Application Security Engineer

Reposted 21 Days Ago
San Francisco, CA, USA
Hybrid
232K-318K Annually
Senior level
Software
Our mission is to change the way developers build software.
The Role
The Application Security Engineer will identify security gaps, build tooling, conduct code reviews, and drive vulnerability remediation, ensuring secure product delivery.
Summary Generated by Built In
ABOUT RETOOL
Nearly every company in the world runs on custom software for critical operations like tracking performance metrics, handling customer support workflows, building admin dashboards, and countless other processes you might not have even thought of. But most companies don't have adequate resources to properly invest in these tools, leading to a lot of old and clunky internal software or, even worse, users still stuck in manual and spreadsheet flows.

At Retool, we’re building the first enterprise AppGen platform: software that transforms natural language into production-ready code, integrates directly with business data, and meets the highest standards of security and governance. AI is redefining what it means to build software—and who gets to build it. The definition of “developer” now includes analysts, operators, and domain experts creating solutions directly. As the pool of builders widens, so does the complexity of what they need to build. The opportunity is enormous, but so is the challenge of enabling this larger community to build production-grade software safely. That means AI that understands real business data, enforces enterprise policies automatically, and empowers teams to create once and reuse everywhere with shared, trusted components.

Over 100 million hours of work have been automated by developers and domain experts using our platform, freeing them to focus on creative problem-solving and strategic initiatives that drive real business value. The people closest to knowing what needs to be built can now safely create custom solutions within enterprise guardrails. And that's a mission worth striving for.

Let's build the future together!
WHY WE’RE LOOKING FOR YOU
Retool handles our customers’ most sensitive data and provides a platform where they write and execute arbitrary code. The security surface that comes with that is large, nuanced, and genuinely interesting. As the platform grows and our customers’ trust in it deepens, the scope and ambition of our security program have grown with it.

We’re looking for an Application Security Engineer who combines deep security fundamentals with real engineering execution. This is not a role for someone who audits from a distance or advises without getting their hands dirty. You’ll be in the code, spotting systemic patterns, and building the tooling and solutions that address them at scale. You’ll recognize when a one-off fix isn’t enough, synthesize what you’re seeing in the codebase, and work with engineering teams to make secure outcomes the default rather than the exception.

You’ll need to understand the product deeply to secure it well: what customers build on Retool, where code executes, and how data flows. The security problems worth solving here live at the intersection of platform capability and customer trust, and your first team is the business, not just security.

We’re also actively thinking about what AI-accelerated development means for application security, from how to use AI to enhance and scale our own security work to managing the risk that comes with developers shipping more code, faster, with different review patterns than ever before. We’re already running experiments in this space, including using AI to find and fix vulnerabilities at scale, automating dependency management, and rethinking what security teams can actually accomplish with the right tooling and ambition. If you want to work out what AI genuinely changes about security engineering practice - in real conditions, not in theory - this role is for you.

IN THIS ROLE, YOU WILL:
  • Identify systemic security gaps in our codebase and engineering workflows, and work with engineering teams to design and ship durable solutions; you’ll drive solutions, not just surface problems
  • Build security tooling, automation, and code-level controls that address whole classes of vulnerabilities, including custom linters, static analysis rules, and automated checks, so that issues are caught early in development rather than handled one at a time or after they’ve reached production
  • Conduct in-depth code reviews and security design reviews for significant product initiatives, with the technical depth to engage meaningfully with architectural tradeoffs rather than just flag issues for others to resolve
  • Drive threat modeling and security assessments for new features, and translate security requirements into practical engineering guidance that developers can actually act on
  • Contribute to the team’s evolving approach to security as AI-assisted development scales internally, including how faster and higher-volume code production changes how we find, prioritize, and fix risks
  • Triage, track, and drive remediation of vulnerabilities with product engineering teams, and contribute to our penetration testing and bug bounty programs

THE SKILLSET YOU’LL BRING:
  • 5+ years of hands-on experience in application security and security engineering: you’ve built things, not only assessed them, and your background is not mainly consulting, audit, or compliance work
  • The ability to operate independently with good judgment in a fast-moving environment: you prioritize well by understanding the needs of the business and our shared objectives, make calls with incomplete information, and know when to move fast versus when to slow down and get it right, or escalate and ask for help
  • Communication that earns trust: you can make security legible to engineers without being preachy, and you measure your impact by how well you’ve supported the business, not by how many issues you catalogued
  • A track record of shipping security tooling or automation that improved things for more than one team
  • Genuine engineering depth: you can read, reason about, and review code at the level needed to find real bugs and understand their root causes, not just pattern-match to a checklist
  • Comfort working in TypeScript and Python: Retool’s platform is built in TypeScript and our security tooling leans on Python; you’ll need to be productive in both, not just conversant
  • Strong AppSec fundamentals: threat modeling, secure code review, a working understanding of common vulnerability classes and, importantly, how to address them durably rather than symptomatically
  • A pragmatic, signal-oriented relationship with AI tooling: you reach for it where it genuinely sharpens your work, you’re skeptical where it doesn’t, and you’re thinking about what developer-side AI adoption means for how security risk compounds at scale

NICE TO HAVE:
  • Offensive security experience such as bug bounty, CTF participation, red team, or pentesting work
  • Experience building or contributing to SAST pipelines, custom static analysis rules, or automated security testing infrastructure
  • Prior experience at a startup or high-growth scaleup, where security programs aren’t fully pre-defined and priorities shift
For candidates based in the United States, the pay range(s) for this role is listed below and represents base salary range for non-commissionable roles or on-target earnings (OTE) for commissionable roles. This salary range may be inclusive of several career levels at Retool and will be narrowed during the interview process based on a number of factors such as (but not limited to), scope and responsibilities, the candidate’s experience and qualifications, and location. 
Additional compensation in the form(s) of equity and/or commission are dependent on the position offered. Retool provides a comprehensive benefit plan, including medical, dental, vision, and 401(k). Pay and benefits are subject to change at any time, consistent with the terms of any applicable compensation or benefit plans.

The base pay range for this role is $231,900 – $318,250 per year.
Retool offers generous benefits to all employees and hybrid work location. For more information, please visit the benefits and perks section of our careers page!

Retool is currently set up to employ all roles in the US and specific roles in the UK. To find roles that can be employed in the UK, please refer to our careers page and review the indicated locations.


The Company
HQ: San Francisco, CA
350 Employees
Year Founded: 2017

What We Do

Retool is a development platform for building business software. Users can visually design apps that interface with any database or API, and switch to code to customize how their apps look and work. With Retool, developers ship more apps and move their business forward—all in less time. Thousands of teams at companies like Amazon, DoorDash, Peloton, and Brex collaborate around custom-built Retool apps to solve internal workflows. We're just getting started and growing quickly—join us!

Why Work With Us

Retools are solution drivers—whether fixing a button misalignment or enabling customers to build with the newest AI technologies, we wear many hats and act like owners. Our small teams work on big problems, pushing hard and moving quickly to create outsized impact. We hold each other accountable and celebrate together when we get it right. Join us!
