Staff+ Application Security Engineer - M&A
About the role
Lead pre-close security due diligence on prospective acquisitions — coordinate external penetration testing, threat-model the target's architecture, assess security controls, and deliver the security risk readout for leadership ahead of close and integration planning.
Drive post-close security integration — stand up static and dynamic analysis coverage on acquired codebases, track high- and critical-severity remediation to closure, fold acquired assets into bug bounty scope, and onboard repositories to Anthropic's automated vulnerability remediation and reporting systems.
Coverage of adjacent security engineering teams (supply chain, cloud, corporate security, detection & response) on their portions of each integration.
Across a wide set of stakeholders on every deal — corporate development, legal, security leadership, and the engineering teams inheriting acquired systems internally; engineering and security counterparts at the target company externally — translating between them and keeping the security workstream legible to all of them.
Formalize and scale Anthropic's M&A security playbook — risk-scoring model, diligence runbook, integration checklist — and turn as much of it as possible into Claude-powered tooling rather than manual process.
Contribute to core AppSec projects between deals — secure design reviews, threat modeling for agentic systems, and the team's security automation roadmap.
Responsibilities
- Lead pre-close security due diligence on prospective acquisitions — coordinate external penetration testing, threat-model the target's architecture, assess security controls, and deliver the security risk readout for leadership ahead of close and integration planning
- Drive post-close security integration — stand up static and dynamic analysis coverage on acquired codebases, track high- and critical-severity remediation to closure, fold acquired assets into bug bounty scope, and onboard repositories to Anthropic's automated vulnerability remediation and reporting systems
- Coverage of adjacent security engineering teams (supply chain, cloud, corporate security, detection & response) on their portions of each integration
- Across a wide set of stakeholders on every deal — corporate development, legal, security leadership, and the engineering teams inheriting acquired systems internally; engineering and security counterparts at the target company externally — translating between them and keeping the security workstream legible to all of them
- Formalize and scale Anthropic's M&A security playbook — risk-scoring model, diligence runbook, integration checklist — and turn as much of it as possible into Claude-powered tooling rather than manual process
- Contribute to core AppSec projects between deals — secure design reviews, threat modeling for agentic systems, and the team's security automation roadmap
Requirements
- Hands-on application and infrastructure security experience, including cloud and containerized environments
- Demonstrated ability to rapidly assess an unfamiliar codebase or architecture and produce a clear, prioritized risk assessment for a non-security audience
- Production-quality coding ability in at least one of Python, Go, Rust, or TypeScript
- PRACTICAL threat-modeling and vulnerability-identification skills — you've found and reasoned about real bugs in real systems
- Comfort operating with high autonomy, ambiguity, and tightly-held confidential context
- Clear written and verbal communication across varied audiences — executives, legal and corporate development partners, and engineering counterparts at an acquired company
Qualifications
- 7+ years in application security, security consulting, or security architecture
- Prior M&A security due diligence, third-party security assessment, or technical due diligence experience
- Experience standing up or scaling SAST/DAST, bug bounty, or vulnerability management coverage across multiple codebases
- Track record of building security automation or tooling rather than relying solely on manual review
- Familiarity with using LLMs as a core part of your security workflow
- Experience securing agentic, code-execution, or LLM-integrated systems
Skills
- Hands-on application and infrastructure security experience, including cloud and containerized environments
- Demonstrated ability to rapidly assess an unfamiliar codebase or architecture and produce a clear, prioritized risk assessment for a non-security audience
- Production-quality coding ability in at least one of Python, Go, Rust, or TypeScript
- PRACTICAL threat-modeling and vulnerability-identification skills — you've found and reasoned about real bugs in real systems
- Comfort operating with high autonomy, ambiguity, and tightly-held confidential context
- Clear written and verbal communication across varied audiences — executives, legal and corporate development partners, and engineering counterparts at an acquired company
- Experience securing agentic, code-execution, or LLM-integrated systems
Benefits
Annual Compensation Range: $320,000—$485,000 USD
Pay
Annual Salary: $320,000—$485,000 USD
Schedule
Location-based hybrid policy: Currently, we expect all staff to be in one of our offices at least 25% of the time. However, some roles may require more time in our offices.
Benefits
- Competitive compensation
- Optional equity donation matching
- Generous vacation and parental leave
- Flexible working hours
- A lovely office space in which to collaborate with colleagues
Guidance on Candidates' AI Usage
We believe that the highest-impact AI research will be big science. At Anthropic we work as a single cohesive team on just a few large-scale research efforts. And we value impact — advancing our long-term goals of steerable, trustworthy AI — rather than work on smaller and more specific puzzles. We view AI research as an empirical science, which has as much in common with physics and biology as with traditional efforts in computer science. We're an extremely collaborative group, and we host frequent research discussions to ensure that we are pursuing the highest-impact work at any given time. As such, we greatly value communication skills. The easiest way to understand our research directions is to read our recent research. This research continues many of the directions our team worked on prior to Anthropic, including: GPT-3, Circuit-Based Interpretability, Multimodal Neurons, Scaling Laws, AI & Compute, Concrete Problems in AI Safety, and Learning from Human Preferences. Come work with us!