[Hiring] Principal Security Researcher @Spellbook
Salary cad 201,500 - 2..
Remote Location
Employment Type full-time
Posted 1wk ago

1wk ago - Spellbook is hiring a remote Principal Security Researcher. 💸 Salary: CAD 201,500 - 252,000 per year 📍 Location: Canada

Role Description

Legal teams worldwide trust Spellbook with their most sensitive data, and we're looking for a Principal Security Researcher to help us protect that trust at the source. You'll partner with the Director of Security & IT and work across the company to identify security risks, validate real-world impact, and reduce risk across Spellbook's products, infrastructure, AI workflows, and internal operations.

This is a senior individual contributor role with broad influence. You'll move between original security research on legal AI and LLM-enabled workflows, hands-on offensive testing, secure product development partnerships with R&D and Engineering, and program-level work that raises the maturity of how Spellbook approaches red teaming, threat modelling, bug bounty triage, and incident response.

Responsibilities

  • Identify security risks across the company and partner with the relevant teams to reduce them.
  • Lead active red teaming, application security testing, penetration testing, exploit validation, and adversarial analysis.
  • Conduct original security research on legal AI, LLM-enabled products, sensitive document workflows, prompt injection, data leakage, model misuse, and tool abuse.
  • Coordinate third-party penetration tests, red team exercises, audits, and other external security assessments.
  • Own external vulnerability reports: bug bounty submissions, responsible disclosure reports, researcher communications, triage, validation, prioritization, and remediation tracking.
  • Drive threat modelling and secure design reviews for new products, features, AI workflows, integrations, and infrastructure changes.
  • Partner with R&D and Engineering to surface trust boundaries, abuse cases, and data exposure risks early in development.
  • Support Security Operations during incident response by reproducing vulnerabilities, validating exploits, assessing impact, and recommending remediation.
  • Engage with frontier AI labs, external researchers, vendors, and the broader security community to stay current on AI safety and security developments.
  • Publish security research, advisories, technical writeups, blog posts, or conference talks where aligned with company priorities.
  • Define and improve repeatable processes for security research, testing, vulnerability management, and remediation across Spellbook.
  • Support with other responsibilities and projects as required.

Qualifications

  • Strong experience in application security, red teaming, penetration testing, vulnerability research, product security, or offensive security.
  • Hands-on experience testing modern web applications, APIs, authentication flows, authorization models, cloud services, and distributed systems.
  • Experience developing proof-of-concept exploits or clear technical demonstrations to validate security impact.
  • Firm grasp of common software security risks, secure design principles, identity and access controls, data protection, and secure development practices.
  • Experience partnering with engineering, product, or R&D teams to triage, prioritize, and remediate vulnerabilities end-to-end.
  • Excellent written and verbal communication skills, with the ability to write clear technical reports, executive summaries, remediation guidance, and public-facing research, and to explain trade-offs to engineers, PMs, and leadership.
  • Strong judgment around responsible disclosure, customer impact, confidentiality, and coordinated communication.
  • Pragmatic at distinguishing theoretical risk from practical risk, with the instinct to help teams focus on what matters most.
  • Comfortable operating with ambiguity and moving with urgency across hands-on testing, product security, incident support, and external coordination.
  • Track record of driving measurable risk reduction in a fast-moving technical environment.

Nice to Haves

  • Experience with AI security, LLM security, prompt injection, jailbreaks, agentic workflows, model abuse, or secure AI product development.
  • Experience in legaltech, fintech, healthtech, or another environment that handles highly sensitive customer data.
  • Experience managing or participating in bug bounty programs, responsible disclosure programs, or external researcher communities.
  • Experience publishing security research, speaking at conferences, or contributing to the broader security research community.
  • Familiarity with enterprise security expectations and compliance frameworks such as SOC 2, HIPAA, GDPR, or emerging AI governance frameworks.

Benefits

  • Embrace autonomy and accountability in a flexible work environment; we focus on outcomes and empower you to determine how to get the job done.
  • Access our company-paid group benefits for you and your family, with $1,000 towards mental health support.
  • Disconnect during our holiday closure and take advantage of our generous time off policies throughout the year.
  • Enjoy monthly paid meals, an annual wellness allowance to support your well-being and parental leave top-ups as your family grows.
  • Secure your stake in our success; you'll receive competitive stock option grants as a pivotal early employee.

Before You Apply

Be aware of the location restriction for this remote position: Canada