AppSec Engineer

Our Engineering Standards at Karbon:

Balance Speed and Quality

Engineers are expected to balance delivery speed with a strong commitment to quality, meeting agreed timelines while producing reliable, maintainable, and well-tested solutions. Sound judgment in making trade-offs between velocity and long-term sustainability is essential.

Collaborate Effectively

Engineering is collaborative by default. Team members are expected to contribute constructively in design discussions, reviews, and planning, communicate clearly about progress and risks, and support shared team outcomes in both hybrid and distributed environments.

Build and Maintain Systems

Engineers are responsible for building new capabilities while maintaining and improving existing systems. This includes designing scalable solutions, reducing technical debt, supporting operational stability, and contributing to continuous improvement.

Operate with Autonomy

A high degree of autonomy is expected. Given clear objectives, engineers should independently translate problems into actionable technical approaches, proactively identify improvements, and continuously expand relevant technical expertise.

Ownership and Accountability

Ownership is fundamental. Engineers are accountable for the quality, performance, and customer impact of their work from design through post-release support, and are expected to follow through on commitments.

AI-Enabled Engineering

AI is reshaping how software is built, and we are committed to leveraging it as a force multiplier for creativity, impact, and capability. Engineers are expected to confidently apply strong technical fundamentals while embracing AI tools and approaches to enhance productivity, problem-solving, and innovation. Curiosity, adaptability, and enthusiasm for integrating AI into meaningful product development are essential.

Contribute to Team Culture

Engineers contribute positively to a culture of professionalism, transparency, low bureaucracy, and mutual respect, strengthening team performance through authenticity, curiosity, and collaboration.

Seeking a development & cloud focused AppSec Engineer to join our expanding security team.

The ideal candidate will have passion for AppSec, Cloud and AI. They will be a skilled communicator and relationship builder capable of promoting and building security practices across the organization and into our development processes.

AI is reshaping practices across the board and at Karbon we’re fully committed. We don’t see AI as a replacement but as a force multiplier. We’re looking for Security Engineers who are confident in network & security fundamentals, driven to grow, and excited by the challenges and opportunities AI brings.

What You’ll Own:

• Partner with different areas within Karbon - You will make sure security is embedded from the start from feature design and development to participating in design reviews and threat modelling.
• Balance Security and Delivery - You know how to balance delivery needs with security and can communicate security risks and issues to non technical stakeholders. You understand when it's important to push back, when to compromise and how to work with delivery teams to reach a great outcome.
• You keep up to date on the latest technologies and approaches - You are excited by the new developments such as AI bring to security but also understand the importance of security foundational practices such as good account hygiene, least privilege, attack surface reduction and MFA.
• Identify and assess security risks introduced by AI tools - You’ll assist with reviewing the risks of AI tooling usage & Integration and AI-generated code.
• Apply AI-assisted tooling to accelerate security work - you understand the impact AI can have and utilize it across many areas including triage, threat detection, code review, and documentation.
• Flexibility and confidence to work across multiple security domains - We’re a small team responsible for Security at a fast moving company and you’ll get exposure to many different security domains; you could be assisting with refining and investigating corporate IT security processes in the morning, reviewing a cloud hosted system after lunch and then tweaking detection rules!
• Work effectively as part of a team - Security is a team sport and you understand the need to build relationships and trust across the organization to enhance Karbon’s security posture. You are happy to answer questions and offer advice to teams that will reach out for your assistance.
• Own your work - You take pride in your work, feeling a deep sense of responsibility for the products we develop and ensuring we keep our customers' valuable data secure. This sense of ownership is paramount, and you share this commitment.
• Bring your passion and personality - Your creativity, curiosity, and authentic self make the team stronger. If you've worked in highly political environments, you'll find our culture, free from office politics and valuing openness and authenticity, a refreshing change.
• Help us measure improvement and steer our roadmap - Contribute to Security Metrics so we can track progress and feedback into our roadmap.

4+ years experience in a security or development role across most of the following:

• Collaborating with teams to review designs & implementations for security issues and embedding good security practices across software development
• Triaging issues and reports, assisting teams to remedy items and testing fixes
• Working with external penetration test companies to validate and prioritize findings
• Conducting risk and vulnerability assessments of web applications and APIs and third party suppliers and integrations
• Configuring and tuning SAST, SCA and DAST Tooling
• Working with build/deployment pipelines to incorporate security tooling (Github Actions or Azure Devops YAML based pipelines)
• Assisting with implementing security focused alerting and detections and automations
• Conducting and facilitating organizational & developer focused security training
• Assisting with operational security items such as EDR alerts and MDM
• Contributing to our security roadmap

In addition you’ll need:

• Strong communication skills (spoken and written) 
• Some of the following Languages/Frameworks: Microsoft .NET/C#, JavaScript (we use React and EmberJS frameworks and, Python)
• At least one cloud platform: Azure, AWS or GCP (we use Azure predominantly)
• Working knowledge of PowerShell or Bash and Python
• Working knowledge of at least one AI development tool e.g. Claude Code, GitHub Co-Pilot etc
• Portswigger Burp or similar
• Certifications such as Offsec OSCP & AWAE, GIAC, Burp Practitioner, PJPT, Microsoft/AWS development and cloud related are nice to have
• Experience with securing AI applications, systems and AI tooling would be highly regarded

Why Work at Karbon?

• Gain global experience across Australia, New Zealand, UK, and Canada
• Strong benefits package including:
• Flexible Time Off with an encouraged 4 weeks use per year
• Company paid medical for you and eligible spouse/partner and dependents
• Paid dental and vision and eligible spouse/partner and dependents
• 401(k) with company matching
• Flexible Spending Account
• Up to 8 weeks paid parental leave
• Work-from-home stipend
• Work with (and learn from) an experienced, high-performing team
• A collaborative, team-oriented culture that embraces diversity, invests in development and provides consistent feedback
• Be part of a fast-growing company that firmly believes in promoting high performers from within