engineer and own the AppSec strategy, driving threat modeling, secure architecture design, and offensive security testing. You will lead penetration testing, manage AppSec tooling, and build developer enablement programs. Responsibilities include vulnerability management, incident response, ensuring compliance (SOC 2, ISO 27001), and contributing to customer security assessments. This role requires 7+ years of experience in security engineering, specializing in web application and product security, along with deep expertise in securing multi-tenant SaaS platforms. You will need strong communication skills and advanced experience in penetration testing and vulnerability assessments. The position offers a competitive salary and benefits package, including comprehensive health insurance, flexible vacation days, and a 401k plan.

Requirements

  • 7+ years of experience in a security engineer or related role, including 4+ years specializing in web application, API, and product security
  • Deep expertise securing multi-tenant SaaS platforms and features
  • Strong communication and ability to influence software engineers and product managers
  • Advanced experience conducting penetration tests, code reviews, and vulnerability assessments
  • Expert knowledge of OWASP Top 10, web application and API security, and common vulnerability classes with practical remediation strategies
  • Hands-on experience with AppSec tooling (SAST, DAST, SCA) integrated into CI/CD pipelines
  • Strong programming and scripting skills (Python preferred) and ability to influence secure coding practices
  • Proven ability to lead incident response for application-layer security events
  • Familiarity with compliance frameworks (SOC 2, ISO 27001) and secure SDLC practices
  • Knowledge of privacy-by-design principles and data security in SaaS environments
  • Awareness of emerging AI/ML security risks and related countermeasures

Responsibilities

  • Threat Modeling & Architecture Reviews: Mature and scale a modern threat modeling program across products and services. Enable secure-by-design architectures in collaboration with Engineering teams
  • Offensive Security Testing: Conduct penetration tests (white-box and black-box) for web applications and APIs. Perform dynamic (DAST), static (SAST), and software composition (SCA) analysis. Simulate adversary attack scenarios to validate controls and identify gaps
  • Secure SDLC Integration: Embed security into every stage of development; implement automated security tooling in CI/CD pipelines
  • Vulnerability Management: Triage and prioritize application-layer vulnerabilities and guide engineering teams through remediation
  • Developer Enablement: Deliver secure development and coding training; create resources to reduce recurring vulnerabilities
  • Bug Bounty Management: Oversee the Bug Bounty program, validate findings, and ensure timely resolution
  • Incident Response Leadership: Lead investigations for application-layer security incidents and conduct post-incident analysis
  • Compliance Enablement: Support audits, technical evidence collection, and control design for SOC 2, ISO 27001, and privacy-by-design requirements
  • Customer Trust: Contribute to customer security assessments, penetration test reports, and security documentation

Preferred Qualifications

  • Certifications such as OSCP, GCIH, GWAPT, or CISSP
  • Familiarity with security frameworks such as NIST CSF, MITRE ATT&CK, OWASP ASVS, or ISO 27001
  • Experience with commercial security tools such as EDR, SIEM, CSPM, CNAPP, vulnerability scanners, bug bounty platforms, WAFs, or compliance automation platforms
  • Prior experience driving security engineering for a SaaS-based company
  • Experience leveraging automation or AI/ML tools to improve secure development, detection, incident response, or code analysis workflows

Benefits

  • (US-ONLY) 100% of medical, dental, and vision covered including 75% for dependents
  • Flexible vacation days and quarterly mental health days so you can recharge
  • Enjoy a one-time expense on your 1-year work anniversary (to use for travel, home furnishings, fancy meal)
  • (US-ONLY) 401k plan to participate in and save towards the future
  • Newest Apple products to help you do your best work
  • Employee Resource Groups (ERGs) to support and celebrate the shared identities and life experiences of communities within CaptivateIQ. ERGs directly support our company-wide DEI goals as a space for developing and retaining diverse talent
