Application Security Engineer II

About the Role

Abnormal AI is looking for a Application Security Engineer II to help build the next generation of secure AI-powered cybersecurity applications at scale. This is a senior IC-level role that blends deep application security expertise with strong engineering fundamentals. You'll focus on integrating security into every phase of our software development lifecycle, conducting comprehensive security reviews, and partnering with engineering teams to build defensible architectures. As a technical leader, you will own the security architecture and development of secure coding practices while ensuring security is a foundational partner to our engineering stakeholders. You'll mentor junior engineers, act as a technical liaison across teams, and contribute directly to keeping our applications and customers secure. This is a role for engineers who are intellectually curious and motivated to bridge the gap between security principles and application development execution. Who you are: An intellectually curious, solution-focused engineer with a security mindset who thrives in fast-paced environments A technical leader who can architect secure application solutions while maintaining engineering velocity Someone who thinks like an attacker but builds like a defender - understanding both offensive and defensive security principles A collaborative engineer who can translate security requirements into actionable development tasks A mentor who enjoys teaching secure coding practices and security architecture to junior engineers What you will do Lead threat modeling and security architecture reviews with engineering teams by translating security risks into development actions. Architect, build, and maintain security tooling and integrations that enable secure development workflows (e.g., SAST, DAST, SCA, IAST tools). Collaborate with Engineering, DevOps, and Platform teams to build scalable security controls via Infrastructure-as-Code and secure CI/CD pipelines. Design and deploy automated security testing frameworks to identify vulnerabilities early in the development process. Serve as a hands-on technical contributor during security incidents by analyzing application-level behavior and enhancing response processes. Mentor and support junior engineers on secure coding practices, security architecture, and security tooling integrations. Evaluate and uplift application security tooling across commercial and open-source capabilities by focusing on scale, efficiency, and precision. Define and track key security posture metrics, building dashboards or reports to visualize security coverage and vulnerability trends. Partner with engineering teams to implement and maintain security controls across applications and services. Stay current with emerging AI/ML security threats, evaluating them for business applicability and integration. Must Haves 4 - 6 years' proven experience in application security engineering roles, ideally in cloud-native environments with modern development practices. Hands-on experience with security testing tools (SAST, DAST, SCA, IAST) and working knowledge of security automation in CI/CD pipelines. Strong programming skills in Python, Go, Java, or JavaScript/TypeScript; proficiency with Git, Linux, and modern development frameworks. Expertise in web application security including OWASP Top 10, authentication/authorization, cryptography, and secure API design. Experience with threat modeling frameworks (STRIDE, PASTA, LINDDUN) and security architecture review processes. Comfortable investigating application logs, tracing security events, and contributing to incident analysis workflows. Proven ability to influence and collaborate cross-functionally with engineering, DevOps, and product teams. Strong written communication and documentation skills and being able to convey complex security concepts clearly. Background with securing modern application architectures including microservices, containers, and cloud-native applications.

Nice to Have

Experience working in fast-paced or startup environments with sometimes ambiguous ownership lines. Familiarity with AI/ML security concepts including adversarial attacks, model security, and data privacy considerations. Hands-on experience with commercial security tools (Veracode, Checkmarx, SonarQube, Snyk, Burp Suite) Prior experience building security telemetry pipelines or vulnerability management frameworks. Exposure to compliance frameworks (SOC 2, ISO 27001) and how development decisions affect auditability. Familiarity with bug bounty programs and vulnerability disclosure processes. #LI-JT1 Actual compensation will be determined based on several non-discriminatory factors including skills, experience, qualifications, and geographic location. In addition to base salary, this role may be eligible for bonus or incentive compensation, equity, and a comprehensive benefits package. Base salary range: $130,100—$187,000 USD Abnormal AI is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, protected veteran status or other characteristics protected by law. For our EEO policy statement please click here. If you would like more information on your EEO rights under the law, please click here.