Principal Security Engineer, Application Security

Founded in 2012 by 3 expert hackers with no investment capital, Trail of Bits is the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks. It has helped secure some of the world's most targeted organizations and devices. Our combination of novel research with practical solutions reduces the security risks that our clients face from emerging technologies. Our work helps drive the security industry and the public understanding of the technology underlying our world.

Cybersecurity preparedness is a moving target. Companies like ours are the tip of the spear in the fight against attackers. Our research-based and custom-engineering approach ensures that our client’s capabilities are at the forefront of what’s available. For companies and technologies that live and die by their security, a proactive, tailored approach is required to keep one step ahead of attackers.

Democratizing security information is essential. As part of our business, we provide ongoing informational support through blogs, whitepapers, newsletters, meetups, and open-source tools. The more the community understands security, the more they’ll understand why a company like ours is so unique and valuable.

Trail of Bits seeks a Principal Security Engineer, Application Security to lead our Software Assurance practice's most complex and high-impact client engagements. As a technical leader, you will drive comprehensive security assessments, mentor team members, and shape the strategic direction of application security initiatives while maintaining deep hands-on involvement in critical security work.

You will serve as the technical authority on engagements involving sophisticated software systems, leading threat modeling exercises, conducting architecture reviews of complex distributed systems, and performing deep code analysis across modern and legacy codebases. Your expertise will span from high-level application security consulting to low-level vulnerability research, with the ability to navigate both domains seamlessly.

Beyond individual contributions, you'll provide technical leadership across the Application Security team, developing methodologies, building tooling that scales our impact, and representing Trail of Bits at the forefront of application security innovation. You'll work directly with C-level executives and engineering leaders at our most strategic clients, translating complex security findings into business impact and actionable roadmaps.

In addition to leading private sector engagements, you will have opportunities to collaborate with our Research & Engineering team to secure funding from government agencies for advanced security research, contribute to publications, and advance the state of the art in application security.

• AI Security Innovation: Apply and advance the use of AI in application security workflows, from leveraging LLMs for code analysis and vulnerability pattern recognition to assessing the security of AI-powered applications and ML systems themselves.
• Advanced Security Assessment: Conduct and oversee comprehensive security assessments across diverse technology stacks, including modern web applications, cloud-native architectures, mobile platforms, and system-level software, identifying critical vulnerabilities in authentication systems, API security, access controls, and platform security mechanisms.
• Threat Modeling & Architecture Review: Lead sophisticated threat modeling exercises and architecture security reviews for complex distributed systems, cloud environments, and emerging technology platforms, working directly with client architects and engineering leadership to identify systemic security weaknesses and design secure solutions.
• Code Review Excellence: Perform expert-level manual code reviews across multiple languages (JavaScript/TypeScript, Python, Go, Rust, C/C++, and others), identifying subtle security flaws, logic vulnerabilities, and implementation weaknesses that automated tools miss, while developing custom static analysis rules and detection techniques.
• Security Tooling & Automation: Design and build advanced security tools and frameworks that leverage SAST/DAST capabilities, integrate AI/ML for vulnerability detection and code analysis, and scale the team's assessment capabilities while pushing the boundaries of automated security testing.
• Technical Leadership: Lead complex, high-stakes application security engagements from scoping through delivery, providing technical direction to multidisciplinary teams and ensuring exceptional quality of security assessments and recommendations.
• Strategic Consulting: Serve as a trusted security advisor to client leadership, providing strategic guidance on security program maturity, secure development lifecycle integration, and long-term security roadmap development while delivering findings that drive meaningful organizational change.
• Team Development: Mentor senior and staff engineers, conduct technical training, develop assessment methodologies, and contribute to the growth and technical excellence of the Application Security practice.
• Thought Leadership: Represent Trail of Bits through conference presentations, blog posts, open-source contributions, and research publications that advance the application security field and strengthen our industry presence.

