remote

Principal Security Engineer - WebPT

Security Engineer

Lead security for a cloud‑native SaaS platform, defining architectural goals, assessing AI/ML risks, and translating requirements into actionable engineering guidance to protect applications while enabling rapid product delivery.

About the role

Who We Are Looking For

We are looking for a hands-on security leader and subject matter expert in application security and AI security, responsible for defining the architectural security goals and implementation strategy for WebPT ’s cloud-native SaaS environments. This engineer serves as the security team’s technical anchor—performing deep dives into complex application and system designs, evaluating AI/ML platform risks, and translating security requirements into practical engineering guidance that enables the business rather than slowing it down.

Working closely with engineering leadership, product managers, and third-party development partners, this leader This person will be the voice of security in architecture reviews, design sessions, and vendor evaluations, ensuring that security and compliance are built in from the start.

What You’ll Be Doing As A Part of Our Team

Application Security Architecture

Security Design Reviews: Lead application security architecture reviews for WebPT ’s SaaS platforms, including new feature designs, third-party integrations, and major platform changes submitted through the change management process.
Threat Modeling: Own and facilitate threat modeling sessions with product and engineering stakeholders, translating findings into actionable developer guidance, architectural guardrails, and risk-accepted documentation.
Secure SDLC: Help define and evolve WebPT ’s Secure Software Development Lifecycle (SDLC), embedding security checkpoints into GitLab CI/CD pipelines and development workflows without creating unnecessary friction.
SAST/DAST Ownership: Oversee application security testing tooling, triage findings by risk, and drive remediation with engineering teams—balancing thoroughness with the pace of a lean environment.
API & Auth Standards: Serve as the internal authority on API security, secrets management, authentication and authorization patterns (OAuth 2.0, SAML, OIDC), and input validation across microservices and legacy systems.

AI Security & Governance

AI Security: Serve as the primary security resource for AI/ML integration decisions, including agentic AI workflows, LLM-based features, ambient listening, and third-party AI platform technologies.
AI Governance Framework: Define and maintain WebPT ’s AI security standards and AI vendor risk assessment criteria, including evaluation of AI/ML platforms for HIPAA BAA compliance, data residency, prompt injection risk, and model confidentiality.
AI Security Controls: Partner with engineering and product to design security guardrails for AI feature development: input/output validation, audit logging, human-in-the-loop controls, and AI supply chain integrity.
Shadow AI Discovery: Drive AI Shadow IT discovery and governance initiatives, analyzing telemetry from Wiz, CrowdStrike,

About the role

Who We Are Looking For

What You’ll Be Doing As A Part of Our Team

Application Security Architecture

Security Design Reviews: Lead application security architecture reviews for WebPT ’s SaaS platforms, including new feature designs, third-party integrations, and major platform changes submitted through the change management process.
Threat Modeling: Own and facilitate threat modeling sessions with product and engineering stakeholders, translating findings into actionable developer guidance, architectural guardrails, and risk-accepted documentation.
Secure SDLC: Help define and evolve WebPT ’s Secure Software Development Lifecycle (SDLC), embedding security checkpoints into GitLab CI/CD pipelines and development workflows without creating unnecessary friction.
SAST/DAST Ownership: Oversee application security testing tooling, triage findings by risk, and drive remediation with engineering teams—balancing thoroughness with the pace of a lean environment.
API & Auth Standards: Serve as the internal authority on API security, secrets management, authentication and authorization patterns (OAuth 2.0, SAML, OIDC), and input validation across microservices and legacy systems.

AI Security & Governance

AI Security: Serve as the primary security resource for AI/ML integration decisions, including agentic AI workflows, LLM-based features, ambient listening, and third-party AI platform technologies.
AI Governance Framework: Define and maintain WebPT ’s AI security standards and AI vendor risk assessment criteria, including evaluation of AI/ML platforms for HIPAA BAA compliance, data residency, prompt injection risk, and model confidentiality.
AI Security Controls: Partner with engineering and product to design security guardrails for AI feature development: input/output validation, audit logging, human-in-the-loop controls, and AI supply chain integrity.
Shadow AI Discovery: Drive AI Shadow IT discovery and governance initiatives, analyzing telemetry from Wiz, CrowdStrike,

Principal Security Engineer - WebPT

About the role

Principal Security Engineer - WebPT

About the role

Skills