Jobs · Information Technology

Staff+ Application Security Engineer - M&A

Anthropic · San Francisco Bay Area · 3 days ago
RemoteRemoteInformation Technology$320k–$485k/yrFull-time

Key responsibilities

  • Lead pre-close security due diligence on prospective acquisitions — coordinate external penetration testing, threat-model the target's architecture, assess security controls, and deliver the security risk readout for leadership ahead of close and integration planning
  • Drive post-close security integration — stand up static and dynamic analysis coverage on acquired codebases, track high- and critical-severity remediation to closure, fold acquired assets into bug bounty scope, and onboard repositories to Anthropic's automated vulnerability remediation and reporting systems
  • Cook up adjacent security engineering teams (supply chain, cloud, corporate security, detection & response) on their portions of each integration
  • Across a wide set of stakeholders on every deal — corporate development, legal, security leadership, and the engineering teams inheriting acquired systems internally; engineering and security counterparts at the target company externally — translate between them and keep the security workstream legible to all of them
  • Formalize and scale Anthropic's M&A security playbook — risk-scoring model, diligence runbook, integration checklist — and turn as much of it as possible into Claude-powered tooling rather than manual process
  • Share the team's operational on-run rotation (bug bounty escalations, launch consults, incident response), swapping out during periods of active deal work
  • Contribute to core AppSec projects between deals — secure design reviews, threat modeling for agentic systems, and the team's security automation roadmap

Minimum Qualifications

  • Hands-on application and infrastructure security experience, including cloud and containerized environments
  • Demonstrated ability to rapidly assess an unfamiliar codebase or architecture and produce a clear, prioritized risk assessment for a non-security audience
  • Production-quality coding ability in at least one of Python, Go, Rust, or TypeScript
  • PRACTICAL threat-modeling and vulnerability-identification skills — you've found and reasoned about real bugs in real systems
  • Comfort operating with high autonomy, ambiguity, and tightly-held confidential context
  • CLEAR written and verbal communication across varied audiences — executives, legal and corporate development partners, and engineering counterparts at an acquired company

Preferred Qualifications

  • 7+ years in application security, security consulting, or security architecture
  • Prior M&A security due diligence, third-party security assessment, or technical due diligence experience
  • Experience standing up or scaling SAST/DAST, bug bounty, or vulnerability management coverage across multiple codebases
  • Track record of building security automation or tooling rather than relying solely on manual review
  • Familiarity with using LLMs as a core part of your security workflow
  • Experience securing agentic, code-execution, or LLM-integrated systems

Similar jobs