Senior Application Security Engineer

Senior Application Security Engineer

At Qualia, we've built the leading B2B real estate technology that transforms the home buying and selling experience into a simple, secure, and enjoyable process. Our SMB and Enterprise products bring together users from across the real estate ecosystem---homebuyers and sellers, lenders, title and escrow agents, and real estate agents---onto a single shared digital closing platform, providing greater clarity and transparency to real estate transactions. Today, through our business customers across the country, millions of consumers use Qualia to close on homes every year.

What You'll Work On

We're hiring a Senior Application Security Engineer to join a small, high-leverage AppSec team. This is a deep-technical IC role with a staff-leaning scope: you'll set the technical direction and own delivery on how we find, fix, and prevent vulnerabilities across Qualia's products and cloud infrastructure, and you'll be the person other engineers want in the room when an architecture decision has a security dimension.

You'll partner daily with product engineering, infrastructure, and platform teams, and you'll work closely alongside our existing AppSec engineers - raising the technical bar of the team while staying deeply hands-on with code, tooling, and adversarial testing. This is the right role for someone who is as comfortable writing a Burp extension or a Semgrep rule as they are pairing with a product engineer to land a fix.

Responsibilities

• Run offensive assessments against Qualia's applications and infrastructure: manual penetration testing, exploit development, authenticated web/API testing, and adversarial review of new designs before they ship
• Lead threat modeling and secure design review for the highest-risk initiatives across the company, and mentor engineers to do the same for their own work
• Own and evolve our AppSec tooling stack end-to-end - SAST, DAST, SCA, secret scanning, IaC scanning, and the CI/CD gates that tie them together. Build the custom rules, detections, and automation that generic tooling doesn't give us
• Harden our cloud posture: review AWS configurations, IAM policies, Kubernetes/EKS workloads, and networking boundaries; build automation and guardrails that prevent the same class of issue from recurring
• Reduce toil for the team - write the tools, scripts, and integrations that turn a day of triage into a few minutes
• Partner with Infrastructure and Platform on detection engineering, incident response support, and cross-cutting programs (secrets management, supply chain, runtime security)
• Set the technical bar for the AppSec team: raise the quality of reviews, establish patterns others can reuse, and mentor peers across seniority levels
• Represent AppSec in architectural reviews, vendor evaluations, and compliance efforts

Your Background That Likely Makes You A Match

• 8+ years of hands-on experience in application security, offensive security, or security engineering, with demonstrable depth in at least two of: offensive testing, security tooling/automation, and cloud/infra security
• Strong offensive skills - you can manually exploit real web and API vulnerabilities beyond what a scanner will find, and you can teach others to do the same
• Deep familiarity with building and operating security tooling in a modern engineering org: SAST/DAST/SCA pipelines, custom detection rules, secrets scanning, and CI/CD security gates. You've written tooling, not just configured it
• Production experience with AWS (IAM, VPC, networking, data services), containerized workloads (Docker, Kubernetes/EKS), and infrastructure-as-code (Terraform or similar)
• Comfort reading, reviewing, and contributing code in at least one language common to modern web stacks (Python, Go, Ruby, TypeScript, or similar)
• Clear, direct communication style. You can make a sharp technical argument to senior engineers, translate risk into business terms for leadership, and write a bug report an engineer actually wants to fix
• Strong partnership instincts - you get leverage by making other teams faster, not by blocking them

Nice to have:

• Experience in fintech, proptech, healthcare, or another regulated industry where data sensitivity is high
• Background meaningfully contributing to a bug bounty program
• Experience with identity and access systems (OIDC, SAML, federation, fine-grained authorization)
• Detection engineering, DFIR, or red-team experience
• Open source contributions to security tooling, published research, or CVE credits
• Relevant certifications (OSCP, OSWE, GWAPT, GPEN, etc.) - valued but not required

While this role is remote work eligible, we have three office locations: San Francisco, California; Concord, New Hampshire; and Austin, Texas.

This role has a base annual salary of $180,000-$210,000 plus a competitive equity and benefits package. (Salary to be determined by relevant experience, location, knowledge, and skills of the applicant, internal equity, and alignment with market data.)