Application Security Engineer

Retool
San Francisco
Posted 21 March 2026

Job Description

WHY WE’RE LOOKING FOR YOU

Retool handles our customers’ most sensitive data and provides a platform where they write and execute arbitrary code. The security surface that comes with that is large, nuanced, and genuinely interesting. As the platform grows and our customers’ trust in it deepens, the scope and ambition of our security program have grown with it.

We’re looking for an Application Security Engineer who combines deep security fundamentals with real engineering execution. This is not a role for someone who audits from a distance or advises without getting their hands dirty. You’ll be in the code, spotting systemic patterns, and building the tooling and solutions that address them at scale. You’ll recognize when a one-off fix isn’t enough, synthesize what you’re seeing in the codebase, and work with engineering teams to make secure outcomes the default rather than the exception.

You’ll need to understand the product deeply to secure it well: what customers build on Retool, where code executes, and how data flows. The security problems worth solving here live at the intersection of platform capability and customer trust, and your first team is the business, not just security.

We’re also actively thinking about what AI-accelerated development means for application security, from how to use AI to enhance and scale our own security work to managing the risk that comes with developers shipping more code, faster, with different review patterns than ever before. We’re already running experiments in this space, including using AI to find and fix vulnerabilities at scale, automating dependency management, and rethinking what security teams can actually accomplish with the right tooling and ambition. If you want to work out what AI genuinely changes about security engineering practice - in real conditions, not in theory - this role is for you.

IN THIS ROLE, YOU WILL:

- Identify systemic security gaps in our codebase and engineering workflows, and work with engineering teams to design and ship durable solutions; you’ll drive solutions, not just surface problems
- Build security tooling, automation, and code-level controls that address classes of vulnerabilities, including custom linters, static analysis rules, and automated checks, shifting the cost of catching issues left rather than handling them one at a time or after they’ve reached production
- Conduct in-depth code reviews and security design reviews for significant product initiatives, with the technical depth to engage meaningfully with architectural tradeoffs rather than just flag issues for others to resolve
- Drive threat modeling and security assessments for new features, and translate security requirements into practical engineering guidance that developers can actually act on
- Contribute to the team’s evolving approach to security as AI-assisted development scales internally, including how faster and higher-volume code production changes how we find, prioritize, and fix risks
- Triage, track, and drive remediation of vulnerabilities with product engineering teams, and contribute to our penetration testing and bug bounty programs

THE SKILLSET YOU’LL BRING:

- 5+ years of hands-on experience in application security and security engineering: you’ve built things, not only assessed them, and your background is not mainly consulting, audit, or compliance work
- The ability to operate independently with good judgment in a fast-moving environment: you prioritize well by understanding the needs of the business and our shared objectives, make calls with incomplete information, and know when to move fast versus when to slow down and get it right, or escalate and ask for help
- Communication that earns trust: you can make security legible to engineers without being preachy, and you measure your impact by how well you’ve supported the business, not by how many issues you catalogued
- A track record of shipping security tooling or automation that improved things for more than one tea ... (truncated, view full listing at source)