📐 About this role
WRITER is seeking an Application Security Engineer with deep expertise in AppSec, DevSecOps automation, and red team operations to secure our AI and AGI applications.
At WRITER, security is woven into the heart of our innovation. As we continue to push the boundaries of AI, we need a seasoned security engineer who can anticipate threats, integrate security into fast-moving development pipelines, and validate our defenses through hands-on testing.
You’ll play a pivotal role in building security directly into our CI/CD workflows, uncovering and exploiting vulnerabilities before attackers can, and collaborating with cross-functional partners to safeguard our cutting-edge AI solutions. This is a highly technical, impact-driven role for someone who thrives at the intersection of security engineering, automation, and offensive testing.
If you’re passionate about proactively securing complex applications—and can turn red team findings into real-world defenses—we want to hear from you.
Role Boundaries & Collaboration
What You Own (Responsible)
Build pipeline security (pre-deployment phase)
Security gates and checks in CI/CD
Application penetration testing
Container scanning in build phase
Application-layer vulnerability discovery
What You Don't Own (Others Lead)
Deployment pipeline security (Cloud/Infrastructure owns)
Infrastructure-as-code security (Cloud/Infrastructure owns)
Production runtime security (Cloud/Infrastructure owns)
AI model security research (AI Security owns)
Key Partnerships
With Cloud/Infrastructure: Clear handoff at build/deploy boundary. You secure the build; they secure the deploy
With AI Security: They provide threat models for AI-specific risks; you implement tests in CI/CD
With Detection & Response: You find vulnerabilities proactively; they detect attacks in production
🦸🏻♀️ Your responsibilities
Embed security in the build pipeline — Own pre-deployment application security, including automated vulnerability scanning, container scanning, and custom security gates in CI/CD.
Conduct advanced application penetration testing — Perform comprehensive testing on AI applications, APIs, and model endpoints, simulating adversarial attacks to validate controls.
Automate security testing at scale — Develop scripts, tools, and frameworks for continuous security assessment, including SAST, DAST, and SCA integration.
Lead application-layer red team exercises — Plan and execute engagements that mimic sophisticated adversary techniques targeting AI systems.
Hunt and validate vulnerabilities — Discover, reproduce, and chain vulnerabilities into realistic attack paths, providing actionable remediation guidance.
Advise on security architecture — Review designs for weaknesses, create secure patterns, and identify systemic issues across applications.
Collaborate across boundaries — Partner with Cloud/Infrastructure on deployment/runtime security, AI Security on threat modeling, and Detection & Response on defensive validation.
⭐️ Is this you?
Required Experience
8+ years in application security, with a strong focus on hands-on testing.
5+ years conducting penetration tests and security assessments.
Proven record of finding and exploiting critical vulnerabilities.
Deep experience integrating security into DevOps workflows and CI/CD pipelines.
Strong programming skills for exploit development and security automation.
Expertise in web application and API security, including cloud-native architectures.
Technical Expertise
Proficient with penetration testing tools (e.g., Burp Suite, OWASP ZAP, custom scripts).
Skilled in SAST, DAST, and SCA tools.
Strong understanding of application-layer attack techniques and exploitation.
Experience with supply chain security and build pipeline hardening.
Execution & Impact
Demonstrated ability to identify vulnerabilities others miss.
Proven track record of automating security testing in fast-paced development cycles.
Ability to translate red team findings into concrete defensive measures.
History of effective collaboration with engineering teams.
Preferred Qualifications
Background in software development or DevOps.
Experience testing AI/ML applications.
Security certifications such as OSCP, OSWE, or GWAPT.
Published security research or CVEs.
Experience with purple team operations.
🍩 Benefits & perks (US Full-time employees)
Generous PTO, plus company holidays
Medical, dental, and vision coverage for you and your family
Paid parental leave for all parents (12 weeks)
Fertility and family planning support
Early-detection cancer testing through Galleri
Flexible spending account and dependent FSA options
Health savings account for eligible plans with company contribution
Annual work-life stipends for:
Home office setup, cell phone, internet
Wellness stipend for gym, massage/chiropractor, personal training, etc.
Learning and development stipend
Company-wide off-sites and team off-sites
Competitive compensation, company stock options and 401k
WRITER is an equal-opportunity employer and is committed to diversity. We don't make hiring or employment decisions based on race, color, religion, creed, gender, national origin, age, disability, veteran status, marital status, pregnancy, sex, gender expression or identity, sexual orientation, citizenship, or any other basis protected by applicable local, state or federal law. Under the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.
By submitting your application on the application page, you acknowledge and agree to WRITER's Global Candidate Privacy Notice.
