Senior Application Security Engineer
Unqork empowers enterprises to accelerate growth by rapidly building, testing, and running applications that are designed to be AI-native. Trusted by the world’s largest organizations in highly regulated industries, these applications become more secure over time while significantly reducing technical debt—allowing businesses to focus on innovation rather than maintenance. Unqork’s customers include Goldman Sachs, Marsh, BlackRock, and the U.S. Department of Health and Human Services.
At Unqork, we value inclusive and innovative thinkers who boldly challenge the status quo. We encourage you to apply!
Role Overview:
You will be part of a team that is passionate about securing Unqork's Commercial and FedRAMP technology stack.
You will champion application security best practices and drive their adoption across Unqork's engineering organizations. You will automate processes using policy as code. You'll leverage your deep technical expertise to oversee the identification and remediation of security vulnerabilities and misconfigurations. In this role, you will be responsible for identifying vulnerabilities, providing remediation guidance, and fostering a culture of Security by Design.
This is a technical, hands-on role requiring a mix of manual penetration testing, automated tool management, and deep code-level analysis. You will work side-by-side with our engineering teams to ensure our application and infrastructure remain resilient against modern threats.
The Impact U will make:
Vulnerability Management: Perform deep-dive manual penetration testing and security assessments on web applications to identify flaws beyond the reach of automated tools.
Tool Orchestration: Triage and manage results from SAST (Static), DAST (Dynamic), and SCA (Software Composition Analysis) tools, reducing false positives and prioritizing critical risks.
Code Review: Conduct thorough security code reviews of Node.js applications to identify logic flaws, injection vulnerabilities, and broken access controls.
Automation: Develop Python scripts to automate repetitive security tasks, integrate security checks into CI/CD pipelines, and enhance our internal security tooling.
Remediation & Partnership: Act as a security consultant for developers, tracking vulnerabilities from discovery through to successful remediation and verification.
Standardization: Stay current with the OWASP Top 10 and other industry frameworks to ensure our defense strategies evolve with the threat landscape.
What U bring:
Experience: 5+ years in Application Security, Pentesting, or Security Engineering.
Technical Core: Expert knowledge of the OWASP Top 10 and common web attack vectors (XSS, SQLi, SSRF, etc.). Must be able to explain the root cause and remediation of all OWASP vulnerabilities. Experience with testing AI/LLM applications, with a deep understanding of all OWASP LLM Top 10 vulnerabilities.
Development: Proficiency in reading and auditing Node.js code; ability to write automation scripts in Python.
Testing Tools: Experience with Burp Suite Professional, OWASP ZAP, and commercial SAST/DAST/SCA platforms.
Soft Skills: Excellent communication skills with the ability to explain complex security concepts to non-security stakeholders.
Compensation, Benefits, & Perks
💻 Work from home with a remote-first community
🏝 Unlimited PTO (and the encouragement to use it)
📝 Student loan payback program
🏥 100% employer-covered medical, dental, and vision options available to you and your dependents
💸 Flexible Spending Account (FSA)
🏠 Monthly stipend toward your WFH setup, vacation, development and more
💰 Employer-sponsored 401(k) with contribution match
🏋🏻♀️ Subsidized ClassPass Membership
🍼 Generous Paid Parental Leave
💲 Hiring Ranges:
Tier 1: $129,600 - $160,000 base salary
Tier 2: $116,640 - $144,000 base salary
Unqork employs a market-driven approach to establish compensation ranges. In addition to a base salary, employees may also be eligible to receive a target incentive and company equity in the form of stock options.
An employee’s compensation within the range provided above depends on a variety of factors including, but not limited to, their location, role, skillset, level of experience, and similar peer salaries.
As a remote-first company, Unqork incorporates a geographic differential into our compensation structure, depending on the candidate’s location. We utilize a tiered system—Tier 1 and Tier 2—to accurately reflect local market rates and ensure our compensation packages are both fair and competitive.
Our geographic tiers are defined as follows:
Tier 1: New York Metro, Seattle Metro, San Francisco Bay Area
Tier 2: All other US and US territory locations
Unqork embraces a culture of security and privacy awareness by consistently safeguarding sensitive information, adhering to company policies, and actively participating in training and initiatives to protect our data and the privacy of our stakeholders.
Unqork is an equal opportunity employer. We will consider all qualified applicants without regard to race, color, nationality, gender, gender identity or expression, sexual orientation, religion, disability or age.
