Lead Application Security Engineer
Responsibilities
- Own application security across Ivo's web app, API surface, and the systems behind them.
- Find and fix bugs. Hunt for vulnerabilities in our own product through hands-on testing, code review, and offensive-minded experimentation, and partner with engineers to ship the fix.
- Lead manual code review for security-sensitive changes: authentication, authorization, multi-tenancy, integrations, and customer data handling.
- Run threat modeling with engineering as new features and products are designed, across the full product surface including LLM and agent components.
- Manage our pen test program and ad-hoc engagements end to end. Scope work, manage vendors, triage findings, and drive remediation to closure with engineering.
- Run our responsible disclosure program, including researcher communications, validation, payments, and ongoing relationships with trusted external researchers.
- Build and maintain our application security tooling: SAST, DAST, SCA, secrets detection, and IaC scanning, with a strong bias toward signal over noise.
- Embed security into the SDLC: PR-time checks, security champions, design review gates, and secure-by-default patterns engineers actually want to use.
- Conduct deep reviews of identity and access surfaces (Firebase Auth, WorkOS, SSO, SAML, SCIM, RBAC) and partner with product on customer-facing security features.
- Investigate suspected security issues and lead application-layer incident response alongside engineering.
- Contribute application security input to enterprise security reviews, SOC 2 Type II, ISO 27001, ISO 42001, and customer-facing trust documentation.
- Mentor engineers on secure coding and be the go-to expert when teams have a security question.
Requirements
4+ years in application security, product security, or offensive security at a SaaS company, including time owning security for a production platform.
Strong hands-on web application pen testing skills. You can find real bugs in real code, not just run scanners.
Strong background in web application security: OWASP Top 10, auth and authorization design (OAuth, OIDC, SAML, SSO), multi-tenant isolation, and modern API security.
Practical experience with cloud security in GCP and Azure, plus container and Kubernetes security (AKS or similar).
Experience managing pen tests, bug bounty programs, or responsible disclosure programs end to end.
Track record of partnering with engineering rather than blocking them. You ship paved roads, not tickets.
Excellent written communication. You can write a Slack post that engineers actually want to read, a finding writeup that's genuinely actionable, and a security review that an enterprise prospect respects.
A strong internal sense of urgency and a bias toward shipping today rather than tomorrow.
Qualifications
Nice to Have:
- Experience securing AI / LLM features in production: prompt injection defenses, agent guardrails, and AI-specific threat modeling.
- CVE credit, published research, or contributions to open-source security tooling.
- Experience designing security as customer-facing product (SSO domain verification, SCIM, IP allowlisting, audit logging, RBAC).
- Background supporting enterprise customers in regulated industries.
Pay
$220,000 - $300,000 USD base range + equity
Schedule
Full-time, remote within the US