Senior Application Security Engineer - RegScale

RegScale is a continuous controls monitoring (CCM) platform that helps organizations automate and scale their security, risk, and compliance programs. We are at an inflection point, transitioning from startup execution to a disciplined, enterprise-ready engineering organization, and we are building the team that will take us there. As a platform handling sensitive security and regulatory data for enterprise and government customers, security is not a compliance checkbox at RegScale . It is a core engineering discipline woven into how we build software.

The Role

This is a high autonomy role for a seasoned security engineer who thrives at the center of a complex engineering organization. You are the primary application security practitioner at RegScale . You identify where the risk is, build the strategy to address it, and drive initiatives from concept to measurable improvement without a team beneath you and without direct authority over the engineers you depend on to execute.

Your reach spans all of engineering including Core Engineering, Platform and AI, Compliance as Code, Quality Engineering, SRE, Infrastructure, and the external security team. You succeed by making engineers more security conscious and embedding security into how software is designed, built, and deployed rather than finding vulnerabilities after the fact.

RegScale serves enterprises and government agencies under frameworks like FedRAMP, NIST, and CMMC. This role reports into SRE and Infrastructure and requires deep technical security expertise combined with the organizational influence and end to end ownership mindset needed to make security a shared engineering value.

Key Responsibilities

• Own the application security program end to end, identifying risks, setting priorities, building strategy, aligning stakeholders, driving implementation across engineering teams, and measuring outcomes.
• Conduct threat modeling and security design reviews early in the development process, embedding security thinking into architecture and feature design before code is written.
• Partner with developers across all engineering teams to shift security left, coaching on secure coding practices, reviewing code for vulnerabilities, and building security awareness as a shared engineering capability rather than a specialized handoff.
• Integrate security tooling and automated security checks into CI/CD pipelines including static analysis, dependency scanning, and secrets detection, ensuring actionable security signals.
• Own vulnerability management across the platform, triaging findings from internal testing, external assessments, and tooling, prioritizing remediation based on risk, and driving resolution to completion.
• Lead and coordinate penetration testing and security assessments, working with internal and external resources to scope, execute, and translate findings into engineering ac