Security engineer, application security

📐 About this role

WRITER is seeking an Application Security Engineer with deep expertise in AppSec, DevSecOps automation, and red team operations to secure our AI and AGI applications.

At WRITER, security is woven into the heart of our innovation. As we continue to push the boundaries of AI, we need a seasoned security engineer who can anticipate threats, integrate security into fastmoving development pipelines, and validate our defenses through handson testing.

You’ll play a pivotal role in building security directly into our CICD workflows, uncovering and exploiting vulnerabilities before attackers can, and collaborating with crossfunctional partners to safeguard our cuttingedge AI solutions. This is a highly technical, impactdriven role for someone who thrives at the intersection of security engineering, automation, and offensive testing.

If you’re passionate about proactively securing complex applications—and can turn red team findings into realworld defenses—we want to hear from you.

Role Boundaries & Collaboration

What You Own (Responsible)

• Build pipeline security (predeployment phase)

• Security gates and checks in CICD

• Application penetration testing

• Container scanning in build phase

• Applicationlayer vulnerability discovery

• What You Dont Own (Others Lead)

  • Deployment pipeline security (CloudInfrastructure owns)

  • Infrastructureascode security (CloudInfrastructure owns)

  • Production runtime security (CloudInfrastructure owns)

  • AI model security research (AI Security owns)

  • Key Partnerships

    • With CloudInfrastructure: Clear handoff at builddeploy boundary. You secure the build; they secure the deploy

    • With AI Security: They provide threat models for AIspecific risks; you implement tests in CICD

    • With Detection & Response: You find vulnerabilities proactively; they detect attacks in production

    • 🦸🏻‍♀️ Your responsibilities

      • Embed security in the build pipeline — Own predeployment application security, including automated vulnerability scanning, container scanning, and custom security gates in CICD.

      • Conduct advanced application penetration testing — Perform comprehensive testing on AI applications, APIs, and model endpoints, simulating adversarial attacks to validate controls.

      • Automate security testing at scale — Develop scripts, tools, and frameworks for continuous security assessment, including SAST, DAST, and SCA integration.

      • Lead applicationlayer red team exercises — Plan and execute engagements that mimic sophisticated adversary techniques targeting AI systems.

      • Hunt and validate vulnerabilities — Discover, reproduce, and chain vulnerabilities into realistic attack paths, providing actionable remediation guidance.

      • Advise on security architecture — Review designs for weaknesses, create secure patterns, and identify systemic issues across applications.

      • Collaborate across boundaries — Partner with CloudInfrastructure on deploymentruntime security, AI Security on threat modeling, and Detection & Response on defensive validation.

      • ⭐️ Is this you?

        Required Experience

        • 8+ years in application security, with a strong focus on handson testing.

        • 5+ years conducting penetration tests and security assessments.

        • Proven record of finding and exploiting critical vulnerabilities.

        • Deep experience integrating security into DevOps workflows and CICD pipelines.

        • Strong programming skills for exploit development and security automation.

        • Expertise in web application and API security, including cloudnative architectures.

        • Technical Expertise

          • Proficient with penetration testing tools (e.g., Burp Suite, OWASP ZAP, custom scripts).

          • Skilled in SAST, DAST, and SCA tools.

          • Strong understanding of applicationlayer attack techniques and exploitation.

          • Experience with supply chain security and build pipeline hardening.

          • Execution & Impact

            • Demonstrated ability to identify vulnerabilities others miss.

            • Proven track record of automating security testing in fastpaced development cycles.

            • Ability to translate red team findings into concrete defensive measures.

            • History of effective collaboration with engineering teams.

            • Preferred Qualifications

              • Background in software development or DevOps.

              • Experience testing AIML applications.

              • Security certifications such as OSCP, OSWE, or GWAPT.

              • Published security research or CVEs.

              • Experience with purple team operations.

              • 
                🍩 Benefits & perks (US Fulltime employees)

                • Generous PTO, plus company holidays

                • Medical, dental, and vision coverage for you and your family

                • Paid parental leave for all parents (12 weeks)

                • Fertility and family planning support

                • Earlydetection cancer testing through Galleri

                • Flexible spending account and dependent FSA options

                • Health savings account for eligible plans with company contribution

                • Annual worklife stipends for:

                  • Home office setup, cell phone, internet

                  • Wellness stipend for gym, massagechiropractor, personal training, etc.

                  • Learning and development stipend

                  • • Companywide offsites and team offsites

                    • Competitive compensation, company stock options and 401k

                    • WRITER is an equalopportunity employer and is committed to diversity. We dont make hiring or employment decisions based on race, color, religion, creed, gender, national origin, age, disability, veteran status, marital status, pregnancy, sex, gender expression or identity, sexual orientation, citizenship, or any other basis protected by applicable local, state or federal law. Under the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

                      By submitting your application on the application page, you acknowledge and agree to WRITERs Global Candidate Privacy Notice.