Security engineer, application security (San Francisco)

About this role

WRITER is seeking an Application Security Engineer with deep expertise in AppSec, DevSecOps automation, and red team operations to secure our AI and AGI applications.

At WRITER, security is woven into the heart of our innovation. As we continue to push the boundaries of AI, we need a seasoned security engineer who can anticipate threats, integrate security into fast-moving development pipelines, and validate our defenses through hands-on testing.

Youll play a pivotal role in building security directly into our CI/CD workflows, uncovering and exploiting vulnerabilities before attackers can, and collaborating with cross-functional partners to safeguard our cutting-edge AI solutions. This is a highly technical, impact-driven role for someone who thrives at the intersection of security engineering, automation, and offensive testing.

If youre passionate about proactively securing complex applicationsand can turn red team findings into real-world defenseswe want to hear from you.

Role Boundaries & Collaboration

What You Own (Responsible)

• Build pipeline security (pre-deployment phase)

• Security gates and checks in CI/CD

• Application penetration testing

• Container scanning in build phase

• Application-layer vulnerability discovery

What You Don't Own (Others Lead)

• Deployment pipeline security (Cloud/Infrastructure owns)

• Infrastructure-as-code security (Cloud/Infrastructure owns)

• Production runtime security (Cloud/Infrastructure owns)

• AI model security research (AI Security owns)

Key Partnerships

• With Cloud/Infrastructure : Clear handoff at build/deploy boundary. You secure the build; they secure the deploy

• With AI Security : They provide threat models for AI-specific risks; you implement tests in CI/CD

• With Detection & Response : You find vulnerabilities proactively; they detect attacks in production

???? Your responsibilities

• Embed security in the build pipeline Own pre-deployment application security, including automated vulnerability scanning, container scanning, and custom security gates in CI/CD.

• Conduct advanced application penetration testing Perform comprehensive testing on AI applications, APIs, and model endpoints, simulating adversarial attacks to validate controls.

• Automate security testing at scale Develop scripts, tools, and frameworks for continuous security assessment, including SAST, DAST, and SCA integration.

• Lead application-layer red team exercises Plan and execute engagements that mimic sophisticated adversary techniques targeting AI systems.

• Hunt and validate vulnerabilities Discover, reproduce, and chain vulnerabilities into realistic attack paths, providing actionable remediation guidance.

• Advise on security architecture Review designs for weaknesses, create secure patterns, and identify systemic issues across applications.

• Collaborate across boundaries Partner with Cloud/Infrastructure on deployment/runtime security, AI Security on threat modeling, and Detection & Response on defensive validation.

Is this you?

Required Experience

• 8+ years in application security, with a strong focus on hands-on testing.

• 5+ years conducting penetration tests and security assessments.

• Proven record of finding and exploiting critical vulnerabilities.

• Deep experience integrating security into DevOps workflows and CI/CD pipelines.

• Strong programming skills for exploit development and security automation.

• Expertise in web application and API security, including cloud-native architectures.

Technical Expertise

• Proficient with penetration testing tools (e.g., Burp Suite, OWASP ZAP, custom scripts).

• Skilled in SAST, DAST, and SCA tools.

• Strong understanding of application-layer attack techniques and exploitation.

• Experience with supply chain security and build pipeline hardening.

Execution & Impact

• Demonstrated ability to identify vulnerabilities others miss.

• Proven track record of automating security testing in fast-paced development cycles.

• Ability to translate red team findings into concrete defensive measures.

• History of effective collaboration with engineering teams.

Preferred Qualifications

• Background in software development or DevOps.

• Experience testing AI/ML applications.

• Security certifications such as OSCP, OSWE, or GWAPT.

• Published security research or CVEs.

• Experience with purple team operations.

Benefits & perks (US Full-time employees)

• Generous PTO, plus company holidays

• Medical, dental, and vision coverage for you and your family

• Paid parental leave for all parents (12 weeks)

• Fertility and family planning support

• Early-detection cancer testing through Galleri

• Flexible spending account and dependent FSA options

• Health savings account for eligible plans with company contribution

• Annual work-life stipends for:

  • Home office setup, cell phone, internet

  • Wellness stipend for gym, massage/chiropractor, personal training, etc.

  • Learning and development stipend

• Company-wide off-sites and team off-sites

• Competitive compensation, company stock options and 401k

WRITER is an equal-opportunity employer and is committed to diversity. We don't make hiring or employment decisions based on race, color, religion, creed, gender, national origin, age, disability, veteran status, marital status, pregnancy, sex, gender expression or identity, sexual orientation, citizenship, or any other basis protected by applicable local, state or federal law. Under the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

By submitting your application on the application page, you acknowledge and agree to WRITER's Global Candidate Privacy Notice .