Application Security Engineer

About AKASA At AKASA, our mission is to build the future of healthcare with AI. As the leading provider of generative AI solutions for the healthcare revenue cycle, we help health systems comprehensively capture and communicate the full patient clinical journey. By empowering health systems to streamline their operations, they can focus on what matters most - delivering quality patient care. We have raised over $205M in funding from investors such as Andreessen Horowitz, BOND, and Costanoa Ventures. This is the most exciting time to join AKASA. Revenue bookings for our new AI-native product suite have grown over 20x since launching in 2024. In this time, we have broken our record for the largest deal in company history three times consecutively. This growth is driven by the massive improvement we are generating for our customers across clinical quality and documentation accuracy, both top priority areas for health system leaders. Our deployments have been recognized nationally as "one of the most comprehensive real-world uses of GenAI in healthcare finance to date" (link). Our customer base represents more than $120B+ in net patient revenue and includes the most innovative health systems in the country, like Cleveland Clinic, Duke, Stanford, and Johns Hopkins. Some of our recent recognitions include being named one of America's Top Startup Employers 2026 by Forbes, #1 most promising healthcare RCM startup of 2025 by Black Book Market Research, and one of the fastest-growing GenAI startups to watch by AIM Research. Our CEO was ranked among the “Top 50 Healthcare Technology CEOs” by the Healthcare Technology Report, and we have been certified as a “Great Place to Work” for the past 6 years in a row. We’re building on this momentum to redefine what’s possible in healthcare. We’re looking for exceptional people to help us accelerate that reality. The opportunity We're looking for a seasoned Application Security Engineer who brings the credibility of a software engineering background and the mindset of a security practitioner. You'll be embedded with our engineering teams, helping us build secure systems from the ground up — not bolted on after the fact. You'll own our application security program, work closely with developers, and be a key voice in shaping how we think about risk across our product and infrastructure. What you’ll do Own and evolve our application security program, including threat modeling, secure code review, SAST/DAST tooling, and penetration testing coordination. Partner closely with engineering squads throughout the SDLC to identify and remediate vulnerabilities early — acting as a security champion, not a gatekeeper. Lead security design reviews for new features and architecture changes, ensuring security requirements are well-understood and actionable. Develop and maintain a vulnerability management program, prioritizing findings based on risk and driving remediation to closure. Build and deliver security training and awareness programs tailored to developers — leveraging your engineering background to make guidance practical and relevant. Evaluate and implement security tooling across the CI/CD pipeline (SAST, SCA, secret scanning, container scanning, etc.). Support third-party penetration tests and bug bounty programs, including triage, validation, and remediation tracking. Contribute to compliance efforts related to HIPAA, SOC 2, and other relevant frameworks, particularly as they relate to application and data security. Monitor the threat landscape and proactively surface emerging risks relevant to our technology stack and industry. Develop applications that run securely in cloud and containerized environments. Must-haves 10+ years of experience in software engineering, application security, or a combination of both. A strong software engineering foundation — you've written production code and understand how applications are built, not just how they break. Meaningful experience in application security, whether that came from transitioning out of a development role or through dedicated AppSec positions. Hands-on experience with common vulnerability classes (OWASP Top 10, injection attacks, authentication flaws, insecure deserialization, etc.) and how to fix them. Experience conducting or coordinating threat modeling, security architecture reviews, and secure code reviews. Proficiency in one or more modern programming languages (Python, Go, Java, TypeScript, etc.) — enough to read, understand, and critique production code. Familiarity with cloud security (AWS, GCP, or Azure) and container/Kubernetes security practices. Experience integrating security tooling into CI/CD pipelines (GitHub Actions, Jenkins, etc.). Working knowledge of authentication and authorization standards (OAuth 2.0, OIDC, SAML, RBAC). Familiarity with API security, including REST and GraphQL attack surfaces. You can communicate complex security concepts clearly to engineers and non-technical stakeholders alike. You default to collaboration over confrontation — you know that security only works when developers are on your side. You're comfortable with ambiguity and can prioritize effectively in a fast-moving environment. You care about the mission — the systems you're protecting store and transmit sensitive patient data, and that responsibility motivates you. Nice-to-haves Experience in a healthcare or health-tech environment. Familiarity with HIPAA Security Rule requirements and how they translate to engineering controls. Exposure to compliance frameworks such as SOC 2 Type II, HITRUST, or FedRAMP. Experience building or maturing a security program at a startup or high-growth company. Relevant certifications (OSCP, CSSLP, GWEB, CEH, or similar) — valued but not required. Why you’ll love working here Close collaboration with founders and cross-functional teams; real ownership and visibility. Dynamic hybrid working model. This flexible approach gives team members the best of both worlds: plenty of focus time along with in-person collaboration that helps foster trust, innovation, and a strong team culture. Candidates for this role must be based in the San Francisco Bay Area and come to the office located in South San Francisco, 2 days a week - Wednesday & Thursday . What We Offer Flexible paid time off (PTO) Expansive coverage for health, dental, and vision Employer contribution to Health Savings Accounts (HSA) Generous parental leave policy Full employee coverage for life insurance Home office stipend Cell phone/internet reimbursement Company-paid holidays 401(K) plan Compensation Based on geo, market data, and other factors, the salary range for this position is $205,000-$275,000 + Equity. However, a salary higher or lower than this range may be appropriate for a candidate whose qualifications differ meaningfully from those listed in the job description. The above represents the expected salary range for this job requisition. Ultimately, in determining your pay, we’ll consider your location, experience, and other job-related factors. We’re committed to doing the best work of our lives, together. Come see if we're the right team for you. AKASA is a proud equal opportunity employer and we believe that a diverse and inclusive workforce is an imperative. We welcome people of different backgrounds, genders, races, ethnicities, abilities, sexual orientations, and perspectives, just to name a few. We do not discriminate based upon any protected class and we encourage candidates of all identities and backgrounds to apply. AKASA considers qualified applicants regardless of criminal histories in accordance with the San Francisco Fair Chance Ordinance. AKASA is committed to providing reasonable accommodations for candidates with disabilities in our recruiting process. If you need any assistance or accommodations due to a disability, please let us know at View email address on click.appcast.io. #J-18808-Ljbffr AKASA