Jobs · Engineering

Security Engineer 1, Application Security - Remote US

Trail of Bits · United States · 3 wk ago
RemoteRemoteEngineering$100k–$160k/yrFull-time

About the role

Trail of Bits seeks a Security Engineer 1 for our growing Software Assurance practice. You'll contribute to security assessments of client software, partnering with senior engineers, identifying vulnerabilities across the application and system level. You'll own pieces of client engagements, drive your own vulnerability analysis, and develop tools alongside the team.

Responsibilities

  • Security Assessment Ownership - Lead security assessments for specific components, modules, or systems within larger client engagements. Identify vulnerabilities, trace root causes, and own your analysis from discovery through client delivery.

  • Vulnerability Discovery and Analysis - Find and validate real vulnerabilities in application code and systems. Explain exploitation paths, assess impact, and develop proof-of-concept code when needed. You'll do the work, not just assist.

  • Custom Security Tooling - Design and build security testing tools and automation for vulnerability detection. Own tool development from concept through deployment on client projects.

  • Architecture and Threat Modeling - Conduct threat modeling and architecture reviews of software systems. Identify attack surfaces, data flows, and security boundaries. Propose concrete mitigations.

  • Client Communication - Translate technical findings into clear, actionable recommendations for engineering teams. Own client relationships for your component of the work.

  • Research and Innovation - Contribute to security research initiatives. Build tools, document findings, and stay on the cutting edge of vulnerability research and application security.

Requirements

  • Demonstrable vulnerability research capability - Proven ability to find and validate real vulnerabilities. This means: CTF wins, published CVEs, bug bounty finds, or security research that shows you can actually discover exploitable issues.
  • Strong code analysis skills - You can read complex code, trace execution, identify logic flaws, and explain why something is exploitable. You understand the difference between a tool flagging something and it actually being a vulnerability.
  • Hands-on coding proficiency - Fluent in at least two of: Rust, Go, C, C++, Python, JavaScript, TypeScript, or similar. You write code for security analysis and tool development, not just consume it.
  • Memory safety understanding - You understand memory corruption vulnerabilities (buffer overflows, use-after-free, etc.) and security mitigations (stack cookies, ASLR, NX/DEP, CFI, MTE etc.). You can reason about exploit primitives.
  • Systems knowledge - Deep familiarity with operating systems, IPC, privilege boundaries, and how applications interact with system internals. This isn't theoretical, you've worked with this stuff.
  • Autonomous problem-solving - You drive your own work. You own pieces of engagements. You ask good questions, debug issues, and reach conclusions without hand-holding.
  • Clear technical communication - You can explain complex security findings to engineers. Your reports get read because they're clear and actionable. You can defend your analysis.

Qualifications

  • You're 0-2 years into your security career, or you're coming from software engineering with a strong security foundation.
  • You have proven ability to find vulnerabilities and understand how systems break.
  • You're autonomous, you own your work, you drive your own analysis, and you don't need someone looking over your shoulder.
  • You should be capable of owning a piece of a security engagement and driving it to completion.

Skills

  • Active CTF participation - Current or recent CTF team participation, CTF wins, or rankings. Shows you can solve hard security problems under pressure.
  • Published vulnerability research - CVEs, bug bounties, responsible disclosures, or security writeups. Shows you've found real issues and validated them.
  • Open source security contributions - Tools, libraries, or research contributions to open source projects. Shows you can ship security work.
  • Mobile security experience - Android and iOS application security and system internals. Binary analysis on mobile platforms.
  • Published technical writing - Blog posts, security research writeups, conference talks, or technical documentation.
  • Cloud platform and infrastructure tools experience - AWS, GCP, or Azure security assessment and architecture review; experience with Kubernetes, Helm and IAAC tools (Terraform, Ansible).
  • Kernel or low-level development - Experience with kernel code, drivers, or system-level programming.

Benefits

Empowered Living: Competitive salary complemented by performance-based bonuses
Fully company-paid insurance packages, including health, dental, vision, disability, and life
A solid 401(k) plan with a 5% match of your base salary
20 days of paid vacation with flexibility for more, adhering to jurisdictional regulations
Nurturing New Beginnings: 4 months of parental leave to cherish the arrival of new family members
Work & Life Enrichment: $1,000 Working-from-Home stipend to create a comfortable and productive home office
Annual $750 Learning & Development stipend for continuous personal and professional growth
Company-sponsored all-team celebrations, including travel and accommodation, to foster community and recognize achievements
Community Impact: Philanthropic contribution matching up to $2,000 annually

Similar jobs