#LI-TB1
About the job
Apply for this position
Senior Application Security Engineer
Unqork empowers enterprises to accelerate growth by rapidly building, testing, and running applications that are designed to be AI-native. Trusted by the world’s largest organizations in highly regulated industries, these applications become more secure over time while significantly reducing technical debt—allowing businesses to focus on innovation rather than maintenance. Unqork’s customers include Goldman Sachs, Marsh, BlackRock, and the U.S. Department of Health and Human Services.
At Unqork, we value inclusive and innovative thinkers who boldly challenge the status quo. We encourage you to apply!
Role Overview:
You will be part of a team that is passionate about securing Unqork's Commercial and FedRAMP technology stack.
You will champion application security best practices and drive their adoption across Unqork's engineering organizations. You will automate processes using policy as code. You'll leverage your deep technical expertise to oversee the identification and remediation of security vulnerabilities and misconfigurations. In this role, you will be responsible for identifying vulnerabilities, providing remediation guidance, and fostering a culture of Security by Design.
This is a technical, hands-on role requiring a mix of manual penetration testing, automated tool management, and deep code-level analysis. You will work side-by-side with our engineering teams to ensure our application and infrastructure remain resilient against modern threats.
The Impact U will make:
Vulnerability Management: Perform deep-dive manual penetration testing and security assessments on web applications to identify flaws beyond the reach of automated tools.
Tool Orchestration: Triage and manage results from SAST (Static), DAST (Dynamic), and SCA (Software Composition Analysis) tools, reducing false positives and prioritizing critical risks.
Code Review: Conduct thorough security code reviews of Node.js applications to identify logic flaws, injection vulnerabilities, and broken access controls.
Automation: Develop Python scripts to automate repetitive security tasks, integrate security checks into CI/CD pipelines, and enhance our internal security tooling.
Remediation & Partnership: Act as a security consultant for developers, tracking vulnerabilities from discovery through to successful remediation and verification.
Standardization: Stay current with the OWASP Top 10 and other industry frameworks to ensure our defense strategies evolve with the threat landscape.
What U bring:
Experience: 5+ years in Application Security, Pentesting, or Security Engineering.
Technical Core: Expert knowledge of the OWASP Top 10 and common web attack vectors (XSS, SQLi, SSRF, etc.). Must be able to explain the root cause and remediation of all OWASP vulnerabilities. Experience with testing AI/LLM applications, with a deep understanding of all OWASP LLM Top 10 vulnerabilities.
Development: Proficiency in reading and auditing Node.js code; ability to write automation scripts in Python.
Testing Tools: Experience with Burp Suite Professional, OWASP ZAP, and commercial SAST/DAST/SCA platforms.
Soft Skills: Excellent communication skills with the ability to explain complex security concepts to non-security stakeholders.
Compensation, Benefits, & Perks
💻 Work from home with a remote-first community
🏝 Unlimited PTO (and the encouragement to use it)
📝 Student loan payback program
🏥 100% employer-covered medical, dental, and vision options available to you and your dependents
💸 Flexible Spending Account (FSA)
🏠 Monthly stipend toward your WFH setup, vacation, development and more
💰 Employer-sponsored 401(k) with contribution match
🏋🏻♀️ Subsidized ClassPass Membership
🍼 Generous Paid Parental Leave
💲 Hiring Ranges:
Tier 1: $129,600 - $160,000 base salary
Tier 2: $116,640 - $144,000 base salary
Unqork employs a market-driven approach to establish compensation ranges. In addition to a base salary, employees may also be eligible to receive a target incentive and company equity in the form of stock options.
An employee’s compensation within the range provided above depends on a variety of factors including, but not limited to, their location, role, skillset, level of experience, and similar peer salaries.
As a remote-first company, Unqork incorporates a geographic differential into our compensation structure, depending on the candidate’s location. We utilize a tiered system—Tier 1 and Tier 2—to accurately reflect local market rates and ensure our compensation packages are both fair and competitive.
Our geographic tiers are defined as follows:
Tier 1: New York Metro, Seattle Metro, San Francisco Bay Area
Tier 2: All other US and US territory locations
Unqork embraces a culture of security and privacy awareness by consistently safeguarding sensitive information, adhering to company policies, and actively participating in training and initiatives to protect our data and the privacy of our stakeholders.
Unqork is an equal opportunity employer. We will consider all qualified applicants without regard to race, color, nationality, gender, gender identity or expression, sexual orientation, religion, disability or age.
#LI-TB1