Staff Application Security Engineer

The Nuclear Company is the fastest growing startup in the nuclear and energy space creating a never before seen fleet-scale approach to building nuclear reactors. Through its design-once, build-many approach and coalition building across communities, regulators, and financial stakeholders, The Nuclear Company is committed to delivering safe and reliable electricity at the lowest cost, while catalyzing the nuclear industry toward rapid development in America and globally.

About the role

The Nuclear Company is searching for an Application Security Engineer to help secure the software, data systems, and developer workflows that power our Nuclear Operating System, internal platforms, and mission-critical applications. This is a high-ownership role for a builder who is equally comfortable reviewing application architecture, threat modeling an API, improving GitHub security controls, and partnering directly with engineers to ship secure software quickly. 

You will work across product engineering, platform engineering, data science, infrastructure, and operations to embed security into the way we design, build, test, and deploy software. You will help define secure development standards, review high-impact product designs, harden CI/CD workflows, and guide teams through vulnerability remediation in a practical, risk-based way. 

This role reports to the Senior Manager for Application and Product Security.

Responsibilities

Application & Product Security 

• Perform security reviews and threat models for NOS modules, internal tools, APIs, data workflows, AI-enabled features, and cloud-connected applications.  
• Partner with engineering teams to identify and remediate risks across authentication, authorization, tenant isolation, input validation, secrets handling, encryption, logging, and data access.  
• Review application designs and code changes for security issues before they become production risk.  
• Define reusable security patterns for web applications, APIs, mobile workflows, internal platforms, and data-heavy systems.  
• Help establish secure-by-default approaches for applications that support regulated, high-consequence infrastructure.  

Secure SDLC & Developer Enablement 

• Build and improve DevSecOps practices across the GitHub-based software development lifecycle, including code scanning, dependency review, secret scanning, branch protections, CI/CD hardening, and secure developer workflows. 
• Partner with engineering teams to create paved roads: secure templates, checklists, automation, documentation, and lightweight review processes that help teams move faster with confidence.  
• Triage and prioritize application security findings from SAST, SCA, secrets scanning, penetration tests, code reviews, and internal assessments.  
• Develop pragmatic vulnerability management workflows, remediation guidance, and engineering-facing metrics.  
• Support secure coding education through design reviews, office hours, documentation, and hands-on partnership with developers.  

Platform, Cloud & Data Security 

• Collaborate with cloud and platform engineers to secure AWS workloads, infrastructure-as-code, service integrations, data pipelines, and deployment workflows.  
• Review integrations involving Palantir Foundry, partner APIs, internal data platforms, and AI-assisted engineering workflows.  
• Help secure sensitive data flows across application, platform, and operational environments.  
• Partner with infrastructure and developer teams to ensure application events, audit logs, and security signals are captured in ways that support investigation and response.  
• Navigate the security expectations of a regulated nuclear energy environment, including relevant cybersecurity frameworks and critical infrastructure considerations.  

Cross-Functional Partnership 

• Serve as a trusted security partner to software engineers, product managers, data engineers, infrastructure teams, and business stakeholders.  
• Communicate risk clearly and practically, balancing security, delivery speed, product usability, and operational impact.  
• Contribute to the application and product security roadmap as the company scales from early-stage systems to fleet-scale operations.  
• Help build a culture of ownership, velocity, and technical rigor across engineering and cybersecurity.  

Experience

• 4+ years of experience in application security, product security, software security, or software engineering with a strong security focus.  
• Hands-on experience reviewing, building, or securing modern software systems, including web applications, APIs, distributed systems, or cloud-native services.  
• Strong understanding of common application security risks, including authentication, authorization, access control, injection, insecure deserialization, SSRF, secrets exposure, dependency and supply chain risk, and insecure API design.  
• Experience with secure SDLC tooling and workflows such as GitHub Advanced Security, CodeQL, Dependabot, SAST, SCA, secret scanning, CI/CD security, or equivalent platforms.  
• Ability to read and reason about code in at least one modern programming language such as Python, TypeScript, Go, Java, C#, or C++.  
• Familiarity with AWS security concepts, including IAM, logging, encryption, networking, secrets management, and infrastructure-as-code.  
• Strong communication skills and the ability to work directly with engineers to solve security problems without creating unnecessary friction. 
• Have a strong grasp of offensive security to anticipate risks from an adversary’s perspective, not just check compliance boxes.  

Preferred Qualifications 

• Experience securing software in regulated, industrial, energy, national security, aerospace, medical, or other mission-critical environments.
• Familiarity with AI-assisted development tools, LLM-enabled applications, prompt-injection risks, model/tool integrations, or AI software supply chain concerns.  
• Experience with vulnerability management, penetration testing, experience with DAST tools, or incident response.  
• Familiarity with frameworks or standards such as OWASP ASVS, OWASP Top 10, OWASP API Security Top 10, NIST CSF, NIST 800-53, SOC 2, IEC 62443, or NERC CIP.  
• Security certifications such as AWS Certified Security – Specialty or OSWE 
• Genuine interest in nuclear energy, critical infrastructure, hard-tech, and applying software security to physical systems.  

Benefits

• Competitive compensation packages
• 401k with company match
• Medical, dental, vision plans
• Generous vacation policy, plus holidays

Estimated Starting Salary Range
The estimated starting salary range for this role is $150,000 - $173,000 annually less applicable withholdings and deductions, paid on a bi-weekly basis. The actual salary offered may vary based on relevant factors as determined in the Company’s discretion, which may include experience, qualifications, tenure, skill set, availability of qualified candidates, geographic location, certifications held, and other criteria deemed pertinent to the particular role. 

EEO Statement
The Nuclear Company is an equal opportunity employer committed to fostering an environment of inclusion in the workplace. We provide equal employment opportunities to all qualified applicants and employees without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, veteran status, or any other protected characteristic. We prohibit discrimination in all aspects of employment, including hiring, promotion, demotion, transfer, compensation, and termination.