Principal Security Engineer @WebPT
Software Development
Salary unspecified
Remote Location
🇺🇸 USA Only
Job Type full-time
Posted 3d ago

[Hiring] Principal Security Engineer @WebPT

3d ago - WebPT is hiring a remote Principal Security Engineer. 💸 Salary: unspecified 📍Location: USA

Role Description

We are looking for a hands-on security leader and subject matter expert in application security and AI security, responsible for defining the architectural security goals and implementation strategy for WebPT’s cloud-native SaaS environments. This engineer serves as the security team’s technical anchor—performing deep dives into complex application and system designs, evaluating AI/ML platform risks, and translating security requirements into practical engineering guidance that enables the business rather than slowing it down.

Working closely with engineering leadership, product managers, and third-party development partners, this leader will be the voice of security in architecture reviews, design sessions, and vendor evaluations, ensuring that security and compliance are built in from the start.

What You’ll Be Doing As A Part of Our Team

  • Application Security Architecture
    • Lead application security architecture reviews for WebPT’s SaaS platforms, including new feature designs, third-party integrations, and major platform changes submitted through the change management process.
    • Own and facilitate threat modeling sessions with product and engineering stakeholders, translating findings into actionable developer guidance, architectural guardrails, and risk-accepted documentation.
    • Help define and evolve WebPT’s Secure Software Development Lifecycle (SDLC), embedding security checkpoints into GitLab CI/CD pipelines and development workflows without creating unnecessary friction.
    • Oversee application security testing tooling, triage findings by risk, and drive remediation with engineering teams—balancing thoroughness with the pace of a lean environment.
    • Serve as the internal authority on API security, secrets management, authentication and authorization patterns (OAuth 2.0, SAML, OIDC), and input validation across microservices and legacy systems.
  • AI Security & Governance
    • Serve as the primary security resource for AI/ML integration decisions, including agentic AI workflows, LLM-based features, ambient listening, and third-party AI platform technologies.
    • Define and maintain WebPT’s AI security standards and AI vendor risk assessment criteria, including evaluation of AI/ML platforms for HIPAA BAA compliance, data residency, prompt injection risk, and model confidentiality.
    • Partner with engineering and product to design security guardrails for AI feature development: input/output validation, audit logging, human-in-the-loop controls, and AI supply chain integrity.
    • Drive AI Shadow IT discovery and governance initiatives, analyzing telemetry from Wiz, CrowdStrike, and network/DNS sources to identify unauthorized AI tool usage across the environment.
    • Stay current with AI threat vectors and regulatory guidance (NIST AI RMF, OWASP LLM Top 10, HHS AI policy) and translate these into WebPT-specific controls and policy updates.
  • Cloud & Infrastructure Security
    • Partner with Cloud Operations to maintain and continuously improve WebPT’s security posture across cloud environments, leveraging Wiz for cloud security assessment and misconfiguration detection.
    • Provide security architecture input for infrastructure-as-code pipelines, container security, and CI/CD pipeline hardening in GitLab.
    • Contribute to vulnerability management strategy including EOL technology remediation, CVE triage, and risk-based prioritization in partnership with Cloud Operations and the broader security team.
    • Provide security guidance on WAF configuration (F5), network segmentation, and secrets management across the production environment.
  • Security Leadership & Cross-Functional Partnership
    • Participate actively in change management and security review processes, providing timely, risk-calibrated assessments and serving as a trusted partner to engineering—not a gatekeeper.
    • Mentor other engineers on the Security team, providing technical coaching on application security concepts, tool usage, and security investigation techniques.
    • Produce clear security architecture decision records, threat model summaries, risk assessments, and remediation roadmaps; evangelize secure development practices across the engineering organization.
    • Represent security in cross-functional forums with engineering, product, and operations leadership; translate complex security risks into business-relevant language for board- and investor-ready reporting.
    • Contribute to external penetration test scoping, coordination, and remediation, and support SOC 2 Type II and HIPAA compliance audit cycles as a technical subject matter expert.

Qualifications

  • 8+ years of progressive security engineering experience, including at least 4 years in a senior or principal application security or product security role.
  • Deep technical proficiency in OWASP Top 10, threat modeling, SAST/DAST tooling, secure code review, API security, and authentication/authorization patterns.
  • Demonstrated understanding of AI/ML security risks including prompt injection, model supply chain attacks, data leakage in LLM integrations, and agentic AI trust boundaries.
  • Hands-on experience securing cloud-native SaaS applications, preferably on AWS with containerized and Kubernetes workloads, IaC pipelines, and microservices architectures.
  • Proven experience evaluating third-party AI/ML platforms and vendors for security and compliance risk in HIPAA-regulated or similarly regulated environments.
  • Proven ability to operate independently in a fast-paced, lean environment and influence engineering outcomes without direct authority.
  • Excellent written and verbal communication skills; able to translate technical risk into business impact for executive and non-technical stakeholders.
  • Strong working knowledge of HIPAA Security Rule requirements as applied to a cloud SaaS architecture.

Ideally, You Would Also Have These

  • Bachelor’s degree in Computer Science, Information Security, or a related technical field.
  • One or more industry certifications: OSCP, CSSLP, AWS Security Specialty, CISSP, or equivalent security practitioner credential.
  • Familiarity with clinical documentation standards, EMR data sets, and the nuances of HIPAA compliance in a SaaS product context.
  • Hands-on experience with Wiz, CrowdStrike Falcon, Rapid7 InsightIDR/InsightVM, or comparable enterprise cloud and endpoint security platforms.
  • Exposure to agentic AI development frameworks and an understanding of how these architectures introduce novel security challenges.
  • Experience with GitLab CI/CD pipeline security, dependency scanning, and software supply chain security controls.
  • Familiarity with privileged access management solutions (Teleport, BeyondTrust, CyberArk) and certificate-based access control models.
  • Previous experience providing technical leadership in a hybrid internal/external team environment.

Culture is at our Core

  • Service: Create Raving Fans
  • Accountability: F Up; Own Up
  • Attitude: Possess True Grit
  • Personality: Be Minty
  • Work Ethic: Be Rock Solid
  • Community Outreach: Give Back
  • Health and Wellness: Live Better
  • Resource Efficiency: Do Más With Menos

About Us

Here, we work hard—but we have lots of fun doing it. We believe in equal opportunity for all, autonomy, trailblazing, and always doing right by our Members. Most importantly, though, we believe in empowering rehab therapy professionals to achieve greatness in practice. So, if you’re a can-do kinda person who loves to help Members win and enjoys working from just about anywhere—then you’ll fit right in. We’ve got big plans, but we can’t achieve them without you. Join us, and let’s achieve greatness.

Before You Apply
🇺🇸 Be aware of the location restriction for this remote position: USA Only
Beware of scams! When applying for jobs, you should NEVER have to pay anything. Learn more.