
Senior Application Security Engineer
About AlphaSense:
The world’s most sophisticated companies rely on AlphaSense to remove uncertainty from decision-making. With market intelligence and search built on proven AI, AlphaSense delivers insights that matter from content you can trust. Our universe of public and private content includes equity research, company filings, event transcripts, expert calls, news, trade journals, and clients’ own research content.
The acquisition of Tegus by AlphaSense in 2024 advances our shared mission to empower professionals to make smarter decisions through AI-driven market intelligence. Together, AlphaSense and Tegus will accelerate growth, innovation, and content expansion, with complementary product and content capabilities that enable users to unearth even more comprehensive insights from thousands of content sets. Our platform is trusted by over 6,000 enterprise customers, including a majority of the S&P 500. Founded in 2011, AlphaSense is headquartered in New York City with more than 2,000 employees across the globe and offices in the U.S., U.K., Finland, India, Singapore, Canada, and Ireland. Come join us!
About the Role
AlphaSense is investing in the next generation of our Application Security capability, a continuous, AI-augmented, layered defense program built for a SaaS engineering organization where AI agents and human developers ship code side by side at high velocity. As a Senior AI Application Security Engineer, you will be a senior individual contributor at the center of that program.
You will own the code and pull-request enforcement layer that every change flows through, whether authored by a human or an AI coding agent. You will define and harden the deterministic security gates that make AI-authored code auditably equivalent to human-authored code, and partner directly with engineering teams shipping AI-native and agentic features, including MCP integrations, AI coding assistants, and AI capabilities embedded in our research workflows, so those features are designed, built, and operated securely from the start.
This is a hands-on, build-it role. Not an auditor. Not a dashboard owner. We are looking for a security engineer who writes code, reads pull requests fluently across multiple languages, has personally shipped or integrated with agentic and MCP systems, and treats Application Security as a partnership with engineering rather than a gate to enforce.
You will report to the Director of Application Security within Product Security, and partner closely with our broader Security, Engineering, and GRC teams. This is a foundational hire with a clear path to Staff / Tech Lead as the team grows.
What You'll Own
Continuous Code & PR Security (primary ownership)
- Operate and continuously tune the SAST, SCA, secrets-detection, and SBOM pipeline.
- Design, ship, and harden the deterministic security gates that make AI-authored PRs auditably equivalent to human-authored ones.
- Review human-authored and agent-authored PRs, catching the semantic violations static analysis misses. Co-submit AI-generated patch proposals so human effort scales as review-and-merge, not authorship.
- Drive findings to closure at the class level: fix a token-handling bug once at the platform layer and watch it propagate.
Agentic & AI Security
- Own how we secure AI-assisted development: Claude Code, Cursor, Copilot, MCP servers, agent-authored PRs, sub-agents handling rebases and CI fixes.
- Author and roll out our AI-Assisted Development Security policy: prompt injection defense, MCP scope and credential governance, agent credential inheritance, secret leakage to agent logs, agent-action audit attribution.
- Partner with harness engineering on agent scope declarations, agent identity registration, and the verification hooks that distinguish agent-initiated actions from human-initiated ones in the audit stream.
- Threat model new AI features (agent gateway, MCP connector architecture, AI workflows in the research platform) and ship the controls.
Threat Modeling & Developer Enablement
- Scale the threat modeling framework. Pilot with the highest-risk teams, then make it standard for new features and architectural changes.
- Partner with the product security team to build a security training program engineers actually use: secure coding patterns, authentication and authorization fundamentals, prompt injection awareness, how to engage Product Security on a design.
- Embed testable security acceptance criteria, agent scope declarations, and verification hooks into the PRD template so services declare their security posture at design time.
Layered Security
- Continuous Security Testing is a five-layer model: Code (yours), Infrastructure & Contract, Behavioral Intelligence, Adversarial Simulation, and Data Segmentation. You won't operate all five, but you'll integrate tightly with the teams that do and ensure your Layer 1 signal is consumable by Layers 2-5 and by GRC for compliance evidence.
Detection-to-Response Velocity
- Drive MTTR on critical findings under 24 hours, finding precision above 95%, and recurring named classes trending to zero quarter over quarter.
- Support DAST deployment, the API pen test program, and the customer-facing security posture dashboard.
- Coordinate penetration testing, bug bounty intake, and partner threat-intel feeds, translating external attack-pattern disclosures into detections within days, not quarters.
- Act as the primary technical responder for application-layer incidents, agentic behavior anomalies, or third-party integration compromises, leading the forensic investigation, architectural containment, and post-incident hardening requirements.
What You Bring
Required
- 6+ years engineering experience, with 4+ in a dedicated AI Application Security / Product Security role at a SaaS or cloud-native company. Not a consulting / audit background.
