Senior Lead Application Security Engineer
Senior Lead Application Security Engineer
Full-time
We are looking for an Application Security Engineer to join the Agentic Platform pillar, working within the Cloud Platform team. This team owns the secure, governed foundation that enables all of Copperleaf’s R&D teams to build and ship faster. In this role you will embed security directly into the platform and across every CI/CD pipeline, shifting our posture from reactive to proactive.
You will bring traditional application security depth into our Dev Sec Ops culture and, critically, use AI agents to continuously and autonomously improve our security posture. Our operating premise is simple: agentic attacks require agentic defense. You will build the agents, skills, and guardrails that detect, triage, and remediate security risk at machine speed, staying ahead of threats rather than responding to them after the fact.
This is a hands‑on, implementation‑first role: you will personally build, ship, and operate the security changes you design, working directly in the code and the pipelines rather than advising from the sidelines.
Key Responsibilities
- Embed application security into the Cloud Platform and across all CI/CD pipelines, making secure-by-default the path of least resistance for every R&D team.
- Design, build, and operate AI‑driven security agents that proactively scan, triage, and remediate vulnerabilities across source code, dependencies, containers, and infrastructure‑as‑code, turning point‑in‑time reviews into continuous, autonomous coverage.
- Establish secure software development lifecycle (SSDLC) practices, threat modeling, and secure‑coding standards, and integrate automated enforcement (SAST, SCA, DAST, secrets scanning, IaC scanning) as native pipeline gates rather than bolt‑on checks.
- Lead the security of our own agentic systems: defend against prompt injection, tool/MCP abuse, data exfiltration, excessive agency, and supply‑chain risk in line with frameworks such as the OWASP Top 10 for LLM Applications and MITRE ATLAS.
- Drive proactive vulnerability management: remediate HIGH and CRITICAL CVEs across platform infrastructure and container images in line with contractual and compliance commitments, and automate the toil out of it.
- Partner with engineering teams to harden Azure Kubernetes Service (AKS) workloads, identity and access (Keycloak, Azure AD, Managed Identities, workload identity), network segmentation, and secrets management.
- Contribute security evidence and controls to compliance programs (SOC 2, ISO 27001, Cyber Insurance), and automate evidence collection and continuous control monitoring with agentic tooling.
- Define and maintain security runbooks, detection logic, and incident response procedures, and build the agents that execute and accelerate them.
- Act as the security skill set within the platform team raising the bar through code review, pairing, and sharing pragmatic, developer‑friendly guidance.
- Contribute to improving the Agentic Operating Model through development of security‑focused agent skills, prompts, and tooling that other teams can reuse.
Technical Focus Areas
- Application security fundamentals: secure SDLC, threat modeling, OWASP Top 10, secure code review, and remediation across multiple languages and stacks.
- Agentic and AI security: securing LLM‑ and agent‑based systems (prompt injection, tool/MCP security, sandboxing, guardrails), plus building autonomous agents that perform security work. OWASP Top 10 for LLMs and MITRE ATLAS a strong asset.
- Dev Sec Ops and pipeline security with Azure Dev Ops: SAST, SCA, DAST, secrets and IaC scanning, SBOM generation, container signing and attestation, and pipeline access controls.
- Security scanning and tooling:
Mend (SCA/SAST), Azure Defender for Cloud, and MDR/SOC platforms. - Hands‑on with modern agentic and AI‑security tooling: agentic coding and security assistants (e.g. Claude Code with custom agent skills and MCP), AI‑assisted code analysis and autofix (e.g. Semgrep, Snyk / Deep Code AI, Git Hub Copilot Autofix / CodeQL), LLM and agent red‑teaming (e.g. garak, Microsoft PyRIT, Promptfoo), and runtime guardrails and model supply‑chain protection (e.g. Lakera Guard,…
To Search, View & Apply for jobs on this site that accept applications from your location or country, tap here to make a Search: