Staff+ Application Security Engineer - M&A

USD 320,000-485,000 per year
SENIOR
✅ Hybrid
✅ Visa Sponsorship

Used Tools & Technologies

Not specified

Required Skills & Competences

Security @ 4 Go @ 4 TypeScript @ 4 Python @ 4 Leadership @ 4 Communication @ 4 Rust @ 4 Reporting @ 4 Due Diligence @ 4 LLM @ 4 AI @ 4

Details

Anthropic’s mission is to create reliable, interpretable, and steerable AI systems. The Application Security team secures the systems that build, serve, and increasingly are Claude — and as Anthropic's footprint grows, that mandate now extends to companies and codebases we bring in from outside. This role establishes that function for M&A: owning security due diligence and secure integration for acquisitions, formalizing the playbook, risk model, and tooling, and automating repeatable parts of diligence and integration.

Responsibilities

  • Lead pre-close security due diligence on prospective acquisitions: coordinate external penetration testing, threat-model the target's architecture, assess security controls, and deliver the security risk readout for leadership ahead of close and integration planning.
  • Drive post-close security integration: stand up static and dynamic analysis coverage on acquired codebases, track high- and critical-severity remediation to closure, fold acquired assets into bug bounty scope, and onboard repositories to Anthropic's automated vulnerability remediation and reporting systems.
  • Coordinate adjacent security engineering teams (supply chain, cloud, corporate security, detection & response) on their portions of each integration.
  • Work across stakeholders on every deal — corporate development, legal, security leadership, engineering teams inheriting acquired systems, and external engineering/security counterparts — translating between them and keeping the security workstream legible.
  • Formalize and scale Anthropic's M&A security playbook: risk-scoring model, diligence runbook, integration checklist — and convert as much as possible into Claude-powered tooling rather than manual processes.
  • Share the team's operational on-run rotation (bug bounty escalations, launch consults, incident response), swapping out during periods of active deal work.
  • Contribute to core AppSec projects between deals — secure design reviews, threat modeling for agentic systems, and the team's security automation roadmap.

Minimum qualifications

  • Hands-on application and infrastructure security experience, including cloud and containerized environments.
  • Demonstrated ability to rapidly assess an unfamiliar codebase or architecture and produce a clear, prioritized risk assessment for a non-security audience.
  • Production-quality coding ability in at least one of: Python, Go, Rust, or TypeScript.
  • Practical threat-modeling and vulnerability-identification skills — experience finding and reasoning about real bugs in real systems.
  • Comfort operating with high autonomy, ambiguity, and tightly-held confidential context.
  • Clear written and verbal communication across varied audiences — executives, legal and corporate development partners, and engineering counterparts at an acquired company.

Preferred qualifications

  • 7+ years in application security, security consulting, or security architecture.
  • Prior M&A security due diligence, third-party security assessment, or technical due diligence experience.
  • Experience standing up or scaling SAST/DAST, bug bounty, or vulnerability management coverage across multiple codebases.
  • Track record of building security automation or tooling rather than relying solely on manual review.
  • Familiarity with using LLMs as a core part of your security workflow.
  • Experience securing agentic, code-execution, or LLM-integrated systems.

Representative projects

  • Use Anthropic's internal LLM-driven code analysis and AI-assisted scanning on an acquired repository and turn the output into a prioritized remediation plan in days rather than weeks.
  • Design the risk-scoring framework Anthropic uses to compare security posture across acquisitions of different shapes and sizes.
  • Build automation to onboard an acquired codebase to Anthropic's vulnerability dashboard, dependency auto-patching, and bounty scope without a human running a checklist.
  • Write the security risk memo for a live deal and present it to corporate development and security leadership.

Compensation

Annual Salary: $320,000 - $485,000 USD

Logistics

  • Minimum education: Bachelor’s degree or equivalent combination of education, training, and/or experience.
  • Location: Remote-Friendly (Travel-Required); listed locations include San Francisco, CA; Seattle, WA; and New York City, NY. Anthropic expects staff to be in one of its offices at least 25% of the time for many roles.
  • Visa sponsorship: Anthropic states they do sponsor visas and retain an immigration lawyer to help when they make an offer.

How we're different

Anthropic works as a cohesive team on large-scale AI research efforts, values communication, and emphasizes impactful, collaborative research and engineering. The team often uses Claude and LLM-driven tooling as part of workflows.

More jobs at Anthropic

Similar jobs