Used Tools & Technologies
Not specified
Required Skills & Competences
Tag name is followed by "@" symbol and proficiency level value.
About proficiency levels:
- 1-2 — basic awareness. Minimal hands-on experience, and a rudimentary understanding of the technology's purpose;
- 3-6 — daily use. Comfortable and regular usage, capable of handling common tasks and challenges related to the technology;
- 7-9 — you are an expert, you can teach others, you know all the pitfalls and tricks;
- 10 — exceptional knowledge, comprehensive understanding, and adeptness in all aspects of the technology, including advanced problem-solving. Think twice before claiming or demanding such level.
Security @ 4
Go @ 4
TypeScript @ 4
Python @ 4
Leadership @ 4
Communication @ 4
Rust @ 4
Reporting @ 4
Due Diligence @ 4
LLM @ 4
AI @ 4
- 1-2 — basic awareness. Minimal hands-on experience, and a rudimentary understanding of the technology's purpose;
- 3-6 — daily use. Comfortable and regular usage, capable of handling common tasks and challenges related to the technology;
- 7-9 — you are an expert, you can teach others, you know all the pitfalls and tricks;
- 10 — exceptional knowledge, comprehensive understanding, and adeptness in all aspects of the technology, including advanced problem-solving. Think twice before claiming or demanding such level.
Details
Anthropic’s mission is to create reliable, interpretable, and steerable AI systems. The Application Security team secures the systems that build, serve, and increasingly are Claude — and as Anthropic's footprint grows, that mandate now extends to companies and codebases we bring in from outside. This role establishes that function for M&A: owning security due diligence and secure integration for acquisitions, formalizing the playbook, risk model, and tooling, and automating repeatable parts of diligence and integration.
Responsibilities
- Lead pre-close security due diligence on prospective acquisitions: coordinate external penetration testing, threat-model the target's architecture, assess security controls, and deliver the security risk readout for leadership ahead of close and integration planning.
- Drive post-close security integration: stand up static and dynamic analysis coverage on acquired codebases, track high- and critical-severity remediation to closure, fold acquired assets into bug bounty scope, and onboard repositories to Anthropic's automated vulnerability remediation and reporting systems.
- Coordinate adjacent security engineering teams (supply chain, cloud, corporate security, detection & response) on their portions of each integration.
- Work across stakeholders on every deal — corporate development, legal, security leadership, engineering teams inheriting acquired systems, and external engineering/security counterparts — translating between them and keeping the security workstream legible.
- Formalize and scale Anthropic's M&A security playbook: risk-scoring model, diligence runbook, integration checklist — and convert as much as possible into Claude-powered tooling rather than manual processes.
- Share the team's operational on-run rotation (bug bounty escalations, launch consults, incident response), swapping out during periods of active deal work.
- Contribute to core AppSec projects between deals — secure design reviews, threat modeling for agentic systems, and the team's security automation roadmap.
Minimum qualifications
- Hands-on application and infrastructure security experience, including cloud and containerized environments.
- Demonstrated ability to rapidly assess an unfamiliar codebase or architecture and produce a clear, prioritized risk assessment for a non-security audience.
- Production-quality coding ability in at least one of: Python, Go, Rust, or TypeScript.
- Practical threat-modeling and vulnerability-identification skills — experience finding and reasoning about real bugs in real systems.
- Comfort operating with high autonomy, ambiguity, and tightly-held confidential context.
- Clear written and verbal communication across varied audiences — executives, legal and corporate development partners, and engineering counterparts at an acquired company.
Preferred qualifications
- 7+ years in application security, security consulting, or security architecture.
- Prior M&A security due diligence, third-party security assessment, or technical due diligence experience.
- Experience standing up or scaling SAST/DAST, bug bounty, or vulnerability management coverage across multiple codebases.
- Track record of building security automation or tooling rather than relying solely on manual review.
- Familiarity with using LLMs as a core part of your security workflow.
- Experience securing agentic, code-execution, or LLM-integrated systems.
Representative projects
- Use Anthropic's internal LLM-driven code analysis and AI-assisted scanning on an acquired repository and turn the output into a prioritized remediation plan in days rather than weeks.
- Design the risk-scoring framework Anthropic uses to compare security posture across acquisitions of different shapes and sizes.
- Build automation to onboard an acquired codebase to Anthropic's vulnerability dashboard, dependency auto-patching, and bounty scope without a human running a checklist.
- Write the security risk memo for a live deal and present it to corporate development and security leadership.
Compensation
Annual Salary: $320,000 - $485,000 USD
Logistics
- Minimum education: Bachelor’s degree or equivalent combination of education, training, and/or experience.
- Location: Remote-Friendly (Travel-Required); listed locations include San Francisco, CA; Seattle, WA; and New York City, NY. Anthropic expects staff to be in one of its offices at least 25% of the time for many roles.
- Visa sponsorship: Anthropic states they do sponsor visas and retain an immigration lawyer to help when they make an offer.
How we're different
Anthropic works as a cohesive team on large-scale AI research efforts, values communication, and emphasizes impactful, collaborative research and engineering. The team often uses Claude and LLM-driven tooling as part of workflows.