CaptivateIQ

Senior Security Engineer - Application & Product Security

Canada

Compensation: Not Specified
Experience Level: Senior (5 to 8 years), Expert & Leadership (9+ years)
Job Type: Full Time
Visa: Unknown
Industries: Sales Performance Management, SaaS

Employment Type: Full-time

Position Overview

CaptivateIQ is seeking a Senior Security Engineer to own the Application & Product Security strategy. This role is critical for embedding security into every phase of product development as CaptivateIQ scales and expands its services. The ideal candidate will blend offensive and defensive expertise with strategic influence to shape a scalable, modern AppSec program.

About CaptivateIQ

CaptivateIQ is the leading Sales Performance Management solution, recognized by Forrester and G2, and trusted by customers including Affirm, Gong, and Figma. Our solutions for Sales Planning and Incentives help revenue teams automate processes, hit revenue targets, and adapt to business change, ultimately driving efficient growth. With backing from top investors like Sequoia and Accel, CaptivateIQ is on a mission to improve the return on incentives and sales planning for every company. We are proud to be recognized as a best place to work by Glassdoor and Comparably.

Responsibilities

  • Threat Modeling & Architecture Reviews:
    • Mature and scale a modern threat modeling program across products and services.
    • Enable secure-by-design architectures in collaboration with Engineering teams.
  • Offensive Security Testing:
    • Conduct penetration tests (white-box and black-box) for web applications and APIs.
    • Perform dynamic (DAST), static (SAST), and software composition (SCA) analysis.
    • Simulate adversary attack scenarios to validate controls and identify gaps.
  • Secure SDLC Integration:
    • Embed security into every stage of development.
    • Implement automated security tooling in CI/CD pipelines.
  • Vulnerability Management:
    • Triage and prioritize application-layer vulnerabilities.
    • Guide engineering teams through remediation.
  • Developer Enablement:
    • Deliver secure development and coding training.
    • Create resources to reduce recurring vulnerabilities.
  • Bug Bounty Management:
    • Oversee the Bug Bounty program.
    • Validate findings and ensure timely resolution.
  • Incident Response Leadership:
    • Lead investigations for application-layer security incidents.
    • Conduct post-incident analysis.
  • Compliance Enablement:
    • Support audits, technical evidence collection, and control design for SOC 2, ISO 27001, and privacy-by-design requirements.
  • Customer Trust:
    • Contribute to customer security assessments, penetration test reports, and security documentation.

Requirements

  • 7+ years of experience in a security engineer or related role, including 4+ years specializing in web application, API, and product security.
  • Deep expertise securing multi-tenant SaaS platforms and features.
  • Strong communication and ability to influence software engineers and product managers.
  • Advanced experience conducting penetration tests, code reviews, and vulnerability assessments.
  • Expert knowledge of OWASP Top 10, web application and API security, and common vulnerability classes with practical remediation strategies.
  • Hands-on experience with AppSec tooling (SAST, DAST, SCA) integrated into CI/CD pipelines.
  • Strong programming and scripting skills (Python preferred) and ability to influence secure coding practices.
  • Proven ability to lead incident response for application-layer security events.
  • Familiarity with compliance frameworks (SOC 2, ISO 27001) and secure SDLC practices.
  • Knowledge of privacy-by-design principles and data security in SaaS environments.
  • Awareness of emerging AI/ML security risks and related considerations.

Skills

Application Security
Product Security
Threat Modeling
Secure Architecture Design
Offensive Security Testing
Penetration Testing
SAST
DAST
SCA
Vulnerability Management
Incident Response
SOC 2
ISO 27001
Privacy Requirements
Web Applications
APIs

CaptivateIQ

Sales commission automation and tracking platform

About CaptivateIQ

CaptivateIQ provides a sales commission solution that automates and simplifies the commission calculation process for sales teams. The platform integrates various data sources, allowing for real-time commission calculations and reducing the need for manual data entry. Its interface is designed to be user-friendly, resembling tools like Excel or Google Sheets, which makes it accessible to users without coding skills. What sets CaptivateIQ apart from its competitors is its ability to offer customizable reports and commission plans, ensuring that all team members are aligned and motivated. The goal of CaptivateIQ is to help sales-driven organizations optimize their incentive structures and enhance operational efficiency.

Headquarters: San Francisco, California
Year Founded: 2017
Total Funding: $154.7M
Company Stage: Series C
Industries: Fintech, Financial Services
Employees: 201-500

Benefits

Health Insurance
Paid Vacation
401(k) Company Match
Flexible Work Hours
Home Office Stipend
Professional Development Budget

Risks

Emerging fintech startups pose a competitive threat to CaptivateIQ's market share.
Continuous innovation in AI and machine learning may strain CaptivateIQ's resources.
Integration challenges with new features like SmartGrid could disrupt existing client systems.

Differentiation

CaptivateIQ offers a no-code platform for commission management, accessible to non-technical users.
The company provides real-time commission calculations, enhancing speed and accuracy for enterprises.
CaptivateIQ's customizable reports and plans align with personalized employee incentive structures.

Upsides

The rise of no-code platforms supports CaptivateIQ's user-friendly commission management approach.
CaptivateIQ's cloud-based platform benefits from the trend towards remote work solutions.
The subscription-based model offers predictable revenue streams, aligning with industry trends.
