Interactive Brokers
Application Security Engineer
Neural analysis suggests this role is optimal for Mid+ candidates.
“Application Security Engineer at Interactive Brokers. Skills: Application security, DevSecOps, Security tooling, CI/CD security. Operate scanning platforms. Onboard new repositories”
Industry & Context.
Reason about exploitability; Reason about code
What They're Looking For.
Must Have
5-7 years application security, 5-7 years DevSecOps, 5-7 years security engineering, Foundational knowledge of web application vulnerabilities, Ability to reason about exploitability, Hands-on SAST platform experience, Experience integrating security tooling into CI/CD, Proficiency in scripting language, Experience with DAST tooling, Familiarity with SCA concepts, Ability to read and reason about code
Nice to Have
Development background, Background spans both sides of SDLC
What You'll Do.
Operate scanning platforms
Onboard new repositories
Maintain coverage metrics
Build CI/CD security gates
Enforce scan policies
Write custom detection rules
Prioritize scan findings
Distinguish true positives
Explain real-world impact
Build suppression workflows
Develop automation for findings
Integrate dynamic scanning
Partner on remediation
Provide exploit context
Tie third-party vulnerabilities
Contribute to security champions
Help developers understand
Run tooling evaluations
Drive buy vs build decisions
How You'll Work.
Team & Collaboration
Across engineering teams; With engineering teams; With developers
Full Job Description
About the Role
We are looking for an Application Security Engineer who lives at the intersection of security and engineering. This is not a policy role — you will be hands-on building, tuning, and scaling the security scanning infrastructure that protects our software delivery pipeline. You will own SAST, DAST, and SCA tooling end to end, drive false positive reduction, and embed security gates directly into CI/CD workflows across engineering teams. A deep understanding of how vulnerabilities actually work — not just what scanners report — is fundamental to success in this role.

The Problem We're Solving
We operate in a complex, regulated environment — multiple languages, layered network boundaries, and delivery velocity that cannot be sacrificed for security theater. We are building a scanning program that works in that reality. Tuned, automated, trusted — coverage that is measurable and findings that engineers actually act on. This role exists to solve that problem.

What You'll Do
- Own and operate static, dynamic, and software composition analysis scanning platforms across all engineering pipelines — onboarding new repositories, tuning rulesets, and maintaining coverage metrics
- Build and maintain CI/CD security gates that enforce scan policies at pull request, merge, and release stages across engineering workflows
- Write custom detection rules tailored to the organization's tech stack and threat model — covering vulnerability classes specific to the languages and frameworks in use
- Triage and prioritize scan findings with a deep understanding of actual exploitability — distinguish true positives from noise, explain the real-world impact of each finding, and build suppression workflows that reduce false positive rates without creating blind spots
- Develop automation to ticket, deduplicate, and route findings to the right engineering teams with enough context for developers to understand and act on them
- Integrate dynamic scanning into pre-production environments with au
How to Apply on Greenhouse
- Create a Greenhouse profile before applying — it saves time across multiple applications.
- Upload your resume as a PDF; the parser handles it better than Word.
- Answer all knockout questions carefully — wrong answers auto-reject before a human sees you.
- Enable email notifications to track application status in real time.