Senior Application Security Engineer

RegScale is a continuous controls monitoring (CCM) platform that helps organizations automate and scale their security, risk, and compliance programs. We are at an inflection point, transitioning from startup execution to a disciplined, enterprise-ready engineering organization, and we are building the team that will take us there. As a platform handling sensitive security and regulatory data for enterprise and government customers, security is not a compliance checkbox at RegScale. It is a core engineering discipline woven into how we build software.

This is a high autonomy role for a seasoned security engineer who thrives at the center of a complex engineering organization. You are the primary application security practitioner at RegScale. You identify where the risk is, build the strategy to address it, and drive initiatives from concept to measurable improvement without a team beneath you and without direct authority over the engineers you depend on to execute.

Your reach spans all of engineering including Core Engineering, Platform and AI, Compliance as Code, Quality Engineering, SRE, Infrastructure, and the external security team. You succeed by making engineers more security conscious and embedding security into how software is designed, built, and deployed rather than finding vulnerabilities after the fact.

RegScale serves enterprises and government agencies under frameworks like FedRAMP, NIST, and CMMC. This role reports into SRE and Infrastructure and requires deep technical security expertise combined with the organizational influence and end to end ownership mindset needed to make security a shared engineering value.

• → Own the application security program end to end, identifying risks, setting priorities, building strategy, aligning stakeholders, driving implementation across engineering teams, and measuring outcomes.
• →Conduct threat modeling and security design reviews early in the development process, embedding security thinking into architecture and feature design before code is written.
• →Partner with developers across all engineering teams to shift security left, coaching on secure coding practices, reviewing code for vulnerabilities, and building security awareness as a shared engineering capability rather than a specialized handoff.
• →Integrate security tooling and automated security checks into CI/CD pipelines including static analysis, dependency scanning, and secrets detection, ensuring actionable security signals.
• →Own vulnerability management across the platform, triaging findings from internal testing, external assessments, and tooling, prioritizing remediation based on risk, and driving resolution to completion.
• →Lead and coordinate penetration testing and security assessments, working with internal and external resources to scope, execute, and translate findings into engineering action.
• →Define and maintain secure development standards and patterns that engineering teams can adopt, covering areas such as authentication, authorization, API security, and data-handling.
• →Bridge engineering and the external security team, translating security requirements into engineering priorities and engineering constraints into security strategy, ensuring both sides operate with shared context and mutual accountability.
• →Support compliance and regulatory requirements including FedRAMP, NIST, and enterprise customer security obligations, working with the Compliance as Code team to ensure security controls are implemented and evidenced effectively.
• →Assess and address security risks introduced by AI features and integrations, including prompt injection, data exposure through AI interfaces, and third-party model risks, working closely with the Platform and AI team to ensure AI capabilities are built and deployed securely.
• →Build visibility into the security posture of the platform through metrics, dashboards, and reporting that inform engineering leadership and support customer and auditor conversations.

• 10 or more years of application security experience with a demonstrated track record of owning security programs and driving initiatives end to end across complex engineering organizations.
• Deep expertise across the application security domain including threat modeling, secure design review, vulnerability assessment, penetration testing, and secure development practices.
• Proven ability to operate as a solo practitioner or small team lead, setting priorities independently, managing competing demands, and delivering outcomes without close supervision.
• Strong experience influencing engineering teams without direct authority, building credibility through technical depth, clear communication, and practical solutions that fit the realities of product delivery.
• Experience integrating security into CI/CD pipelines and modern software delivery practices, with a shift left mindset that prioritizes prevention over detection.
• Solid understanding of cloud security principles and how application security intersects with infrastructure security in a cloud native environment.
• Strong written and verbal communication skills, able to articulate security risk, strategy, and tradeoffs clearly to engineering teams, leadership, and stakeholders including customers and auditors.

• Experience in regulated industries with compliance frameworks such as FedRAMP, NIST 800-53, CMMC, or SOC 2. Direct FedRAMP authorization or continuous monitoring experience is a strong plus.
• Background in enterprise SaaS companies where security scaled across multi-tenant architectures and high stakes regulatory environments.
• Experience supporting penetration tests, bug bounty programs, or third-party security assessments and translating findings into prioritized engineering roadmaps.
• Familiarity with GRC platforms or compliance automation tools, bringing domain context that makes security decisions more credible with customers.
• Familiarity with AI security considerations including securing LLM integrations, prompt injection risks, AI governance, and emerging regulatory expectations around AI in compliance contexts.
• Relevant certifications such as OSCP, CISSP, or CSSLP, valued as evidence of structured knowledge, not as a substitute for demonstrated engineering capability.

RegScale is only able to hire US Citizens