Principal / Staff Application Security Engineer

The Role 

AiDASH protects the critical infrastructure that delivers power to tens of millions of people. As we embed GenAI more deeply into our SaaS products (RAG pipelines, agentic / MCP services) and roll out AI-assisted development internally, the threat landscape is shifting fast. Autonomous adversaries, prompt injection, model exfiltration, and vibe-coded internal apps spun up by non-engineers are now part of the daily attack surface. 

We're hiring a Principal or Staff Application Security Engineer to be our deepest technical voice on security. In the role, you'll own our AppSec program and lead AI/LLM security hardening across the platform. You'll embed security into every layer of the SDLC (from PR to production), and be the person who figures out what "secure agentic AI" actually looks like in a product that ships to critical infrastructure operators. You will report to senior leadership and work closely with Platform, ML, and DevOps across our US and India teams.

How you'll make an impact:

AppSec & DevSecOps

• Own and mature the AppSec toolchain across CI/CD — SAST, DAST, SCA, secrets scanning, and IaC policy-as-code
• Champion shift-left security: threat modeling and secure-design reviews embedded in PRs and sprint planning, not bolted on at release
• Run SBOM/AIBOM tooling; enforce risk-tiered dependency controls; extend SLSA practices to model artifacts
• Write and enforce IaC policy-as-code (OPA/Rego, Checkov, Kyverno, or equivalent) in live pipelines

AI & LLM Security

• Harden production GenAI deployments on AWS (managed model APIs, agentic/MCP services) — IAM, VPC routing, prompt-layer guardrails, output filtering, rate and cost controls
• Codify OWASP LLM Top 10 and MITRE ATLAS controls into the SDLC; introduce LLM eval-as-gate in CI
• Govern internal AI-assisted developer tooling — DLP for what egresses to external model providers, sensitive-data discovery in prompts, acceptable-use telemetry
• Stand up controls for shadow AI and vibe-coded apps: discover, classify, gate with sane defaults, and bring under the SDLC

Cloud Security (AWS)

• Harden AWS posture across accounts — Organizations, SCPs, Control Tower — and mature Kubernetes security (admission controllers, runtime visibility)
• Operate CSPM/CNAPP tooling; own vulnerability management across containers and IaC
• Support zero-trust privileged access for production infra, databases, and Kubernetes (in partnership with DevOps)

Compliance Support

• Support the company’s path to ISO 27001 and ISO 42001 certifications in 2027 — gap assessments, control sets, evidence pipeline
• Maintain SOC 2 Type II posture in partnership with the compliance team
• Translate emerging AI regulation (EU AI Act, NIST AI RMF, utility-sector mandates) into concrete engineering requirements

What we're looking for:

Minimum Qualifications

• 8+ years in security engineering with meaningful AppSec depth — you have shipped and operated SAST/DAST/SCA (Semgrep, CodeQL, Snyk, Veracode, or equivalent) at production scale
• Hands-on experience securing production LLM or agentic AI deployments — IAM, guardrails, prompt injection controls, eval gating. RAG-demo experience alone does not meet the bar
• Cloud-native security experience in AWS — comfortable with Organizations/SCPs, Kubernetes security, container hardening, and CSPM tooling
• IaC policy-as-code in a live pipeline (OPA/Rego, Checkov, Kyverno, tfsec, or equivalent)
• SBOM/AIBOM tooling at production scale (Interlynk, Anchore, Dependency-Track, or equivalent)
• Compliance fluency: has personally contributed to a SOC 2 Type II or ISO 27001 audit — can read a control map without flinching
• SF Bay Area based; able to work hybrid (2 days/week in Palo Alto)

Preferred Qualifications 

• Hands-on MCP work — design, hardening, or auth — even early-stage
• LLM eval-as-gate in CI (Promptfoo, Garak, DeepEval, Giskard) and AI red-teaming experience
• Prompt-layer DLP and AI runtime guardrails (Nightfall, Lakera Guard, Cyberhaven, Harmonic Security, Protect AI, NVIDIA NeMo Guardrails)
• ISO 42001 familiarity; NIST AI RMF and EU AI Act high-risk system requirements
• Experience securing SaaS sold into regulated sectors (utilities, energy, financial services, healthcare)
• EDR/XDR operations experience (CrowdStrike, SentinelOne, Defender) — helpful but not the primary focus of this role
• Comfort working across US/India time zones with a distributed team
• Public signals: conference talks, open-source contributions in CI/CD, MCP, or LLM-deployment security

What you'll love:

• Comprehensive Medical, Dental, and Vision Coverage: 100% coverage for employees and 80% for their spouses and children 
• Health Reimbursement Account (HRA): 100% funded by AiDASH to cover medical deductibles 
• 401(k) Plan: Begin contributing after three months of employment to prepare for your future. Currently, no company match is offered 
• Parental Leave: Supportive parental leave with 16 weeks for primary caregivers and 4 weeks for secondary caregivers 
• Generous Vacation Policy: Accrue 20 vacation days per year, plus enjoy an additional flex holiday to celebrate whatever feels most important to you! 
• Winter Break: From December 25th through January 1st, we give everyone time off to recharge and enjoy time with family and friends! 

We are proud to be an equal-opportunity employer. We are committed to embracing diversity and inclusion in our hiring practices, and we promote a work environment where everyone, from any race, color, religion, sex, sexual orientation, gender identity, or national origin, can do their best work. 

We offer a competitive base pay range for this full-time position, which is between $210,000 and $270,000 per year. This range reflects the anticipated base salary for new hires.  In addition, this role is also eligible for an annual performance bonus and equity. We strive to ensure our compensation packages are equitable and aligned with industry standards. Your recruiter can share more about compensation during the hiring process.