Senior Application Security Engineer

Job Description

About the Role

AlphaSense is investing in the next generation of our Application Security capability, a continuous, AI-augmented, layered defense program built for a SaaS engineering organization where AI agents and human developers ship code side by side at high velocity. As a Senior AI Application Security Engineer, you will be a senior individual contributor at the center of that program.

You will own the code and pull-request enforcement layer that every change flows through, whether authored by a human or an AI coding agent. You will define and harden the deterministic security gates that make AI-authored code auditably equivalent to human-authored code, and partner directly with engineering teams shipping AI-native and agentic features, including MCP integrations, AI coding assistants, and AI capabilities embedded in our research workflows, so those features are designed, built, and operated securely from the start.

This is a hands-on, build-it role. Not an auditor. Not a dashboard owner. We are looking for a security engineer who writes code, reads pull requests fluently across multiple languages, has personally shipped or integrated with agentic and MCP systems, and treats Application Security as a partnership with engineering rather than a gate to enforce.

You will report to the Director of Application Security within Product Security, and partner closely with our broader Security, Engineering, and GRC teams. This is a foundational hire with a clear path to Staff / Tech Lead as the team grows.

What You'll Own

Continuous Code & PR Security (primary ownership)

• Operate and continuously tune the SAST, SCA, secrets-detection, and SBOM pipeline.
• Design, ship, and harden the deterministic security gates that make AI-authored PRs auditably equivalent to human-authored ones.
• Review human-authored and agent-authored PRs, catching the semantic violations static analysis misses. Co-submit AI-generated patch proposals so human effort scales as review-and-merge, not authorship.
• Drive findings to closure at the class level, fix a token-handling bug once at the platform layer and watch it propagate.

Agentic & AI Security

• Own how we secure AI-assisted development: Claude Code, Cursor, Copilot, MCP servers, agent-authored PRs, sub-agents handling rebases and CI fixes.
• Author and roll out our AI-Assisted Development Security policy: prompt injection defense, MCP scope and credential governance, agent credential inheritance, secret leakage to agent logs, agent-action audit attribution.
• Partner with harness engineering on agent scope declarations, agent identity registration, and the verification hooks that distinguish agent-initiated actions from human-initiated ones in the audit stream.
• Threat model new AI features , agent gateway, MCP connector architecture, AI workflows in the research platform , and ship the controls.

Threat Modeling & Developer Enablement

• Scale the threat modeling framework. Pilot with the highest-risk teams, then make it standard for new features and architectural changes.
• Partner with the product security team to build a security training program engineers actually use: secure coding patterns, authentication and authorization fundamentals, prompt injection awareness, how to engage Product Security on a design.
• Embed testable security acceptance criteria, agent scope declarations, and verification hooks into the PRD template so services declare their security posture at design time.

Layered Security

• Continuous Security Testing is a five-layer model: Code (yours), Infrastructure & Contract, Behavioral Intelligence, Adversarial Simulation, and Data Segmentation. You won't operate all five, but you'll integrate tightly with the teams that do and ensure your Layer 1 signal is consumable by Layers 2-5 and by GRC for compliance evidence.

Detection-to-Response Velocity

• Drive MTTR on critical findings under 24 hours, finding precision above 95%, and recurring named classes trending to zero quarter over quarter.
• Support DAST deployment, the API pen test program, and the customer-facing security posture dashboard.
• Coordinate penetration testing, bug bounty intake, and partner threat-intel feeds , translating external attack-pattern disclosures into detections within days, not quarters.
• Act as the primary technical responder for application-layer incidents, agentic behavior anomalies, or third-party integration compromises; leading the forensic investigation, architectural containment, and post-incident hardening requirements.

What You Bring

Required

• 6+ years engineering experience, with 4+ in a dedicated AI Application Security / Product Security role at a SaaS or cloud-native company. Not a consulting / audit background.
• Development background , hands-on and recent. You write code, not just review it. You can read PRs fluently in at least two of Python, TypeScript / JavaScript, Java / Kotlin, or Go, and you are comfortable in Terraform, Helm, and Kubernetes manifests.
• Hands-on experience with agentic AI and MCP development. You have personally built with, integrated, or operated agentic tooling. Examples that qualify: built an MCP server; integrated Claude Code, Cursor, or Copilot into a real engineering workflow under governance; worked with autonomous coding agents or harnesses; built or hardened an agent gateway; shipped guardrails for prompt injection, jailbreak resistance, or output sanitization in production.
• Production operation of a SAST / SCA pipeline at scale , Snyk, Semgrep, GitHub Advanced Security, Checkmarx, Veracode, or equivalent , including rule authoring, false-positive tuning, and CI/CD integration.
• Demonstrated ownership of a threat modeling or developer security training program , founder or substantial contributor. You can describe the artifacts, the integration into the design process, and the metrics that proved it worked.
• Layered security thinking. Defense-in-depth across code, contract, behavior, simulation, and data. You can speak to how findings at one layer propagate to others, and how to design for compounding control rather than redundant control.
• Strong written communication. You author policy, guidance, runbooks, and PR comments that engineers read and act on.

Nice to Have

• Open-source contributions to a SAST / SCA tool, a security linter, an MCP server or framework, an agent harness, or a threat modeling tool.
• Experience shipping a deterministic compliance gate that an external auditor accepted as equivalent to human review.
• API security and DAST experience (Burp Suite, ZAP, Akto) and modern container / Kubernetes security (admission controllers, runtime protection, supply chain attestation).
• AWS security depth (IAM, KMS, GuardDuty, Security Hub, Organizations) and exposure to AI/ML production environments.
• Security partner on a customer-facing posture dashboard or DDQ response process, ideally in a regulated industry.
• Public writing or speaking on developer security, AI/agent security, or AppSec automation.
• Pre-IPO experience or familiarity with SOC 2 Type II, ISO 27001:2022, ISO 42001, SOX, GDPR.
• Certifications: OSWE, OSCP, CSSLP, AWS Security Specialty, or CISSP.

Why Join Us

• Foundational hire, not a backfill. You'll help define Application Security at AlphaSense at the moment AI-native development is being adopted across engineering.
• Genuinely novel scope. The intersection of agentic development, continuous compliance, and AI-native security , at production scale, not in a research lab.
• Build, ship, own. Real surfaces queued and waiting for an owner, not proposals to write.
• Senior IC role on a senior IC team. Small, growing AppSec function inside Product Security, with strong cross-functional partnerships. Reports to the Director of Application Security, with a clear path to Staff / Tech Lead.
• Remote-first, high autonomy, competitive compensation, performance bonus, equity, and benefits.