Staff+ Security Engineer, Risk Engineering

Staff+ Security Engineer, Risk Engineering

San Francisco, CA | New York City, NY | Seattle, WA

About Anthropic

Anthropic's mission is to create reliable, interpretable, and steerable AI systems. We want AI to be safe and beneficial for our users and for society as a whole. Our team is a quickly growing group of committed researchers, engineers, policy experts, and business leaders working together to build beneficial AI systems.

About the Role

The Security Risk team is responsible for how Anthropic identifies, prioritizes, and drives treatment of its most important security risks. We are rebuilding risk management to operate as an engineering function through automation and AI-native platforms to enable decision making. The systems we assess span Anthropic's full security landscape, from authorization primitives to cryptographic foundations, so the team needs breadth across domains and the ability to go deep in any of them. Security Risk, in deep partnership with Security Engineering, will help define the security program to shape how both engineers and non-engineers build and ship software.

The conventional GRC playbook was not built for a company shipping frontier AI. You will help define what replaces it, with a direct line to CISO-level decisions and the mandate to build the AI-native platform underneath. You'll work across a breadth of areas from identity and secrets management to infrastructure security, with your focus shaped by your strengths, ability to learn quickly, and the team's priorities. This is largely greenfield work, and you will help define the architecture and discipline.

Key Responsibilities

• Take ownership of Anthropic's most complex security risk problems and drive them end to end with minimal oversight, turning ambiguous signals into a defensible view of severity and likelihood and seeing them through escalation, treatment decisions, and remediation
• Build the systems that make risk measurable and let risk work scale, including quantification tooling, automated intake and triage, and the observability that partner teams use to understand their own risk posture
• Work alongside Security Engineering as a calibrated technical peer who pressure tests architectures and treatment plans, translates findings into prioritized remediation roadmaps, and makes the investment case for what to fix now, what to accept and track, and what to defer
• Mentor engineers and risk practitioners across Security and the broader engineering organization, and help build a risk engineering culture in which teams own their risks and our team provides the visibility and judgment that supports the
• Security Risk Engineering
  • Work across the breadth of Anthropic's security landscape, spanning areas like identity and secrets management, developer security and supply chain, infrastructure security, and secure frameworks, and build the context needed to reason about risk credibly in each
  • Go deep where a risk demands it, understanding how these systems are built and how they fail so that assessments and treatment plans reflect engineering reality rather than abstraction
• Risk Assessment and Quantification
  • Identify systematic risks through threat modeling and structured assessment, then drive the severity calibration and escalation conversations that follow, bringing leadership a defensible position and a clear recommendation that holds up under pointed questions
  • Contribute to the team's quantitative risk work, applying methods such as calibrated estimation and Monte Carlo simulation where they meaningfully change a resource or treatment decision
• Risk Platform and Automation
  • Design and build AI-native risk tooling that uses Claude to classify incoming risks, augment triage, and continuously sense changes in our risk landscape as teams ship
  • Create the dashboards and data pipelines that give engineering and product teams real-time visibility into their risk posture and make distributed ownership of risk practical
• Remediation Strategy and Investment
  • Partner with Security Engineering and risk owners to design remediation roadmaps that are explicit about sequencing, ownership, and the investment required
  • Measure outcomes rather than activity, focusing on decisions made and risk reduced

Minimum Qualifications

• At least 8 years of software engineering or security engineering experience, including leading and remediating complex security risks independently
• Bachelor's degree in a related field or equivalent experience
• Strong programming skills in Python or at least one systems language such as Go, Rust, or C/C++
• Broad knowledge across the core security engineering domains, with depth in at least one, including identity and secrets management, developer security and supply chain, infrastructure and cloud security, and secure frameworks
• Calibrated risk judgment, meaning you can put a defensible severity and likelihood on an ambiguous problem and change your position when the evidence changes
• Experience leading cross-functional security initiatives and navigating complex organizational dynamics
• Outstanding communication skills, translating technical concepts effectively across all levels of the organization
• A track record of bringing clarity and ownership to ambiguous technical problems and driving them to resolution
• Low ego and high empathy, with a history of growing the engineers around you and supporting diverse, inclusive teams
• Passion for AI safety and the role security and risk management play in building trustworthy AI systems

Preferred Qualifications

• Owned a named security risk and driven it from discovery through remediation across multiple teams
• Briefed executives on risk decisions and defended accept, remediate, or transfer recommendations under challenge
• Built security automation, detection, or risk platforms adopted across an engineering organization
• Shipped LLM or agent-powered tooling and workflows that automate security or risk activities
• A security engineering, detection engineering, or offensive security background with a risk-based prioritization mindset
• Built or operated a quantified security risk program (FAIR-style decomposition, Monte Carlo simulation, loss exceedance analysis) whose outputs changed real resource decisions
• Enough familiarity with SOC 2, ISO 27001, or FedRAMP to know what compliance does and does not buy you

Logistics

Minimum education: Bachelor's degree or an equivalent combination of education, training, and/or experience

Required field of study: A field relevant to the role as demonstrated through coursework, training, or professional experience

Minimum years of experience: Years of experience required will correlate with the internal job level requirements for the position

Location-based hybrid policy: Currently, we expect all staff to be in one of our offices at least 25% of the time. However, some roles may require more time in our offices.

Visa sponsorship: We do sponsor visas! However, we aren't able to successfully sponsor visas for every role and every candidate. But if we make you an offer, we will make every reasonable effort to get you a visa, and we retain an immigration lawyer to help with this.

We encourage you to apply even if you do not believe you meet every single qualification. Not all strong candidates will meet every single qualification as listed. Research shows that people who identify as being from underrepresented groups are more prone to experiencing imposter syndrome and doubting the strength of their candidacy, so we urge you not to exclude yourself prematurely and to submit an application if you're interested in this work. We think AI systems like the ones we're building have enormous social and ethical implications. We think this makes representation even more important, and we strive to include a range of diverse perspectives on our team. Your safety matters to us. To protect yourself from potential scams, remember that Anthropic recruiters only contact you from @anthropic.com email addresses. In some cases, we may partner with vetted recruiting agencies who will identify themselves as working on behalf of Anthropic. Be cautious of emails from other domains. Legitimate Anthropic recruiters will never ask for money, fees, or banking information before your first day. If you're ever unsure about a communication, don't click any links—visit anthropic.com/careers directly for confirmed position openings.

How We're Different

We believe that the highest-impact AI research will be big science. At Anthropic we work as a single cohesive team on just a few large-scale research efforts. And we value impact — advancing our long-term goals of steerable, trustworthy AI — rather than work on smaller and more specific puzzles. We view AI research as an empirical science, which has as much in common with physics and biology as with traditional efforts in computer science. We're an extremely collaborative group, and we host frequent research