[Remote] Application Security Engineer

Note: The job is a remote job and is open to candidates in USA. Arcadia is the AI-powered energy intelligence platform for businesses. They are seeking a technically hands-on Application Security Engineer to join the Information Security team, responsible for owning the vulnerability management lifecycle and integrating security automation into the CI/CD pipeline.

Responsibilities

• Own the end-to-end vulnerability management lifecycle: triage, prioritize, and drive remediation of findings from SAST, DAST, and SCA tooling in partnership with engineering squads
• Maintain, optimize, and extend security tooling integrations within the CI/CD pipeline with the goal of automating everything that can be automated
• Launch and run a Security Champions program, including workshops and office hours, to embed security knowledge directly into development teams across multiple geographies
• Act as the application-layer subject matter expert during security incidents, supporting triage, root cause analysis, and remediation
• Partner with Product and Engineering leadership to introduce security touchpoints earlier in the SDLC, including threat modeling and design review processes

Skills

• 3–5 years of dedicated Application Security experience in a SaaS or cloud-native environment
• Hands-on proficiency with at least two of the following: SAST, DAST, SCA, or CSPM tooling (e.g., Snyk, Checkmarx, Semgrep, Wiz)
• Strong working knowledge of CI/CD pipelines (e.g., GitHub Actions, Jenkins, GitLab CI) and the ability to write and maintain pipeline integrations
• Experience with container security (Docker, Kubernetes) and API security patterns (REST, GraphQL)
• Demonstrated ability to communicate technical risk to non-security engineers in a way that drives action, not anxiety
• Experience standing up or maturing a Security Champions program
• Familiarity with cloud-native AWS security services (GuardDuty, Security Hub, IAM Access Analyzer)
• Exposure to threat modeling frameworks (STRIDE, PASTA, or lightweight equivalents)
• Relevant certifications (OSCP, GWAPT, CSSLP) — valued but not required

Benefits

• "Remote first" culture - work anywhere in the US as long as you have a reliable internet connection
• Flexible PTO - no accrued hours and no limit on the number of vacation days exempt employees can take each year
• 12 annual holidays
• 10 days sick leave
• Up to 4 weeks bereavement leave
• 2 volunteer days off
• 2 professional development days off
• 12 weeks paid parental leave for *all* parents
• 75-95% employer cost coverage for medical, dental, and vision benefits for employees and dependents

Company Overview