Senior Security Engineer - Application & Product Security

💰 $154k-$184k
🇨🇦 Canada - Remote
🔒 Cybersecurity 🟣 Senior

Job description

CaptivateIQ is the leading Sales Performance Management solution, recognized by Forrester and G2, and trusted by customers including Affirm, Gong, and Figma. With solutions for Sales Planning and Incentives, we help revenue teams automate processes, hit revenue targets, and adapt with business change, ultimately driving efficient growth. It’s time to rethink ROI - your return on incentives - with CaptivateIQ.

With backing from Sequoia, Accel, ICONIQ, Sapphire Ventures, and other leading investors, CaptivateIQ is on a mission to enable every company to improve their return on incentives and sales planning.

Come and see why Glassdoor and Comparably have recognized CaptivateIQ as a best place to work!

About the role:

Security is a core value at CaptivateIQ. As we scale and expand our suite of services, embedding security into every phase of product development is critical to building trust in everything we deliver.

As a Senior Security Engineer focused on Application & Product Security, you will own our AppSec strategy - driving threat modeling, secure architecture design, and offensive security testing. You will lead manual and automated penetration testing, manage AppSec tooling (SAST, DAST, SCA), and build developer enablement programs. You’ll also be responsible for vulnerability management, incident response for application-layer events, and ensuring compliance alignment for SOC 2, ISO 27001, and privacy requirements.

This role blends offensive and defensive expertise with strategic influence, giving you the autonomy to shape a scalable, modern AppSec program.

Responsibilities:

  • Threat Modeling & Architecture Reviews: Mature and scale a modern threat modeling program across products and services. Enable secure-by-design architectures in collaboration with Engineering teams.
  • Offensive Security Testing: Conduct penetration tests (white-box and black-box) for web applications and APIs. Perform dynamic (DAST), static (SAST), and software composition (SCA) analysis. Simulate adversary attack scenarios to validate controls and identify gaps.
  • Secure SDLC Integration: Embed security into every stage of development; implement automated security tooling in CI/CD pipelines.
  • Vulnerability Management: Triage and prioritize application-layer vulnerabilities and guide engineering teams through remediation.
  • Developer Enablement: Deliver secure development and coding training; create resources to reduce recurring vulnerabilities.
  • Bug Bounty Management: Oversee Bug Bounty program, validate findings, and ensure timely resolution.
  • Incident Response Leadership: Lead investigations for application-layer security incidents and conduct post-incident analysis.
  • Compliance Enablement: Support audits, technical evidence collection, and control design for SOC 2, ISO 27001, and privacy-by-design requirements.
  • Customer Trust: Contribute to customer security assessments, penetration test reports, and security documentation.

Requirements:

  • 7+ years of experience in a security engineer or related role, including 4+ years specializing in web application, API, and product security.
  • Deep expertise securing multi-tenant SaaS platforms and features.
  • Strong communication and ability to influence software engineers and product managers.
  • Advanced experience conducting penetration tests, code reviews, and vulnerability assessments.
  • Expert knowledge of OWASP Top 10, web application and API security, and common vulnerability classes with practical remediation strategies.
  • Hands-on experience with AppSec tooling (SAST, DAST, SCA) integrated into CI/CD pipelines.
  • Strong programming and scripting skills (Python preferred) and ability to influence secure coding practices.
  • Proven ability to lead incident response for application-layer security events.
  • Familiarity with compliance frameworks (SOC 2, ISO 27001) and secure SDLC practices.
  • Knowledge of privacy-by-design principles and data security in SaaS environments.
  • Awareness of emerging AI/ML security risks and related countermeasures.

Nice to have:

  • Certifications such as OSCP, GCIH, GWAPT, or CISSP.
  • Familiarity with security frameworks such as NIST CSF, MITRE ATT&CK, OWASP ASVS, or ISO 27001.
  • Experience with commercial security tools such as EDR, SIEM, CSPM, CNAPP, vulnerability scanners, bug bounty platforms, WAFs, or compliance automation platforms.
  • Prior experience driving security engineering for a SaaS-based company.
  • Experience leveraging automation or AI/ML tools to improve secure development, detection, incident response, or code analysis workflows.

Benefits:

  • (US-ONLY) 100% of medical, dental, and vision covered including 75% for dependents
  • Flexible vacation days and quarterly mental health days so you can recharge
  • Enjoy a one-time expense on your 1-year work anniversary (to use for travel, home furnishings, fancy meal)
  • (US-ONLY) 401k plan to participate in and save towards the future
  • Newest Apple products to help you do your best work
  • Employee Resource Groups (ERGs) to support and celebrate the shared identities and life experiences of communities within CaptivateIQ. ERGs directly support our company-wide DEI goals as a space for developing and retaining diverse talent

Notice to Prospective Candidates:

  • Only emails from @captivateiq.com should be trusted.
  • We are aware of active recruitment scams using the CaptivateIQ name, in which individuals pose as our recruiters and post fake remote job openings and make fake job offers on the Internet. Please note, we will never do the following:
  • Attempt to correspond with a candidate using a free web-based account, such as an email address that ends in @gmail.com, @yahoo.com, @hotmail.com, etc.
  • Make an offer of employment without conducting multiple rounds of interviews face-to-face using secure video-conferencing technology.
  • Ask candidates to cash checks to buy equipment on behalf of CaptivateIQ.
  • Ask candidates to make a payment in order to be considered for a position.
  • Make early requests for candidates’ personal information such as date of birth, passport details, credit card numbers, bank details and social security number, etc.
  • Please note that we’ll only ask for more sensitive personal information in connection with background checks after an offer is made.
  • Participate in an on-call rotation to provide after-hours support, ensuring timely resolution of critical issues and maintaining system uptime.

$154,500 - $184,713 a year

The base salary range represents the minimum and maximum of the salary range for this position. The actual base salary offered for this position will depend on numerous factors, including individual proficiency, anticipated performance, and the location of the selected candidate. Our base salary is just one component of CaptivateIQ’s competitive total rewards package, which also includes equity awards (a new hire grant, along with opportunities for additional awards throughout your tenure), competitive health and wellness benefits, and a commitment to career growth and development.

CaptivateIQ participates in E-Verify, a web-based system that allows enrolled employers to confirm the eligibility of their employees to work in the United States.
