Staff+ Application Security Engineer - M&A
Anthropic · San Francisco Bay Area · 3 days ago
RemoteRemoteInformation Technology$320k–$485k/yrFull-time
Key responsibilities
- Lead pre-close security due diligence on prospective acquisitions — coordinate external penetration testing, threat-model the target's architecture, assess security controls, and deliver the security risk readout for leadership ahead of close and integration planning
- Drive post-close security integration — stand up static and dynamic analysis coverage on acquired codebases, track high- and critical-severity remediation to closure, fold acquired assets into bug bounty scope, and onboard repositories to Anthropic's automated vulnerability remediation and reporting systems
- Cook up adjacent security engineering teams (supply chain, cloud, corporate security, detection & response) on their portions of each integration
- Across a wide set of stakeholders on every deal — corporate development, legal, security leadership, and the engineering teams inheriting acquired systems internally; engineering and security counterparts at the target company externally — translate between them and keep the security workstream legible to all of them
- Formalize and scale Anthropic's M&A security playbook — risk-scoring model, diligence runbook, integration checklist — and turn as much of it as possible into Claude-powered tooling rather than manual process
- Share the team's operational on-run rotation (bug bounty escalations, launch consults, incident response), swapping out during periods of active deal work
- Contribute to core AppSec projects between deals — secure design reviews, threat modeling for agentic systems, and the team's security automation roadmap
Minimum Qualifications
- Hands-on application and infrastructure security experience, including cloud and containerized environments
- Demonstrated ability to rapidly assess an unfamiliar codebase or architecture and produce a clear, prioritized risk assessment for a non-security audience
- Production-quality coding ability in at least one of Python, Go, Rust, or TypeScript
- PRACTICAL threat-modeling and vulnerability-identification skills — you've found and reasoned about real bugs in real systems
- Comfort operating with high autonomy, ambiguity, and tightly-held confidential context
- CLEAR written and verbal communication across varied audiences — executives, legal and corporate development partners, and engineering counterparts at an acquired company
Preferred Qualifications
- 7+ years in application security, security consulting, or security architecture
- Prior M&A security due diligence, third-party security assessment, or technical due diligence experience
- Experience standing up or scaling SAST/DAST, bug bounty, or vulnerability management coverage across multiple codebases
- Track record of building security automation or tooling rather than relying solely on manual review
- Familiarity with using LLMs as a core part of your security workflow
- Experience securing agentic, code-execution, or LLM-integrated systems