Associate Director - Lead Application Security

10 - 15 years

30 - 40 Lacs

Posted: 1 hour ago | Platform: Naukri

Work Mode

Work from Office

Job Type

Full Time

Job Description

We are seeking an Associate Director, Lead Application Security with 10+ years of deep technical experience to own and elevate application security across a high-velocity, AI-first organization.

You will be the authoritative voice and technical leader for all things application security, bridging strategy with hands-on execution and partnering deeply with Engineering, Product, Platform, and Data Science teams to embed secure-by-design principles into every layer of our products without compromising speed or innovation.

This is a player-coach role: you will set the vision, drive the strategy, build and lead a lean team of AppSec engineers, and still roll up your sleeves to perform code reviews, design patterns, and threat models yourself.

The Impact

  • Directly protect next-generation AI products used by millions.
  • Define and scale the application security program for a rapidly growing AI company.
  • Equity in a high-growth, mission-driven organization.
  • Flexible, remote-first culture with global reach.
  • Work alongside elite AI researchers, platform engineers, and product leaders.
  • Shape industry-leading practices in secure AI application development.

Key Responsibilities

  • Application Security Strategy & Roadmap: Own the end-to-end AppSec program, from secure SDLC to runtime protection, and align it with business velocity and risk appetite.
  • Threat Modeling Leadership: Institutionalize systematic threat modeling across all product teams; personally lead modeling for flagship AI products and high-risk features.
  • Secure Code & Design Patterns: Author, maintain, and evangelize production-grade secure coding guidelines, libraries, and reference architectures (API security, authentication, input validation, LLM-specific risks, etc.).
  • Tooling & Automation: Select, deploy, and continuously improve the AppSec toolchain (SAST, DAST, SCA, IAST, runtime protection, secret scanning, etc.), deeply integrated into CI/CD pipelines.
  • Penetration Testing & Red Team Collaboration: Plan and execute advanced application pen tests; scope and oversee external red team engagements focused on business logic, AI-specific attacks, and prompt injection.
  • Incident Response & Forensics Support: Serve as the primary AppSec escalation point during security incidents affecting applications.
  • Team Building & Mentorship: Hire, grow, and lead a high-performing application security team; mentor engineers organization-wide on secure development practices.
  • Standards & Compliance: Drive alignment with OWASP ASVS, OWASP Top 10 (including LLM Top 10), NIST SSDF, and emerging AI security regulations.

Required Qualifications

  • 10+ years of hands-on application security experience in fast-paced product environments.
  • Proven track record of building and leading AppSec programs at scale (SaaS, consumer, or AI companies strongly preferred).
  • Expert-level knowledge of web, mobile, and API security; deep understanding of modern authentication/authorization (OAuth 2.1, OIDC, JWT, mTLS, SPIFFE).
  • Strong coding/scripting skills (Python, Go, TypeScript, or similar) with experience writing or auditing production code.
  • Extensive experience integrating and tuning AppSec tools in CI/CD (GitHub Actions, GitLab, Jenkins, etc.).
  • Demonstrated ability to influence engineering culture without gatekeeping velocity.
  • Relevant certifications preferred: OSCP, CASE, CISSP-ISSAP, CSSLP, or equivalent.

Preferred Skills

  • Hands-on experience securing LLM-powered applications (prompt injection, jailbreaks, model inversion, RAG security, etc.).
  • Familiarity with OWASP Top 10 for Large Language Models and emerging AI attack taxonomies.
  • Prior experience in bug bounty program management or offensive security leadership.
  • Contributions to open-source security tools or public research.

Who You Are

  • Builder & leader: You scale programs through people and automation, not bureaucracy.
  • Collaborative influencer: Engineers trust you because you've shipped code and found real bugs.
  • Hands-on to the end: You still dive into pull requests and exploit code when needed.
  • AI-native: You understand how LLMs change the attack surface and defense paradigms.
  • Pragmatic risk owner: You know when to say "yes, with guardrails" instead of just "no."

S&P Global Market Intelligence

Financial Services

New York