• Deep Application Security Expertise: 8+ years of experience in application security with demonstrated mastery across web, mobile, cloud, and system-level security domains, including extensive experience identifying and mitigating sophisticated vulnerabilities in enterprise and security-critical software.
• AI Security Assessment: Demonstrated interest and experience in leveraging AI for security workflows, whether through custom tooling, LLM-assisted code review, or automated vulnerability detection, with an understanding of both the opportunities and limitations of AI in security.
• Leadership Experience: Proven track record of leading complex security engagements, mentoring engineers, and driving projects to successful completion while maintaining deep technical involvement and high-quality deliverables.
• Advanced Assessment Capabilities: Extensive experience conducting comprehensive security assessments, including penetration testing, code review, architecture analysis, and threat modeling across diverse technology ecosystems with a track record of discovering critical vulnerabilities.
• Low-Level Security Proficiency: Strong foundation in system internals, memory corruption vulnerabilities, binary analysis, and reverse engineering with the ability to move fluidly between application-layer and system-level security concerns.
• Multi-Language Code Review Mastery: Expert-level proficiency in manual code review across JavaScript/TypeScript, Python, Go, and additional languages such as Rust, C/C++, Java/Kotlin, Swift/Objective-C, with deep understanding of language-specific security pitfalls and secure coding patterns.
• SAST/DAST Expertise: Hands-on experience with static and dynamic analysis tools, including customization, rule development, and integration into security assessment workflows, with ability to evaluate tool effectiveness and build custom solutions where needed.
• Threat Modeling Excellence: Proven ability to lead sophisticated threat modeling exercises for complex systems, applying frameworks like STRIDE, PASTA, or custom approaches while facilitating productive sessions with diverse stakeholder groups.
• Consulting Excellence: Strong client-facing skills with ability to communicate complex technical findings to both technical and executive audiences, build lasting client relationships, and translate security research into business value.

The base salary for this full-time position ranges from $200,000 to $235,000, excluding benefits and potential bonuses. Various factors influence our salary ranges, including the specific role, level of seniority, geographic location, and the nature of the employment contract. An individual's specific work location, unique skills, experience, and relevant educational background will determine the final offer within this range. The presented salary range encompasses the starting salaries for all U.S. locations. For a precise salary estimate tailored to your preferred location, please discuss it with your recruiter during the hiring process.

Trail of Bits, Inc. participates in E-Verify, the US federal electronic employment eligibility verification program. Learn more.

Trail of Bits is our people, not a place. With over 100+ employees working from every time zone across the globe, our remote-first culture is built on autonomy and trust (and backed by smile-worthy benefits) for full-time employees:

Empowered Living:

• Competitive salary complemented by performance-based bonuses.
• Fully company-paid insurance packages, including health, dental, vision, disability, and life.
• A solid 401(k) plan with a 5% match of your base salary.
• 20 days of paid vacation with flexibility for more, adhering to jurisdictional regulations.

Nurturing New Beginnings:

• 4 months of parental leave to cherish the arrival of new family members.
• Our team is global and remote-first. However, if you are interested in moving to NYC, we offer $10,000 in relocation assistance to support your transition.

Work & Life Enrichment:

• $1,000 Working-from-Home stipend to create a comfortable and productive home office.
• Annual $750 Learning & Development stipend for continuous personal and professional growth.
• Company-sponsored all-team celebrations, including travel and accommodation, to foster community and recognize achievements.

Community Impact:

• Philanthropic contribution matching up to $2,000 annually.

Trail of Bits is a community of innovators, risk-takers, and trailblazers who celebrate individual differences and recognize that unique perspectives make us stronger, smarter, and more successful. We actively seeks applicants who can bring a variety of experiences, perspectives, and backgrounds to the team. We provide equal employment opportunities to all employees and applicants for employment without regard to race, color, ancestry, national origin, gender, sex, pregnancy, pregnancy-related condition, sexual orientation, marital status, religion, age, disability, qualified handicap, gender identity, results of genetic testing, military status, veteran status, or any other characteristic protected by applicable law. Our team values diversity in experience and backgrounds—we do our best work when we create space for different voices and perspectives. Whatever unique experiences or skill sets you bring, we look forward to learning from each other.