Department: Information Security
Reports to: Senior Director, Information Security
Role Summary
You will be a hands-on technical engineer who embeds security into how software is designed, built, and operated. You’ll create paved-road patterns, wire security controls into CI/CD, and drive remediation through a risk-based lens. Success in this role means making the secure way the easy way, reducing time-to-fix, and measurably lowering product risk without slowing delivery.
What You’ll Do (Core Responsibilities)
Build & Automate Secure-by-Default
- Design and maintain paved road templates (reference repos, IaC, CI/CD workflows) that ship with SAST, SCA, secrets scanning, IaC/container scanning, SBOM generation, artifact signing/attestation, and policy gates.
- Integrate and tune AppSec tools in developer workflows (IDE hints, PR annotations, pipeline gates); author custom rules where off-the-shelf signals are noisy.
- Engineer data flows that aggregate/dedupe/correlate findings into a single vulnerability backlog with risk scoring (severity × exploitability × exposure × asset criticality; KEV overrides).
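As an added illustration of the backlog-building rule named above (not part of the posting or any Acrisure system): constructed findings from three scanners are deduped by asset and issue, then scored as severity × exploitability × exposure × asset criticality, with any KEV-listed item overridden to the ceiling. The ordinal scales and the field names are assumptions.

```python
from collections import OrderedDict

# Assumed ordinal scales; the posting names the factors, not their weights.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EXPLOITABILITY = {"theoretical": 1, "poc": 2, "weaponized": 3}
EXPOSURE = {"internal": 1, "partner": 2, "internet": 3}
CRITICALITY = {"tier3": 1, "tier2": 2, "tier1": 3}
MAX_SCORE = 4 * 3 * 3 * 3  # 108: the ceiling a KEV override maps to

# Constructed scanner output; issue ids are placeholders, not real CVEs.
RAW_FINDINGS = [
    {"source": "sca", "asset": "billing-api", "issue": "CVE-0000-0001", "severity": "high",
     "exploitability": "poc", "exposure": "internet", "criticality": "tier1", "kev": False},
    {"source": "sast", "asset": "billing-api", "issue": "CVE-0000-0001", "severity": "medium",
     "exploitability": "theoretical", "exposure": "internet", "criticality": "tier1", "kev": False},
    {"source": "container", "asset": "batch-worker", "issue": "CVE-0000-0002", "severity": "medium",
     "exploitability": "weaponized", "exposure": "internal", "criticality": "tier3", "kev": True},
    {"source": "sast", "asset": "admin-portal", "issue": "CWE-79", "severity": "high",
     "exploitability": "poc", "exposure": "partner", "criticality": "tier2", "kev": False},
]

def dedupe(findings):
    """Collapse duplicates keyed on (asset, issue): keep the worst severity and
    exploitability reported, OR the KEV flags, and record every source."""
    merged = OrderedDict()
    for f in findings:
        key = (f["asset"], f["issue"])
        if key not in merged:
            merged[key] = dict(f, sources=[f["source"]])
            continue
        m = merged[key]
        m["sources"].append(f["source"])
        for field, scale in (("severity", SEVERITY), ("exploitability", EXPLOITABILITY)):
            if scale[f[field]] > scale[m[field]]:
                m[field] = f[field]
        m["kev"] = m["kev"] or f["kev"]
    return list(merged.values())

def risk_score(f):
    """Product of the four factors; KEV membership overrides to the ceiling."""
    if f["kev"]:
        return MAX_SCORE
    return (SEVERITY[f["severity"]] * EXPLOITABILITY[f["exploitability"]]
            * EXPOSURE[f["exposure"]] * CRITICALITY[f["criticality"]])

def backlog(findings):
    """Single prioritized backlog: deduped, scored, highest risk first."""
    items = [dict(f, score=risk_score(f)) for f in dedupe(findings)]
    return sorted(items, key=lambda f: f["score"], reverse=True)
```

With the constructed input, the KEV item ranks first despite its medium severity and internal exposure, and the two reports against billing-api collapse into one entry carrying both sources.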
Secure SDLC & Architecture
- Lead threat modeling and design reviews for high-risk features (authn/z boundaries, multi-tenant isolation, API abuse, data protection).
- Write and evolve secure coding standards and language-specific guardrails (PHP/.NET/Node) aligned to industry best practice.
- Partner with platform teams on supply-chain security (dependency policies, third-party library allow/deny lists).
Validate & Defend
- Stand up DAST/API testing (REST/GraphQL), targeted fuzzing for parsers and critical endpoints, and pre-prod abuse testing (authz under load, rate limiting, broken object/property-level authorization).
- Coordinate external pen tests and triage bug bounty submissions; drive root-cause fixes and pattern-level remediations.
- Improve runtime protection with WAF/API gateways and egress controls.
Vulnerability Management & Risk
- Own triage for critical services; set SLAs by severity and exploitability; escalate KEV-listed or wormable issues as emergency response.
- Create dashboards that separate leading indicators (coverage, scans on PRs, time-to-triage) from lagging indicators (MTTR, findings open past SLA) and business metrics.
Minimum Qualifications
- 5+ years in AppSec/Software Security/DevSecOps (or strong software engineering background plus 2+ years AppSec).
- Proficiency in at least one major language (e.g., PHP, C#/.NET, JavaScript/TypeScript, Python, or Go) and ability to read others.
- Hands-on with modern AppSec tools and patterns: SAST/SCA/DAST, secrets scanning, SBOM & artifact signing, container/IaC scanning, API testing, WAF/API gateway policy.
- CI/CD integration experience (GitHub Actions/GitLab/Jenkins/Azure DevOps/Harness); policy-as-code mindset.
- Practical understanding of cloud-native architectures (AWS/Azure/GCP), Kubernetes fundamentals, and common identity patterns (OIDC/OAuth2, session mgmt).
- Demonstrated ability to turn noisy scanner output into actionable, prioritized remediation work.
Preferred Qualifications
- Operating knowledge of NIST SSDF, OWASP SAMM/ASVS, and SLSA; experience aligning controls to PCI/SOC2/ISO (as relevant).
- Building/maintaining golden path templates; writing custom rules for SAST/SCA or Semgrep/CodeQL queries.
- Exposure to bug bounty ops and pen test orchestration.
- Relevant certifications (CSSLP, OSWE, GWAPT, GCSA) are a plus but not required.
Behavioral Competencies
- Enablement first: you remove friction and build guardrails developers want to use.
- Systems thinker: you fix root causes and codify them into templates and rules.
- Data-driven: you choose battles via risk signals (KEV, exploitability, exposure).
- Clear communicator: you translate risk into engineering work and business impact.
Candidates should be comfortable with an on-site presence to support collaboration, team leadership, and cross-functional partnership.
Why Join Us:
At Acrisure, we’re building more than a business, we’re building a community where people can grow, thrive, and make an impact. Our benefits are designed to support every dimension of your life, from your health and finances to your family and future.
Making a lasting impact on the communities it serves, Acrisure has pledged more than $22 million through its partnerships with Corewell Health Helen DeVos Children's Hospital in Grand Rapids, Michigan, UPMC Children's Hospital in Pittsburgh, Pennsylvania and Blythedale Children's Hospital in Valhalla, New York.
Employee Benefits
We also offer our employees a comprehensive suite of benefits and perks, including:
Physical Wellness: Comprehensive medical insurance, dental insurance, and vision insurance; life and disability insurance; fertility benefits; wellness resources; and paid sick time.
Mental Wellness: Generous paid time off and holidays; Employee Assistance Program (EAP); and a complimentary Calm app subscription.
Financial Wellness: Immediate vesting in a 401(k) plan; Health Savings Account (HSA) and Flexible Spending Account (FSA) options; commuter benefits; and employee discount programs.
Family Care: Paid maternity leave and paid paternity leave (including for adoptive parents); legal plan options; and pet insurance coverage.
… and so much more!
This list is not exhaustive of all available benefits. Eligibility and waiting periods may apply to certain offerings. Benefits may vary based on subsidiary entity and geographic location.
Acrisure is an Equal Opportunity Employer. We consider qualified applicants without regard to race, color, religion, sex, national origin, disability, or protected veteran status. Applicants may request reasonable accommodation by contacting leaves@acrisure.com.
California Residents: Learn more about our privacy practices for applicants by visiting the Acrisure California Applicant Privacy Policy.
Recruitment Fraud: Please visit here to learn more about our Recruitment Fraud Notice.
Welcome, your new opportunity awaits you.