Senior Security Engineer - Application & Product Security

Job Description

Job Description

CaptivateIQ is transforming the way companies plan, manage, and optimize sales performance. We started by revolutionizing incentive compensation management, and now we're expanding our platform to solve broader sales planning challenges. Recognized by industry analysts like Forrester and G2 and backed by top-tier investors, including Sequoia, ICONIQ and Accel, we empower high-growth companies like Netflix, Figma and Stripe with the flexibility and insights needed to drive revenue performance.

Join a talented, fast-growing team committed to solving some of the most complex and impactful problems in sales performance management.

About the Role

Security is a core value at CaptivateIQ. As we scale and expand our suite of services, embedding security into every phase of product development is critical to building trust in everything we deliver.

As a Senior Security Engineer focused on Application & Product Security , you will own our AppSec strategy - driving threat modeling, secure architecture design, and offensive security testing . You will lead manual and automated penetration testing, manage AppSec tooling (SAST, DAST, SCA), and build developer enablement programs. You’ll also be responsible for vulnerability management, incident response for application-layer events, and ensuring compliance alignment for SOC 2, ISO 27001, and privacy requirements.

This role blends offensive and defensive expertise with strategic influence, giving you the autonomy to shape a scalable, modern AppSec program.

Job Location

Remote

Raleigh, NC

Nashville, TN

Toronto, Canada

Responsibilities

• Threat Modeling & Architecture Reviews Mature and scale a modern threat modeling program across products and services. Enable secure by design architectures in collaboration with Engineering teams.
• Offensive Security Testing Conduct penetration tests (white-box and black-box) for web applications and APIs. Perform dynamic (DAST), static (SAST), and software composition (SCA) analysis. Simulate adversary attack scenarios to validate controls and identify gaps.
• Secure SDLC Integration Embed security into every stage of development; implement automated security tooling in CI / CD pipelines.
• Vulnerability Management Triage and prioritize application-layer vulnerabilities and guide engineering teams through remediation.
• Developer Enablemen t Deliver secure development and coding training; create resources to reduce recurring vulnerabilities.
• Bug Bounty Management Oversee Bug Bounty program, validate findings, and ensure timely resolution.
• Incident Response Leadership Lead investigations for application-layer security incidents and conduct post-incident analysis.
• Compliance Enablement Support audits, technical evidence collection, and control design for SOC 2, ISO 27001, and privacy-by-design requirements.
• Customer Trust Contribute to customer security assessments, penetration test reports, and security documentation.

Requirements

Nice to have

Benefits

Notice to Prospective Candidates

The base range represents the minimum and maximum for this position across North America. For candidates in Raleigh , the range is $170,980–$197,760; for Toronto, and Nashville locations, the range is $154,500–$177,160. The compensation offered for this position will depend on numerous factors, including individual proficiency, anticipated performance, and the location of the selected candidate. Our OTE is just one component of CaptivateIQ's competitive total rewards package.

CaptivateIQ participates in E-Verify, web-based system that allows enrolled employers to confirm the eligibility of their employees to work in the United States

We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.