What you'd actually do

Lead the technical vision and strategic roadmap for the Application Security team, aligning security objectives with Brex's enterprise growth and high-velocity engineering metrics.

Establish technical standards and secure defaults across the entire engineering organization, fostering a culture of collaborative security excellence and bridging product platforms, infra, and trust.

Architect and secure novel AI/ML and agentic workflows, applying cutting-edge practices to mitigate risks such as prompt injection, model manipulation, and data poisoning.

Mentor and coach engineers within the team and across the broader organization, guiding technical growth, helping individuals level up their security expertise, and accelerating team delivery.

Drive proactive vulnerability discovery and offensive security testing strategies, executing complex attack chains to demonstrate business impact and prioritize cross-functional remediation.

Skills

Required

Application Security
Product Security
software engineering
penetration testing
vulnerability management
AI security
agentic architectures
LLM gateways
adversarial AI vectors
threat modeling
cloud-native container security
AWS
Kubernetes
Python
Go

Nice to have

Kotlin
gRPC
GraphQL
Kubernetes
building and scaling security teams
securing distributed systems in AWS
open source contributions
public research
CTF participation
blogging
CVEs
presentations
bug bounty programs
responsible disclosure programs
AI security research
AI security frameworks

What the JD emphasized

Deep proficiency and technical expertise in AI security, including hands-on experience securing agentic architectures, LLM gateways, and evaluating adversarial AI vectors.

Architect and secure novel AI/ML and agentic workflows, applying cutting-edge practices to mitigate risks such as prompt injection, model manipulation, and data poisoning.

Why join us

Brex is the intelligent finance platform that enables companies to spend smarter and move faster in more than 200 markets. By combining global corporate cards and banking with intuitive spend management, bill pay, and travel software, Brex enables founders and finance teams to accelerate operations, gain real-time visibility, and control spend effortlessly. Brex’s AI-native automation and world-class service eliminate manual expense and accounting tasks for customers so they can focus on what matters most. Tens of thousands of the world's best companies run on Brex, including DoorDash, Coinbase, Robinhood, Zoom, Plaid, Reddit, and SeatGeek.

Working at Brex allows you to push your limits, challenge the status quo, and collaborate with some of the brightest minds in the industry. We’re committed to building a diverse team and inclusive culture and believe your potential should only be limited by how big you can dream. We make this a reality by empowering you with the tools, resources, and support you need to grow your career.

Engineering at Brex

Engineering at Brex is about building systems that scale with speed and intention. Our teams span Software, Data, Security, and IT, and operate with high autonomy and deep collaboration. We tackle hard technical problems, own our outcomes, and push for excellence at every level — from architecture to deployment. It’s an environment where engineering is a craft, and builders become leaders.

What you’ll do

As a Staff Application Security Engineer, you will define the technical vision and long-term security architecture for the Brex platform. You will serve as the technical leader for the Application Security team, driving the strategic direction of our secure product lifecycle and vulnerability management programs. This role is highly cross-functional, requiring you to establish deep, collaborative connections across the broader engineering organization to embed security seamlessly into high-velocity development pipelines.

We're looking for individuals with a solid foundation in penetration testing and a curiosity for finding vulnerabilities in complex systems. You should have experience identifying and documenting vulnerabilities across common vulnerability classes and be able to communicate their risk clearly to engineering and product teams.

Brex is pioneering the next wave of AI-driven financial services for dynamic, high-impact companies like Coinbase, Robinhood, and Anthropic. As we integrate AI across our product suite, you will be at the forefront of securing our novel AI implementations, identifying emerging attack vectors in agentic-powered features, and hardening distributed LLM architectures. You will mentor team members, raise the technical bar for the organization, and partner with product and engineering leaders to build AI capabilities our customers can trust with their critical financial operations.

Where you’ll work

This role will be based in our San Francisco office. We are a hybrid environment that combines the energy and connections of being in the office with the benefits and flexibility of working from home. We currently require 3 days per week in the office - Monday, Wednesday and Thursday. As a perk, we also have up to four weeks per year of fully remote work!

Responsibilities:

Lead the technical vision and strategic roadmap for the Application Security team, aligning security objectives with Brex's enterprise growth and high-velocity engineering metrics.
Establish technical standards and secure defaults across the entire engineering organization, fostering a culture of collaborative security excellence and bridging product platforms, infra, and trust.
Architect and secure novel AI/ML and agentic workflows, applying cutting-edge practices to mitigate risks such as prompt injection, model manipulation, and data poisoning.
Mentor and coach engineers within the team and across the broader organization, guiding technical growth, helping individuals level up their security expertise, and accelerating team delivery.
Drive proactive vulnerability discovery and offensive security testing strategies, executing complex attack chains to demonstrate business impact and prioritize cross-functional remediation.
Partner with Product Platform, Cloud Infrastructure, and Data engineering teams to ensure core primitives, APIs, and microservices are secure by default from design to deployment.

Requirements:

8+ years of experience in Application Security, Product Security, or software engineering with a primary focus on offensive and defensive application security.
Proven track record of technical leadership and team mentorship on complex, multi-quarter security engineering initiatives in a fast-paced environment.
Deep proficiency and technical expertise in AI security, including hands-on experience securing agentic architectures, LLM gateways, and evaluating adversarial AI vectors.
Strong systems-thinking capabilities with extensive experience defining secure product development lifecycles, threat modeling complex topologies, and cloud-native container security (AWS, Kubernetes).
Proficiency in Python, Go, or similar languages to architect internal tooling, pipeline automation, and advanced detection/scanning engines.
Exceptional written and verbal communication skills, with a demonstrated ability to navigate ambiguity, influence technical leaders, and manage up and out across EPD organizations.

Bonus Points:

Experience with Kotlin, gRPC, GraphQL, Kubernetes
Previous experience in building and scaling security teams
Experience with securing distributed systems in AWS and cloud environments
Contributions to the wider technical community — open source, public research, CTF participation, blogging, CVEs, or presentations
Experience submitting to bug bounty or responsible disclosure programs
Published AI security research or contributions to AI security frameworks

Compensation:

The expected salary range for this role is $240,000 USD - $300,000 USD. However, the starting base pay will depend on a number of factors including the candidate’s location, skills, experience, market demands, and internal pay parity. Depending on the position offered, equity and other forms of compensation may be provided as part of a total compensation package.

Please be aware, job-seekers may be at risk of targeting by malicious actors looking for personal data. Brex recruiters will only reach out via LinkedIn or email with a brex.com domain. Any outreach claiming to be from Brex via other sources should be ignored.