- Development background, hands-on and recent. You write code, not just review it. You can read PRs fluently in at least two of Python, TypeScript / JavaScript, Java / Kotlin, or Go, and you are comfortable in Terraform, Helm, and Kubernetes manifests.
- Hands-on experience with agentic AI and MCP development. You have personally built with, integrated, or operated agentic tooling. Examples that qualify: built an MCP server; integrated Claude Code, Cursor, or Copilot into a real engineering workflow under governance; worked with autonomous coding agents or harnesses; built or hardened an agent gateway; shipped guardrails for prompt injection, jailbreak resistance, or output sanitization in production.
- Production operation of a SAST / SCA pipeline at scale (Snyk, Semgrep, GitHub Advanced Security, Checkmarx, Veracode, or equivalent), including rule authoring, false-positive tuning, and CI/CD integration.
- Demonstrated ownership of a threat modeling or developer security training program, as founder or substantial contributor. You can describe the artifacts, the integration into the design process, and the metrics that proved it worked.
- Layered security thinking. Defense-in-depth across code, contract, behavior, simulation, and data. You can speak to how findings at one layer propagate to others, and how to design for compounding control rather than redundant control.
- Strong written communication. You author policy, guidance, runbooks, and PR comments that engineers read and act on.
Nice to Have
- Open-source contributions to a SAST / SCA tool, a security linter, an MCP server or framework, an agent harness, or a threat modeling tool.
- Experience shipping a deterministic compliance gate that an external auditor accepted as equivalent to human review.
- API security and DAST experience (Burp Suite, ZAP, Akto) and modern container / Kubernetes security (admission controllers, runtime protection, supply chain attestation).
- AWS security depth (IAM, KMS, GuardDuty, Security Hub, Organizations) and exposure to AI/ML production environments.
- Security partner on a customer-facing posture dashboard or DDQ response process, ideally in a regulated industry.
- Public writing or speaking on developer security, AI/agent security, or AppSec automation.
- Pre-IPO experience or familiarity with SOC 2 Type II, ISO 27001:2022, ISO 42001, SOX, GDPR.
- Certifications: OSWE, OSCP, CSSLP, AWS Security Specialty, or CISSP.
Why Join Us
- Foundational hire, not a backfill. You'll help define Application Security at AlphaSense at the moment AI-native development is being adopted across engineering.
- Genuinely novel scope. The intersection of agentic development, continuous compliance, and AI-native security, at production scale, not in a research lab.
- Build, ship, own. Real surfaces queued and waiting for an owner, not proposals to write.
- Senior IC role on a senior IC team. Small, growing AppSec function inside Product Security, with strong cross-functional partnerships. Reports to the Director of Application Security, with a clear path to Staff / Tech Lead.
- Remote-first, high autonomy, competitive compensation, performance bonus, equity, and benefits.
For base compensation, we set standard ranges for all roles based on function and level benchmarked against similar stage growth companies and internal comparables. In order to be compliant with local legislation, as well as to provide greater transparency to candidates, we share salary ranges on all job postings regardless of desired hiring location. Final offer amounts are determined by multiple factors including candidate experience/expertise and may vary from the amounts listed below.
You may also be offered a performance-based bonus, equity, and a generous benefits program.
Base Compensation Range
$157,000 - $216,000 USD
AlphaSense is an equal-opportunity employer. We are committed to a work environment that supports, inspires, and respects all individuals. All employees share in the responsibility for fulfilling AlphaSense’s commitment to equal employment opportunity. AlphaSense does not discriminate against any employee or applicant on the basis of race, color, sex (including pregnancy), national origin, age, religion, marital status, sexual orientation, gender identity, gender expression, military or veteran status, disability, or any other non-merit factor. This policy applies to every aspect of employment at AlphaSense, including recruitment, hiring, training, advancement, and termination.
In addition, it is the policy of AlphaSense to provide reasonable accommodation to qualified employees who have protected disabilities to the extent required by applicable laws, regulations, and ordinances where a particular employee works.
Recruiting Scams and Fraud
We at AlphaSense have been made aware of fraudulent job postings and individuals impersonating AlphaSense recruiters. These scams may involve fake job offers, requests for sensitive personal information, or demands for payment. Please note:
- AlphaSense never asks candidates to pay for job applications, equipment, or training.
- All official communications will come from an @alpha-sense.com email address.
- If you’re unsure about a job posting or recruiter, verify it on our Careers page.
If you believe you’ve been targeted by a scam or have any doubts regarding the authenticity of any job listing purportedly from or on behalf of AlphaSense, please contact us. Your security and trust matter to us.