Responsibilities
- Define and lead product security strategy across web, mobile, API, cloud, infrastructure, and container security — conducting threat modeling, risk assessments, and security reviews throughout the development lifecycle with a strong shift-left focus.
- Embed secure development practices by designing and implementing secure coding standards, encryption, and security testing methodologies in close collaboration with development and ML teams, ensuring products are secure, resilient, and trustworthy.
- Own Enterprise AI Security end-to-end — from securing LLM integrations, agentic pipelines, and ML model ingestion to defending against AI-specific threats (prompt injection, data poisoning, model extraction, RAG poisoning, ), building AI incident response playbooks, and red-teaming AI systems across Recursion's product surfaces.
- Secure the AI supply chain and MLOps infrastructure by vetting third-party foundation models, open-source weights, and AI APIs before production integration, and partnering with ML engineering to protect training pipelines, feature stores, and model serving endpoints.
- Champion compliance and AI governance by operationalizing frameworks such as OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, and EU AI Act requirements — collaborating with legal, privacy, and responsible AI teams to support audits and evolving regulatory expectations.
- Scale security as a force multiplier by evaluating and deploying security tooling, detecting policy violations, driving security outcomes, and ensuring security initiatives never become a bottleneck to business objectives.
- Elevate the security culture across the organization by serving as a subject matter expert, mentoring engineering teams, and leading incident response efforts from investigation through mitigation and prevention.
- Maintain the security foundation through thorough documentation — including security requirements, guidelines, and incident response plans — and hands-on penetration testing and code reviews to simulate and get ahead of real-world threats.
Requirements
- Bachelor's or Master's degree in Computer Science, Information Security, or a related field, with 10+ years of experience in product security or application security and a proven track record securing complex products.
- Deep understanding of security principles, threats, and countermeasures as they relate to product design and development, with familiarity across standards and frameworks including OWASP, NIST, ISO/IEC 27001, and CVSS-based vulnerability prioritization.
- Hands-on proficiency with penetration testing frameworks and tools (Metasploit, Burp Suite, Nmap, Wireshark), web application attack techniques (SQL injection, XSS, CSRF, OWASP Top Ten), and the ability to simulate real-world attacks and assess their impact.
- Expertise in one or more programming languages (e.g., Python, Java, C++) with strong command of secure coding practices, encryption standards, and integrating security tooling into CI/CD and development workflows.
- Demonstrated experience securing AI/ML systems and LLM-powered or agentic products in production — including familiarity with AI attack surfaces (prompt injection, data poisoning, model extraction, membership inference, RAG poisoning) and hands-on red-teaming of AI pipelines and agentic workflows.
- Working knowledge of AI security frameworks (OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, EU AI Act) and experience vetting third-party foundation models, open-source weights, and AI APIs as part of a structured supply chain security program.
- Familiarity with securing ML infrastructure — including training pipelines, experiment tracking, model registries, and inference endpoints — and designing least-privilege access controls for AI agents with external system or tool access.
- Excellent communication and influencing skills, with the ability to drive security initiatives across engineering, legal, privacy, and executive stakeholders and mentor teams on security best practices.
Nice to Have
- CISSP, OSCP, or GWAPT for core security credentialing, plus AI-focused certifications such as GAISC, Offensive ML (OffSec), or cloud provider AI security tracks (AWS/GCP).
Team
Structure: growing Information Security team
