Security Engineer (App Sec and Cloud Infra)

Thumbtack helps millions of people confidently care for their homes.

Thumbtack is the one app you need to take care of and improve your home — from personalized guidance to AI tools and a best-in-class hiring experience. Every day in every county of the U.S., people turn to Thumbtack to complete urgent repairs, seasonal maintenance and bigger improvements. We help homeowners know which projects to do, when to do them and who to hire from our growing community of 300,000 local service businesses. If making an impact inspires you, join us. Imagine what we’ll build together.

About the Cybersecurity team

The Security Engineering team at Thumbtack is focused on enabling innovation at scale by making the secure path the easiest path. We believe strong security is not a blocker to velocity, but a force multiplier when it is designed into systems, platforms, and developer workflows from the start.

We partner closely with Product, Engineering, Platform, and Data teams to shape system design, guide architectural decisions, and evolve Thumbtack’s security posture as the company scales. Through collaboration, automation, and thoughtful tradeoffs, we help ensure Thumbtack can ship fast, innovate boldly, and maintain customer trust.

Challenge

As Thumbtack scales and increasingly incorporates AI-powered features into our products and internal systems, security must evolve without slowing innovation. The number of services, deployment patterns, and data flows continues to grow, and traditional approaches that rely heavily on manual reviews or after-the-fact controls do not scale to meet this need.

Instead, the challenge is to design security into the system itself. This means building secure defaults, paved paths, and reusable building blocks that product and engineering teams can adopt with minimal friction. By embedding security directly into architectures, tooling, and infrastructure, we reduce cognitive load on engineers and enable teams to move quickly and confidently while meaningfully lowering risk.

What you'll do 

• Own and deliver application security work within defined projects or domains. Contribute to cross-functional security initiatives, executing clearly scoped pieces of larger efforts.
• Identify, prioritize, and help remediate application security risks in partnership with engineering teams.
• Apply secure-by-default patterns and approved architectures when designing or reviewing systems.
• Support cloud infrastructure security by integrating security controls into CI/CD pipelines, IAM, networking, and runtime environments.
• Partner with product and engineering teams to assess risk and recommend practical, risk-informed security improvements. Participate in application security design reviews and threat modeling for new and existing systems.
• Write code, reviews, and documentation to address vulnerabilities and reduce recurring classes of issues.
• Participate in security incident response and contribute to post-incident analysis and remediation.

In order to be successful, you must bring

• 4+ years of experience in software engineering, application security, or cloud infrastructure security. 
• Practical experience with application security techniques such as threat modeling, secure design patterns, authentication and authorization, secrets management, and vulnerability remediation. Strong understanding of secure coding practices and common application security risks (e.g., OWASP Top 10).
• Experience securing cloud-native systems in AWS and/or GCP.
• Ability to assess security risks and break down complex problems, reason about tradeoffs, make sound recommendations, and deliver practical, impactful solutions with guidance when needed.
• Strong sense of ownership over assigned work, with the ability to execute independently and follow through.
• Clear written and verbal communication skills, including the ability to explain security issues to engineers with varying levels of security expertise.
• A growth mindset and interest in learning from more senior engineers and expanding depth in both application and cloud infrastructure security over time.

Expected salary ranges

• For candidates living in San Francisco / Bay Area, San Jose, New York City, or Seattle metros, the expected salary range for the role is currently $177,700.00 - $229,900.00. 
• For candidates living in Austin, TX or Washington DC metros or in California, Massachusetts, New Jersey, or Washington states, the expected salary range for the role is currently $159,800.00 - $206,800.00. 
• For candidates living in all other US locations, the expected salary range for this role is currently $151,300.00 - $195,800.00.

Actual offered salaries will vary and will be based on various factors, such as calibrated job level, qualifications, skills, competencies, and proficiency for the role.

#LI-Remote

Thumbtack embraces diversity. We are proud to be an equal opportunity workplace and do not discriminate on the basis of sex, race, color, age, pregnancy, sexual orientation, gender identity or expression, religion, national origin, ancestry, citizenship, marital status, military or veteran status, genetic information, disability status, or any other characteristic protected by federal, provincial, state, or local law. We also will consider for employment qualified applicants with arrest and conviction records, consistent with applicable law. 

Thumbtack is committed to working with and providing reasonable accommodation to individuals with disabilities. If you would like to request a reasonable accommodation for a medical condition or disability during any part of the application process, please contact: recruitingops@thumbtack.com. 

If you are a California resident, please review information regarding your rights under California privacy laws contained in Thumbtack’s Privacy policy available at https://www.thumbtack.com/privacy/.

We put as much craftsmanship into candidate safety as we do into the hiring experience itself. While scammers may try to impersonate our team, we’ll never ask you for money, banking info, or SSNs during hiring. Check out our blueprint on how to spot the fakes.