Jobs · Information Technology · Washington

Staff+ Application Security Engineer

Anthropic · Seattle, WA · 2 wk ago
HybridInformation Technology$320k–$485k/yrFull-time

About the role

Anthropic's Application Security team secures the systems that build, serve, and increasingly are Claude. The attack surface is unlike most AppSec work: multi-agent orchestration, sandboxed code execution, agents holding delegated credentials, untrusted tool output crossing trust boundaries — problems with little prior art and no off-the-shelf playbook.

The way the team works is also different. We use Claude as our primary tool across every part of the job: it drives our static analysis, drafts and fixes vulnerabilities as pull requests, performs first-line bug bounty triage, and assists threat modeling for design reviews. The human work is the judgment layer — system-level reasoning, deciding what matters, and building the next thing the model can't do yet.

This is a builder's role on a senior team. We hire engineers who ship production systems and clear a hands-on threat-modeling bar — people who can find the vulnerability but would rather build the system that finds them all. Every engineer owns a system end-to-end, and the team's work has shaped customer-facing product security — including Claude Code's security review tooling, its security guidance plugin, sandboxing, and auto mode.

Key responsibilities

  • Design, build, and operate Claude-powered security systems — LLM-driven code analysis, automated vulnerability remediation, AI-assisted threat modeling — and own one or more of them end-to-end, including the cross-functional relationships that come with it
  • Lead secure design reviews and threat modeling for novel AI systems, identifying risks that don't map to existing frameworks
  • Evolve a public bug bounty program where automation handles routine triage and root-cause work, and engineers handle escalations and corner cases
  • Partner with Product, Infrastructure, and Research teams as an embedded security owner — consulting on launches, shaping architecture, and influencing decisions where security is the constraint
  • Share an operational on-run rotation with the rest of the team — bounty escalations, incident response, and launch consults on systems serving Claude in production

Minimum qualifications

  • Hands-on application and infrastructure security experience, including cloud and containerized environments
  • Production-quality coding ability in at least one of Python, Go, Rust, or TypeScript, with a track record of building durable systems rather than one-off scripts
  • PRACTICAL practical threat-modeling and vulnerability-identification skills — you've found and reasoned about real bugs in real systems, even if breaking isn't your primary mode
  • Demonstrated ability to operate with high autonomy and ambiguity — comfortable being handed a problem and a lot of latitude rather than a spec
  • CLEAR clear technical communication with both engineers and leadership

Preferred qualifications

  • 7+ years in application security, security engineering, or security-focused software engineering
  • Already use LLMs as a core part of how you work, with opinions about where they help and where they don't
  • Experience securing agentic, code-execution, or LLM-integrated systems specifically
  • Prior ownership of a bug bounty program, vulnerability disclosure program, or vulnerability-management infrastructure at scale
  • Background building security automation or developer-facing security tooling
  • Offensive security or penetration testing experience

Similar jobs