Application Security Engineer
About the role
Arcadia is seeking a technically hands-on Application Security Engineer to join the Information Security team. This individual will own the vulnerability management lifecycle across our SAST, DAST, and SCA tooling, integrate security automation into the CI/CD pipeline, perform threat modeling of product and engineering designs, and serve as a trusted advisor to our 300+ person engineering organization.
Responsibilities
- Own the end-to-end vulnerability management lifecycle: triage, prioritize, and drive remediation of findings from SAST, DAST, and SCA tooling in partnership with engineering squads.
- Maintain, optimize, and extend security tooling integrations within the CI/CD pipeline with the goal of automating everything that can be automated.
- Launch and run a Security Champions program, including workshops and office hours, to embed security knowledge directly into development teams across multiple geographies.
- Partner with Product and Engineering leadership to introduce security touchpoints earlier in the SDLC, including threat modeling and design review processes.
Requirements
- 3–5 years of dedicated Application Security experience in a SaaS or cloud-native environment.
- Hands-on proficiency with at least two of the following: SAST, DAST, SCA, or CSPM tooling (e.g., Snyk, Checkmarx, Semgrep, Wiz).
- Strong working knowledge of CI/CD pipelines (e.g., GitHub Actions, Jenkins, GitLab CI) and the ability to write and maintain pipeline integrations.
- Experience with container security (Docker, Kubernetes) and API security patterns (REST, GraphQL).
- Demonstrated ability to communicate technical risk to non-security engineers in a way that drives action, not anxiety.
Qualifications
- Experience standing up or maturing a Security Champions program.
- Familiarity with cloud-native AWS security services (GuardDuty, Security Hub, IAM Access Analyzer).
- Exposure to threat modeling frameworks (STRIDE, PASTA, or lightweight equivalents).
- Relevant certifications (OSCP, GWAPT, CSSLP) — valued but not required.
Skills
- Out-of-the-box thinking and diverse perspectives.
- Automate a finding rather than file a ticket.
- Explain a critical vulnerability to a junior developer without making them feel two inches tall.
Benefits
- Remote first culture - work anywhere in the US as long as you have a reliable internet connection.
- Flexible PTO - no accrued hours and no limit on the number of vacation days exempt employees can take each year.
- 12 annual holidays.
- 10 days sick leave.
- Up to 4 weeks bereavement leave.
- 2 volunteer days off.
- 2 professional development days off.
- 12 weeks paid parental leave for all parents.
- 75-95% employer cost coverage for medical, dental, and vision benefits for employees and dependents.
Pay
Target Annual Compensation Range for this role will be $131,250 to $235,156. There will also be a competitive benefits component to the package. The exact compensation at which this job is filled will be determined by the skills, experience, and location of the qualified candidate. Please note that we are unable to offer visa sponsorship for this position at this time.
Schedule
Remote first - work anywhere in the US as long as you have a reliable internet connection.