Anthropic is a public benefit corporation dedicated to creating reliable and beneficial AI systems. They are seeking a Staff Application Security Engineer to lead security due diligence and integration for acquisitions, formalizing the security playbook and automating processes to ensure the security of acquired systems. This role combines M&A security focus with core application security responsibilities, requiring collaboration across multiple teams and stakeholders.
Responsibilities:
- Lead pre-close security due diligence on prospective acquisitions — coordinate external penetration testing, threat-model the target's architecture, assess security controls, and deliver the security risk readout for leadership ahead of close and integration planning
- Drive post-close security integration — stand up static and dynamic analysis coverage on acquired codebases, track high- and critical-severity remediation to closure, fold acquired assets into bug bounty scope, and onboard repositories to Anthropic's automated vulnerability remediation and reporting systems
- Coordinate adjacent security engineering teams (supply chain, cloud, corporate security, detection & response) on their portions of each integration
- Work across a wide set of stakeholders on every deal — corporate development, legal, security leadership, and the engineering teams inheriting acquired systems internally; engineering and security counterparts at the target company externally — translating between them and keeping the security workstream legible to all of them
- Formalize and scale Anthropic's M&A security playbook — risk-scoring model, diligence runbook, integration checklist — and turn as much of it as possible into Claude-powered tooling rather than manual process
- Share the team's operational on-run rotation (bug bounty escalations, launch consults, incident response), swapping out during periods of active deal work
- Contribute to core AppSec projects between deals — secure design reviews, threat modeling for agentic systems, and the team's security automation roadmap
Requirements:
- Hands-on application and infrastructure security experience, including cloud and containerized environments
- Demonstrated ability to rapidly assess an unfamiliar codebase or architecture and produce a clear, prioritized risk assessment for a non-security audience
- Production-quality coding ability in at least one of Python, Go, Rust, or TypeScript
- Practical threat-modeling and vulnerability-identification skills — you've found and reasoned about real bugs in real systems
- Comfort operating with high autonomy, ambiguity, and tightly-held confidential context
- Clear written and verbal communication across varied audiences — executives, legal and corporate development partners, and engineering counterparts at an acquired company
- Minimum education: Bachelor's degree or an equivalent combination of education, training, and/or experience
- Required field of study: A field relevant to the role as demonstrated through coursework, training, or professional experience
- Minimum years of experience: Years of experience required will correlate with the internal job level requirements for the position
- 7+ years in application security, security consulting, or security architecture
- Prior M&A security due diligence, third-party security assessment, or technical due diligence experience
- Experience standing up or scaling SAST/DAST, bug bounty, or vulnerability management coverage across multiple codebases
- Track record of building security automation or tooling rather than relying solely on manual review
- Familiarity with using LLMs as a core part of your security workflow
- Experience securing agentic, code-execution, or LLM-integrated systems