Security engineer, application security

WRITER

London, UK (hybrid) Onsite
Competitive
Full-time

Job Description

Application Security Engineer

WRITER is seeking an experienced Application Security Engineer to join our team and help secure the next generation of AI and AGI applications. If you live and breathe AppSec, thrive on DevSecOps automation, and get your kicks from red team operations, this is the role for you.

At WRITER, security isn't an afterthought – it's a fundamental part of our DNA. As we push the boundaries of AI innovation, we need a security engineer who can think like an attacker, build security into our agile development pipelines, and relentlessly test our defenses.

In this role, you'll be a key player in integrating security directly into our CI/CD workflows, identifying and exploiting vulnerabilities before malicious actors can, and collaborating with cross-functional teams to protect our groundbreaking AI solutions. This is a high-impact, deeply technical role for someone who thrives at the intersection of security engineering, automation, and offensive security.

If you're passionate about proactively securing complex applications and turning red team findings into real-world security improvements, we encourage you to apply!

Responsibilities: Own It!

Pipeline Security Champion: Build and maintain security within the CI/CD pipeline (pre-deployment phase), including automated vulnerability scanning, container scanning, and custom security gates.
CI/CD Security Architect: Design and implement security gates and checks within our CI/CD pipelines.
Application Penetration Testing Guru: Conduct in-depth penetration testing of our AI applications, APIs, and model endpoints, simulating real-world attacks to validate our defenses.
Container Security Specialist: Implement and manage container scanning during the build phase to ensure secure container images.
Vulnerability Hunter: Discover, analyze, and report application-layer vulnerabilities, providing actionable remediation advice.

What You Won't Own (But Will Influence):
Deployment pipeline security (Cloud/Infrastructure owns).
Infrastructure-as-code security (Cloud/Infrastructure owns).
Production runtime security (Cloud/Infrastructure owns).
AI model security research (AI Security owns).

Key Collaborations:
Cloud/Infrastructure: Seamless handoff at the build/deploy boundary. You secure the build; they secure the deployment.
AI Security: Leverage their threat models for AI-specific risks and implement corresponding tests in CI/CD.
Detection & Response: Share your proactive vulnerability findings to enhance their ability to detect attacks in production.

Day-to-Day Activities:
Embed Security in the Build Pipeline: Own pre-deployment application security, including automated vulnerability scanning, container scanning, and custom security gates in CI/CD.
Conduct Advanced Application Penetration Testing: Perform comprehensive testing on AI applications, APIs, and model endpoints, simulating adversarial attacks to validate controls.
Automate Security Testing at Scale: Develop scripts, tools, and frameworks for continuous security assessment, including SAST, DAST, and SCA integration.
Lead Application-Layer Red Team Exercises: Plan and execute engagements that mimic sophisticated adversary techniques targeting AI systems.
Hunt and Validate Vulnerabilities: Discover, reproduce, and chain vulnerabilities into realistic attack paths, providing actionable remediation guidance.
Advise on Security Architecture: Review designs for weaknesses, create secure patterns, and identify systemic issues across applications.
Collaborate Across Boundaries: Partner with Cloud/Infrastructure on deployment/runtime security, AI Security on threat modeling, and Detection & Response on defensive validation.

Do You Have What It Takes?

Required Experience:
8+ years in application security, with a strong focus on hands-on testing.
5+ years conducting penetration tests and security assessments.
Proven record of finding and exploiting critical vulnerabilities.
Deep experience integrating security into DevOps workflows and CI/CD pipelines.
Strong programming skills for exploit development and security automation.
Expertise in web application and API security, including cloud-native architectures.

Technical Expertise:
Proficient with penetration testing tools (e.g., Burp Suite, OWASP ZAP, custom scripts).
Skilled in SAST, DAST, and SCA tools.
Strong understanding of application-layer attack techniques and exploitation.
Experience with supply chain security and build pipeline hardening.

Execution & Impact:
Demonstrated ability to identify vulnerabilities others miss.
Proven track record of automating security testing in fast-paced development cycles.
Ability to translate red team findings into concrete defensive measures.
History of effective collaboration with engineering teams.

Bonus Points:
Background in software development or DevOps.
Experience testing AI/ML applications.
Security certifications such as OSCP, OSWE, or GWAPT.
Published security research or CVEs.
Experience with purple team operations.

Benefits & Perks (UK Full-Time Employees):
Generous PTO, plus company holidays
Comprehensive medical and dental insurance
Paid parental leave for all parents (12 weeks)
Fertility and family planning support
Early-detection cancer testing through Galleri
Competitive pension scheme and company contribution
Annual work-life stipends for:
Home office setup, cell phone, internet
Wellness stipend for gym, massage/chiropractor, personal training, etc.
Learning and development stipend

Company-wide off-sites and team off-sites
Competitive compensation and company stock options