Smartsheet has been helping teams achieve their goals for over 20 years, creating tools that empower automation and insights. They are seeking a Senior Security Engineer II for their Application Security team, responsible for securing AI-integrated systems and advancing application security reviews, while also improving CI/CD pipeline security and managing bug bounty operations.
Responsibilities:
- Secure AI Systems and Use AI to Scale Security: Conduct security reviews and threat modeling of AI-integrated product features (LLM workflows, agentic pipelines, model APIs) with working knowledge of AI-specific risk classes including prompt injection, model manipulation, and runtime control gaps; and in parallel, deploy AI and automation as a force multiplier by building tooling, pipelines, and integrations that extend the team's reach, accelerate triage, and drive risk visibility at a scale manual effort alone cannot achieve
- Deliver Application Security Reviews: Own end-to-end security assessments for high-risk features and services (threat modeling, architecture review, targeted code review, and security testing) embedded in the product development lifecycle. Work directly with engineering teams to surface and close risk before it ships, with enough technical credibility to influence design decisions, not just document findings
- Advance CI/CD Pipeline Security: Operate and evolve the security scanning controls embedded in Smartsheet's GitLab pipelines (SAST, SCA, secrets, IaC scanning). Tune tools, engage teams on findings, and build automation that reduces false positive burden and improves how developers experience security feedback
- Run Bug Bounty Operations: Serve as the expert validation layer for Smartsheet's bug bounty program, reproducing and assessing complex, multi-step researcher submissions requiring authenticated context and deep platform knowledge, making defensible severity and payout decisions, and owning program operations including researcher engagement, metrics, and continuous improvement
Requirements:
- 8+ years in application security, with a track record of owning complex, multi-capability work in a product security or AppSec engineering role
- Fluent in one or more modern languages (Java, Python, TypeScript/JavaScript, Go, Ruby, or equivalent); you identify security-relevant patterns without relying on tooling and write automation that others adopt
- Hands-on experience securing AI-integrated applications (LLM systems, agentic workflows, model APIs) and demonstrated experience deploying AI and automation to scale security functions or extend team reach
- Threat modeling, architecture review, and code review for complex SaaS features; you produce findings engineering teams can act on and carry enough technical credibility to influence design decisions, not just document them
- Independent, hands-on validation of complex, multi-step authenticated vulnerabilities; you confirm what scanners flag and find what they miss
- Bug bounty program operator, active researcher, or both; direct experience with triage, severity calibration, and researcher communication
- Working knowledge of SAST, SCA, secrets, and IaC scanning in modern pipelines, with experience engaging teams on findings and improving signal quality
- Working knowledge of AWS, GCP, or Azure sufficient to tie application-layer risk to the infrastructure it runs on; you understand where the application ends and the cloud begins
- Legally eligible to work in the U.S. on an ongoing basis
- BS or MS in Computer Science, a related field, or equivalent industry experience
- Experience with agentic security, MCP security, or adversarial evaluation of autonomous AI systems
- GitLab CI/CD experience, including security policy pipeline configuration and scanning job integration
- Active bug bounty researcher with published findings, CVE credits, or hall of fame recognition
- Penetration testing program management experience: scope definition, vendor coordination, and finding validation with third-party testers