Brex is the intelligent finance platform that enables companies to spend smarter and move faster in more than 200 markets. As an Application Security Engineer, you will contribute to finding and responding to security vulnerabilities across the Brex platform, participate in code reviews and penetration testing, and collaborate with various teams to enhance security practices.
Responsibilities:
- Identify vulnerabilities across common vulnerability classes (e.g., OWASP Top 10), document findings clearly, and communicate risk to drive remediation efforts
- Participate in penetration testing and design reviews alongside senior engineers, contributing to the identification of vulnerabilities and insecure designs
- Contribute to internal tooling and automation efforts that support SAST and DAST testing of the Brex platform and promote secure development practices
- Collaborate with engineering and product teams to support the design of secure product features
- Actively contribute to a culture of security awareness through knowledge sharing and peer learning
Requirements:
- 4+ years of work experience in Application Security or a related role
- Demonstrated ability to find and document vulnerabilities in complex systems, with clear communication of business risk
- Hands-on experience with a subset of secure development activities, such as code review, threat modeling, or penetration testing
- Experience identifying security risks in AI/ML systems — such as prompt injection, model manipulation, or data poisoning — through work experience, personal projects, CTFs, or bug bounties
- Familiarity with agentic workflows and the ability to reason about attack surfaces introduced by LLM-powered features
- Knowledge of Python or scripting languages to automate tasks and build tooling
- Collaborative mindset paired with strong written and verbal communication skills
- Experience with Kotlin, gRPC, GraphQL, Kubernetes
- Previous experience as a software engineer
- Experience with securing distributed systems in AWS and cloud environments
- Experience with web application security reviews
- Contributions to the wider technical community — open source, public research, CTF participation, blogging, CVEs, or presentations
- Experience submitting to bug bounty or responsible disclosure programs
- Published AI security research or contributions to AI security frameworks