Senior Security Engineer
Qualys · Foster City, CA · 1 wk ago
HybridResearchFull-time
Key Responsibilities
- Build and deploy GenAI applications using LangChain, LlamaIndex, or similar frameworks, and orchestrate agentic AI workflows with tools such as AutoGen, CrewAI, or custom agent-based architectures.
- Design, train, and evaluate ML models from scratch, spanning both classical ML and deep learning, and develop end-to-end pipelines for ingestion, preprocessing, training, evaluation, and deployment.
- Implement and optimize RAG pipelines using embeddings and vector databases (e.g., FAISS, Pinecone, Qdrant), with security and data-leakage controls built in from the start.
- Write robust backend APIs in Python to serve models, process data, and integrate with cloud infrastructure; monitor model performance, latency, and accuracy in production and iterate continuously.
- Conduct in-depth research on security vulnerabilities in LLMs and AI systems, including prompt injection, jailbreaks, data leakage, model theft, and adversarial attacks.
- Design and execute offensive security assessments and red teaming campaigns against GenAI and ML-powered systems, including the agentic pipelines built in-house.
- Identify and classify novel threat vectors targeting model inference, training pipelines, and model-serving architectures.
- Contribute to and build internal tooling for scanning, fuzzing, and automating LLM vulnerability discovery.
- Collaborate cross-functionally with product and engineering teams to design secure AI-powered features and define hardening strategies.
- Develop proof-of-concepts, technical whitepapers, or blog posts on emerging threats and best practices; monitor threat intelligence and academic research on AI model security and supply chain risks.
- Represent Qualys in security and AI research communities through speaking, publishing, or standardization efforts, and mentor engineers on secure AI development.
Required Qualifications
- 6+ years of combined experience across software engineering / machine learning and security research, penetration testing, or exploit development, with a focus on application or cloud security.
- Strong programming skills in Python, including building APIs and backend components, plus scripting and automation for testing and PoC development.
- Experience training ML models using Scikit-learn, TensorFlow, or PyTorch, and a strong working knowledge of LLM architectures (transformers, embeddings, fine-tuning, RAG).
- Hands-on experience with LangChain, LlamaIndex, or other GenAI frameworks, and with building multi-agent or autonomous AI workflows.
- Familiarity with GenAI-specific risks such as prompt injection, model evasion, hallucination-based exploits, data leakage, or model theft, and with LLM deployment scenarios (e.g., OpenAI, HuggingFace, custom-hosted models) and their threat surfaces.
- Ability to analyze logs, API interactions, inference responses, and prompt chains to identify anomalous or risky behavior.
- Working knowledge of SQL, Pandas, and large-scale data processing, with experience developing and deploying ML systems in Agile environments.
- Strong analytical mindset, excellent technical writing skills, and familiarity with responsible disclosure practices, bug bounty programs, or security research ethics.
Preferred Qualifications
- Background in AI/ML security red teaming or adversarial ML.
- Knowledge of vector database risks, insecure RAG pipelines, model fingerprinting, and AI model supply chain attacks.
- Experience using or contributing to tools such as AutoGen, CrewAI, MetaGPT, Guardrails.ai, LLM Guard, or Tracer.
- Familiarity with LLMs such as GPT-4, Claude, Mistral, LLaMA, or Falcon, and integrating them via APIs.
- Experience with cloud platforms (AWS, GCP, Azure), containerized deployments, and MLOps tooling for monitoring, retraining, and CI/CD automation.
- Familiarity with Secure SDLC and threat modeling frameworks (e.g., STRIDE, MITRE ATLAS) and AI-specific security checklists.
- Publications or presentations at conferences such as Black Hat, DEF CON, USENIX, NeurIPS, or OWASP, and contributions to AI/ML projects in security, compliance, or enterprise applications.