Senior Security Engineer II, Application Security (Remote Eligible)

Job Description

AI is changing what application security can accomplish. We're not just securing AI; we're using it as a force multiplier to see more risk, act faster, and scale security across a platform used by millions of customers globally. We're looking for a Senior Security Engineer II to join our Application Security team who can do both: bring deep expertise in securing AI-integrated systems, and deploy AI and automation to drive risk visibility and reduction at a scale no traditional security program can match on its own.

This is a high-ownership, technically demanding role for an experienced application security engineer. You will work at the intersection of threat-informed design, engineering automation, and applied AI, doing consequential security work that directly shapes the posture of a modern SaaS platform. If you're a security engineer who writes code to solve security problems, can read a production codebase to find what a scanner misses, and wants your work to matter beyond a ticket queue, we want to talk.

You Will:

• Secure AI Systems and Use AI to Scale Security: Conduct security reviews and threat modeling of AI-integrated product features (LLM workflows, agentic pipelines, model APIs) with working knowledge of AI-specific risk classes including prompt injection, model manipulation, and runtime control gaps; and in parallel, deploy AI and automation as a force multiplier by building tooling, pipelines, and integrations that extend the team's reach, accelerate triage, and drive risk visibility at a scale manual effort alone cannot achieve.
• Deliver Application Security Reviews: Own end-to-end security assessments for high-risk features and services (threat modeling, architecture review, targeted code review, and security testing) embedded in the product development lifecycle. Work directly with engineering teams to surface and close risk before it ships, with enough technical credibility to influence design decisions, not just document findings.
• Advance CI/CD Pipeline Security: Operate and evolve the security scanning controls embedded in Smartsheet's GitLab pipelines (SAST, SCA, secrets, IaC scanning). Tune tools, engage teams on findings, and build automation that reduces false positive burden and improves how developers experience security feedback.
• Run Bug Bounty Operations: Serve as the expert validation layer for Smartsheet's bug bounty program, reproducing and assessing complex, multi-step researcher submissions requiring authenticated context and deep platform knowledge, making defensible severity and payout decisions, and owning program operations including researcher engagement, metrics, and continuous improvement.

You Have:

• Experience: 8+ years in application security, with a track record of owning complex, multi-capability work in a product security or AppSec engineering role.
• Software engineering foundation: Fluent in one or more modern languages (Java, Python, TypeScript/JavaScript, Go, Ruby, or equivalent); you identify security-related issues in code and can build automation to address them at scale.