Principal Security Engineer

Who We Are Looking For

We are looking for a hands-on security leader and subject matter expert in application security and AI security, responsible for defining the architectural security goals and implementation strategy for WebPT’s cloud-native SaaS environments. This engineer serves as the security team’s technical anchor—performing deep dives into complex application and system designs, evaluating AI/ML platform risks, and translating security requirements into practical engineering guidance that enables the business rather than slowing it down.

Working closely with engineering leadership, product managers, and third-party development partners, this leader This person will be the voice of security in architecture reviews, design sessions, and vendor evaluations, ensuring that security and compliance are built in from the start.

 

What You’ll Be Doing As A Part of Our Team

Application Security Architecture

• Security Design Reviews: Lead application security architecture reviews for WebPT’s SaaS platforms, including new feature designs, third-party integrations, and major platform changes submitted through the change management process.
• Threat Modeling: Own and facilitate threat modeling sessions with product and engineering stakeholders, translating findings into actionable developer guidance, architectural guardrails, and risk-accepted documentation.
• Secure SDLC: Help define and evolve WebPT’s Secure Software Development Lifecycle (SDLC), embedding security checkpoints into GitLab CI/CD pipelines and development workflows without creating unnecessary friction.
• SAST/DAST Ownership: Oversee application security testing tooling, triage findings by risk, and drive remediation with engineering teams—balancing thoroughness with the pace of a lean environment.
• API & Auth Standards: Serve as the internal authority on API security, secrets management, authentication and authorization patterns (OAuth 2.0, SAML, OIDC), and input validation across microservices and legacy systems.

 

AI Security & Governance

• AI Security: Serve as the primary security resource for AI/ML integration decisions, including agentic AI workflows, LLM-based features, ambient listening, and third-party AI platform technologies.
• AI Governance Framework: Define and maintain WebPT’s AI security standards and AI vendor risk assessment criteria, including evaluation of AI/ML platforms for HIPAA BAA compliance, data residency, prompt injection risk, and model confidentiality.
• AI Security Controls: Partner with engineering and product to design security guardrails for AI feature development: input/output validation, audit logging, human-in-the-loop controls, and AI supply chain integrity.
• Shadow AI Discovery: Drive AI Shadow IT discovery and governance initiatives, analyzing telemetry from Wiz, CrowdStrike, and network/DNS sources to identify unauthorized AI tool usage across the environment.
• Emerging Threat Awareness: Stay current with AI threat vectors and regulatory guidance (NIST AI RMF, OWASP LLM Top 10, HHS AI policy) and translate these into WebPT-specific controls and policy updates.

 

Cloud & Infrastructure Security

• Cloud Security Posture: Partner with Cloud Operations to maintain and continuously improve WebPT’s security posture across cloud environments, leveraging Wiz for cloud security assessment and misconfiguration detection.
• IaC & Container Security: Provide security architecture input for infrastructure-as-code pipelines, container security, and CI/CD pipeline hardening in GitLab.
• Vulnerability Management: Contribute to vulnerability management strategy including EOL technology remediation, CVE triage, and risk-based prioritization in partnership with Cloud Operations and the broader security team.
• WAF & Network Controls: Provide security guidance on WAF configuration (F5), network segmentation, and secrets management across the production environment.

 

Security Leadership & Cross-Functional Partnership

• Engineering Partnership: Participate actively in change management and security review processes, providing timely, risk-calibrated assessments and serving as a trusted partner to engineering—not a gatekeeper.
• Team Mentorship: Mentor other engineers on the Security team, providing technical coaching on application security concepts, tool usage, and security investigation techniques.
• Documentation & Evangelism: Produce clear security architecture decision records, threat model summaries, risk assessments, and remediation roadmaps; evangelize secure development practices across the engineering organization.
• Executive Communication: Represent security in cross-functional forums with engineering, product, and operations leadership; translate complex security risks into business-relevant language for board- and investor-ready reporting.
• PEN Testing & Compliance: Contribute to external penetration test scoping, coordination, and remediation, and support SOC 2 Type II and HIPAA compliance audit cycles as a technical subject matter expert.

What You Should Have to Qualify

• Education & Experience: Bachelor’s degree in Computer Science, Information Security, or a related technical field, with 8+ years of progressive security engineering experience, including at least 4 years in a senior or principal application security or product security role.
• Application Security Expertise: Deep technical proficiency in OWASP Top 10, threat modeling, SAST/DAST tooling, secure code review, API security, and authentication/authorization patterns. You must be comfortable reading code in TypeScript/JavaScript and Python and engaging meaningfully with engineering teams on security trade-offs.
• AI/ML Security Knowledge: Demonstrated understanding of AI/ML security risks including prompt injection, model supply chain attacks, data leakage in LLM integrations, and agentic AI trust boundaries. Proven experience with OWASP LLM Top 10 and NIST AI RMF.
• Cloud-Native SaaS Experience: Hands-on experience securing cloud-native SaaS applications, preferably on AWS with containerized and Kubernetes workloads, IaC pipelines, and microservices architectures.
• Vendor Risk Assessment: Proven experience evaluating third-party AI/ML platforms and vendors for security and compliance risk in HIPAA-regulated or similarly regulated environments, including BAA assessment and data handling review.
• Independent Execution: Proven ability to operate independently in a fast-paced, lean environment and influence engineering outcomes without direct authority. This is a small team—you will own your domains fully.
• Communication: Excellent written and verbal communication skills; able to translate technical risk into business impact for executive and non-technical stakeholders, including board- and investor-level reporting.
• HIPAA & Compliance: Strong working knowledge of HIPAA Security Rule requirements as applied to a cloud SaaS architecture, and experience supporting SOC 2 Type II compliance programs.

 

Ideally, You Would Also Have These

• Certifications: One or more industry certifications: OSCP, CSSLP, AWS Security Specialty, CISSP, or equivalent security practitioner credential.
• Healthcare Domain Knowledge: Familiarity with clinical documentation standards, EMR data sets, and the nuances of HIPAA compliance in a SaaS product context.
• Security Tooling Experience: Hands-on experience with Wiz, CrowdStrike Falcon, Rapid7 InsightIDR/InsightVM, or comparable enterprise cloud and endpoint security platforms.
• AI Framework Familiarity: Exposure to agentic AI development frameworks and an understanding of how these architectures introduce novel security challenges.
• GitLab & Supply Chain Security: Experience with GitLab CI/CD pipeline security, dependency scanning, and software supply chain security controls.
• PAM Experience: Familiarity with privileged access management solutions (Teleport, BeyondTrust, CyberArk) and certificate-based access control models.
• Team Mentorship & Influence: Previous experience providing technical leadership in a hybrid internal/external team environment, shaping security standards across engineering without formal authority.

 

Culture is at our Core

• Service: Create Raving Fans
• Accountability: F Up; Own Up
• Attitude: Possess True Grit
• Personality: Be Minty
• Work Ethic: Be Rock Solid
• Community Outreach: Give Back
• Health and Wellness: Live Better
• Resource Efficiency: Do Más With Menos

 

About Us

Here, we work hard—but we have lots of fun doing it. We believe in equal opportunity for all, autonomy, trailblazing, and always doing right by our Members. Most importantly, though, we believe in empowering rehab therapy professionals to achieve greatness in practice. So, if you’re a can-do kinda person who loves to help Members win and enjoys working from just about anywhere—then you’ll fit right in. We’ve got big plans, but we can’t achieve them without you. Join us, and let’s achieve greatness.

#LI-MS1

#LI-Remote