[Hiring] Senior Application Security Engineer @Qualia

Role Description

We're hiring a Senior Application Security Engineer to join a small, high-leverage AppSec team. This is a deep-technical IC role with a staff-leaning scope:

• Set the technical direction and own delivery on how we find, fix, and prevent vulnerabilities across Qualia's products and cloud infrastructure.
• Be the person other engineers want in the room when an architecture decision has a security dimension.
• Partner daily with product engineering, infrastructure, and platform teams.
• Work closely alongside existing AppSec engineers, raising the technical bar of the team while staying deeply hands-on with code, tooling, and adversarial testing.

Responsibilities

• Run offensive assessments against Qualia's applications and infrastructure: manual penetration testing, exploit development, authenticated web/API testing, and adversarial review of new designs before they ship.
• Lead threat modeling and secure design review for the highest-risk initiatives across the company, and mentor engineers to do the same for their own work.
• Own and evolve our AppSec tooling stack end-to-end - SAST, DAST, SCA, secret scanning, IaC scanning, and the CI/CD gates that tie them together.
• Build the custom rules, detections, and automation that generic tooling doesn't provide.
• Harden our cloud posture: review AWS configurations, IAM policies, Kubernetes/EKS workloads, and networking boundaries.
• Build automation and guardrails that prevent the same class of issue from recurring.
• Reduce toil for the team - write the tools, scripts, and integrations that turn a day of triage into a few minutes.
• Partner with Infrastructure and Platform on detection engineering, incident response support, and cross-cutting programs (secrets management, supply chain, runtime security).
• Set the technical bar for the AppSec team: raise the quality of reviews, establish patterns others can reuse, and mentor peers across seniority levels.
• Represent AppSec in architectural reviews, vendor evaluations, and compliance efforts.

Qualifications

• 8+ years of hands-on experience in application security, offensive security, or security engineering.
• Demonstrable depth in at least two of: offensive testing, security tooling/automation, and cloud/infra security.
• Strong offensive skills - able to manually exploit real web and API vulnerabilities beyond what a scanner will find.
• Deep familiarity with building and operating security tooling in a modern engineering organization.
• Production experience with AWS (IAM, VPC, networking, data services), containerized workloads (Docker, Kubernetes/EKS), and infrastructure-as-code (Terraform or similar).
• Comfort reading, reviewing, and contributing code in at least one language common to modern web stacks (Python, Go, Ruby, TypeScript, or similar).
• Clear, direct communication style.
• Strong partnership instincts - leverage by making other teams faster, not by blocking them.

Nice to Have

• Experience in fintech, proptech, healthcare, or another regulated industry where data sensitivity is high.
• Background meaningfully contributing to a bug bounty program.
• Experience with identity and access systems (OIDC, SAML, federation, fine-grained authorization).
• Detection engineering, DFIR, or red-team experience.
• Open source contributions to security tooling, published research, or CVE credits.
• Relevant certifications (OSCP, OSWE, GWAPT, GPEN, etc.) - valued but not required.

Benefits

• Base annual salary of $180,000-$210,000 plus a competitive equity and benefits package.
• Comprehensive health plans.
• 401k program and commuter benefits.
• Professional development and parental leave.
• Flexible time off policy.
• Robust online onboarding program to train new hires.
• Biweekly all hands meetings and a variety of internal virtual events.