[Hiring] Senior AppSec Engineer @PrizePicks

Role Description

What you’ll do:

• Own the Pipeline: Support and optimize application security tooling (SAST, SCA, Secrets Detection) within our CI/CD pipelines to provide accurate, actionable, and prioritized alerts to devs.
• Be a Security Champion: Act as the primary security partner for Engineering and Product teams, ensuring security is baked in from the design phase through deployment.
• Threat Modeling: Lead collaborative threat modeling exercises to identify architectural risks before code is even written. Partner with penetration testing teams to translate these threats into targeted testing scenarios for high-risk functions.
• Code-Level Remediation: Don’t just tell devs what is wrong—show them how to fix it by performing deep-dive code reviews and providing actionable remediation guidance.
• Secrets Management: Help lead the charge in identifying and removing hard-coded secrets, moving the org toward more secure, automated secret management practices.
• Bug Bounty & Research: Help manage our bug bounty program by triaging submissions, working with researchers, and validating fixes with our engineers.
• Secure AI Integration: Serve as the security consultant for AI/ML initiatives. Partner with engineering to design secure "LLM-backed" features, focusing on prompt injection prevention, data privacy/sanitization, and secure integration of third-party AI APIs.
• Incident Response: Support the team during application-related security incidents, bringing your deep knowledge of code and logic to the table.
• Feature Validation: Perform security assessments on new features to help identify logic flaws that automated scanners might miss. Partner with our penetration testing team on high-risk releases to exchange knowledge and continuously sharpen your offensive security skillset.
• Strategic Communication: Translate technical vulnerabilities into business risk. You’ll be responsible for documenting and presenting findings in a way that is actionable for engineers and understandable for leadership.

Qualifications

• 3+ years of experience in software development, mobile development, or application security. You are comfortable reading unfamiliar code and can speak Developer fluently.
• CI/CD Pipeline Expertise: Hands-on experience integrating security tools (SAST, DAST, SCA, Secrets Detection) into automated workflows (e.g., GitHub Actions, GitLab CI, Jenkins). You know how to tune these tools to prevent alert fatigue.
• Deep knowledge of the OWASP Web Security Testing Guide (WSTG) and/or Mobile Application Security Testing Guide (MASTG) and the ability to think like a threat actor.
• Experience conducting Threat Modeling to catch flaws before they are built.
• Familiarity with the OWASP Top 10 for LLMs. You understand the unique risks of integrating AI into a production stack and can advise on how to build guardrails around model inputs and outputs.
• Experience supporting an Incident Response (IR) process, specifically providing the AppSec perspective to help scope an exploit and verify if a patch truly mitigates it.
• A deep understanding of how web applications work. You know your way around HTTP headers, JWTs, CORS, and auth flows, and you can validate them manually when the scanners fail.
• Proven ability to define risks in both technical and business terms.

Requirements

• 3+ years of professional experience in Software Development or Application Security.
• AppSec Tooling: Proven proficiency in deploying and tuning SAST, DAST, and SCA (e.g., Snyk, CodeQL, Dependabot, Mend, Wiz).
• Threat Modeling: Experience performing architectural threat models on products and services.
• CI/CD Automation: Strong experience building and maintaining security workflows in GitHub Actions.
• Cloud Native: Working knowledge of Kubernetes and containerized compute services.
• Security Testing: Comfortable using Burp Suite or Postman to manually validate logic flaws.

Benefits

• Company-subsidized medical, dental, & vision plans
• 401(k) plan with company match
• Annual bonus
• Flexible PTO to encourage a healthy work/life balance (2 weeks STRONGLY encouraged!)
• Generous paid leave programs, including 16-week paid parental leave and disability benefits
• Workplace flexibility and modern work schedules focused on getting the job done, not hours clocked
• Company-wide in-person events and team outings
• Lifestyle enhancement program
• Company equipment provided (Windows & Mac options)
• Annual performance reviews with opportunities for growth and career development