Posted 27 May, 2026

Lead Application Security Engineer

InMobi
Bangalore, Karnataka, India Full Time
Reference: 102_709781_7616565

What does the team do?

This opportunity is part of the evolving cyber security group, which is laser-focused on setting industry benchmarks in managing and guarding against digital risks in a "Cloud Native - DevOps Only" AI environment. It is a lean, special-action group where every cyber sentinel gets an opportunity to work across domains and has the independence to challenge the status quo and evolve cyber practices to the next level of maturity. Our core competencies revolve around "Product & Platform Security", "Cloud Native Risk Management" and "Detection & Response".

What will you be doing?

Application Security Testing & DevSecOps

  • Perform application security testing across Web, API, Mobile (Android & iOS), TV and Cloud services, including vulnerability assessments and penetration testing.
  • Validate and triage security findings through exploit verification and risk-based severity assessment.
  • Own and operate CI/CD security controls, including SAST, DAST, SCA, secrets scanning, and IaC scanning.
  • Build and maintain security gates (e.g., Checkmarx or equivalent) with a focus on automation, accuracy, and developer usability.
  • Conduct manual security code reviews for APIs and services written in Java, Python, and Node.js.
  • Review application designs for authentication, authorization, data protection, and API security best practices.
  • Automate security workflows using scripts and APIs to standardize testing and reduce manual effort.
  • Partner with engineering teams to drive timely, risk-appropriate remediation and prevent repeat vulnerabilities.

AI / GenAI Security

  • Apply AI Secure SDLC practices for LLM-based features, including prompt design, tool/function usage, and safe integration patterns.
  • Assess and mitigate OWASP LLM Top 10 risks.
  • Review and maintain secure prompt templates, including system prompt hardening and context scoping.
  • Implement practical AI guardrails (output validation, policy checks, basic jailbreak and abuse detection).
  • Perform AI red teaming and adversarial testing using tools such as Garak, PyRIT, and custom test cases.
  • Review RAG implementations to ensure authorization-aware retrieval, tenant isolation, and reduced data leakage risk.
  • Identify and reduce sensitive data exposure risks in embeddings and ingestion pipelines.
  • Conduct AI-focused threat modeling using OWASP LLM Top 10, STRIDE, and MITRE ATLAS as reference frameworks.

What We're Looking For (Required)

  • Minimum 7 years of experience in Application Security, Penetration Testing, DevSecOps, or Security Engineering.
  • Proven hands-on ability with SAST/DAST/SCA, CI/CD security gates, and vulnerability triage/remediation workflows.
  • 2-3 years' experience building and managing security gating in Checkmarx (or equivalent).
  • 2-3 years' experience performing manual security code review (APIs/services; common languages: Java/Python/Node.js).
  • Familiarity with OAuth2, OIDC, JWT, mTLS, API gateways, and service-to-service identity.
  • Strong knowledge of the OWASP Mobile Top 10 and the OWASP Top 10 for LLM Applications.
  • Strong experience with common testing tools: Burp Suite, OWASP ZAP, SQLMap, Kali (and similar).
  • Scripting/automation skills using Python, plus Bash/PowerShell familiarity.
  • Working knowledge of Docker/Kubernetes, cloud-native patterns, and secrets management basics.
  • Solid communication skills: the ability to write clear findings, influence engineering decisions, and partner effectively.

AI-Specific Technical Skills (Expected Competency)

  • Hands-on familiarity with LLM integrations and Python AI ecosystems (e.g., LangChain / orchestration frameworks).
  • Understanding of RAG pipelines and vector database concepts (e.g., Pinecone, FAISS, Milvus or equivalent).
  • Ability to design/validate guardrails (policy allow/deny, jailbreak detection, output validation, safe tool calling).
  • Familiarity with AI security testing patterns (prompt injection testing, data leakage testing, agent/tool abuse testing).

Preferred / Nice-to-Have

  • Bug bounty / responsible disclosure recognition (Hall of Fame, awards).
  • Experience deploying and scaling open-source security tools in production.
  • Certifications: OSCP, OSCE, GWAPT, GPEN, CSSLP.
  • Any AI security-focused training (LLM security, RAG security, adversarial testing, ATLAS/LLM Top 10 programs).
