Responsibilities
- Identifying vulnerabilities, demonstrating business impact, and articulating the risk of specific vulnerabilities to drive prioritization efforts
- Perform penetration testing and design reviews, looking for vulnerabilities and insecure designs, work with engineering and product to design secure product features
- Maintain and build internal tools to automate security efforts, perform SAST and DAST testing of the Brex platform, and support secure development practices
- Build and contribute to a culture of collaborative security excellence through technical leadership, learning sessions, and mentorship within the team and wider organization
Requirements
- 5+ years work experience in an Application Security or related role
- Ability to find vulnerabilities in complex systems, demonstrating business impact through custom attack chains
- Experience with a wide range of secure development activities including— threat modeling, developer education, and incident response
- Knowledge of Python, scripting languages, and AI/agentic workflows to automate tasks, build tools and improve productivity
- Collaborative mindset paired with strong written and verbal communication skills
Nice to Have
- Proficiency with Kotlin, gRPC, GraphQL, Kubernetes
- Previous experience as a software engineer
- Consultancy experience performing web application security reviews
- Experience with securing distributed systems in AWS and cloud environments
- Experience with pentesting and securing agentic features and systems
- Contributions to the wider technical community— open source, public research, mentorship, community organizing, blogging, CVEs, presentations, etc
- Experience submitting to bug bounty programs or responsible disclosure programs
Team
Structure: Application Security is part of the wider Financial Scale organization, working closely with Security Operations, GRC, Product Security, Front End Platform, and IT Infrastructure teams.
Additional Information
- Brex LLC is a wholly owned subsidiary of Capital One, N.A.
- Job-seekers may be at risk of targeting by malicious actors looking for personal data. Brex recruiters will only reach out via LinkedIn or email with a brex.com domain. Any outreach claiming to be from Brex via other sources should be ignored.