Senior Product Security Engineer

USD 168,000-210,000 per year
SENIOR
✅ Hybrid

Required Skills & Competences

Security @ 4, Linux @ 4, Python @ 4, Java @ 4, CI/CD @ 3, Leadership @ 4, JavaScript @ 4, Technical Leadership @ 4, Reporting @ 4, Engineering Management @ 4, OWASP @ 4, AI @ 4, Agentic AI @ 4

Details

Collibra is seeking a Senior Product Security Engineer to join the Product Security team. You will be responsible for identifying vulnerabilities and providing remediation consulting for global product development teams. This role provides technical leadership and oversight to ensure Collibra delivers secure, resilient products and services. You will act as an application security evangelist, partnering with engineers and leveraging AI and MCP to create context-aware security automation.

Responsibilities

  • Application security for products and/or features supported by your assigned development teams.
  • Perform security testing and triage findings identified by SAST, SCA, IAST, DAST, and penetration tests.
  • Leverage AI and MCP to create intelligent, context-aware security guidance and automation.
  • Provide remediation consulting services to assigned development teams.
  • Assist with vulnerability management reporting and tracking.
  • Coordinate third-party penetration testing engagements, analyze reports, and open tickets for remediation.
  • Contribute to the configuration and management of security tools.

Requirements

  • 5+ years of application/product security experience.
  • 2+ years securing Java, Python, and/or JavaScript web applications.
  • Knowledge of enterprise-level software architecture components and cloud infrastructure.
  • Experience building trusted-advisor relationships with engineers, product owners, and engineering management (up to director level).
  • Experience with AI security tooling and context-aware automation for the SSDLC.
  • Understanding of AI privacy and governance in developer workflows.
  • Experience using and building agentic AI systems that work collaboratively.
  • Experience advocating for remediation of application security risk while working with development/engineering teams.
  • Experience identifying vulnerabilities in source code, providing reproducible exploitation steps, and recommending remediations.
  • Working knowledge of Python, Java, and/or JavaScript.
  • Experience with Linux and containerization in cloud environments.
  • Familiarity with CI/CD concepts and integrated SAST, SCA, and DAST tooling.
  • Experience using SAST, DAST, and SCA tooling; triaging vulnerabilities in source code, open-source dependencies, and 3rd-party containers.
  • Ability to assess and communicate the impact of Common Vulnerabilities and Weaknesses (CVEs) and advise on risk acceptance/false positives/severity adjustments.
  • Experience as an embedded security resource within development teams for vulnerability assessments.
  • Working knowledge of the OWASP Top 10 and ability to explain concepts to diverse engineering and people-leader audiences.
  • Familiarity with AI standards and regulations (EU AI Act, SAIF, ISO 42001).
  • A bachelor’s degree or equivalent related work experience is required.
  • This position is not eligible for visa sponsorship. Because this role supports the US government, the candidate must be a US citizen who resides on US soil.

Measures of success

  • Within 1 month: absorb fundamental knowledge about Collibra processes/tools and SDLC.
  • Within 3 months: own application security engineering tasks for one or more development teams responsible for product features.
  • Within 6 months: manage triaging efforts for 3rd-party pen testing and resolve customer product security inquiries independently.

Location & Work Model

  • Hybrid role based in Collibra's Raleigh office (Raleigh, North Carolina, USA). The hybrid model requires working from the office at least two days each week.

Compensation

  • Base salary range: $168,000 - $210,000 per year.
  • Position is not eligible for additional commission-based compensation. Salary offers depend on experience, skills, and location.
  • Additional total rewards: bonus potential, equity for eligible roles, a Flex Fund monthly stipend, pension/401(k) plans, and more.

Benefits

  • Flexible benefits program including competitive compensation, health coverage, and time off. Learn more via Collibra's benefits and DEI links provided in the original posting.