Who We Are Founded in 2012 by 3 expert hackers with no investment capital, Trail of Bits is the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks. It has helped secure some of the world's most targeted organizations and devices. Our combination of novel research with practical solutions reduces the security risks that our clients face from emerging technologies. Our work helps drive the security industry and the public understanding of the technology underlying our world. Cybersecurity preparedness is a moving target. Companies like ours are the tip of the spear in the fight against attackers. Our research-based and custom-engineering approach ensures that our client’s capabilities are at the forefront of what’s available. For companies and technologies that live and die by their security, a proactive, tailored approach is required to keep one step ahead of attackers. Democratizing security information is essential. As part of our business, we provide ongoing informational support through blogs, whitepapers, newsletters, meetups, and open-source tools. The more the community understands security, the more they’ll understand why a company like ours is so unique and valuable. Role Trail of Bits seeks a Senior Security Engineer specializing in Application Security for Agentic AI systems, within our growing Software Assurance team. You will conduct comprehensive security assessments of large language model systems, examining software across the AI supply chain and application stack — such as LLM web applications, agentic coding tools, training data and inference pipelines, and guardrail mechanisms. Additionally, this role will be responsible for development, and operationalization of prompt injection techniques, for use in end-to-end application security reviews. You will identify and analyze novel attack vectors and vulnerabilities specific to AI and agentic environments, focusing on real-world failure modes, system integration issues, and unauthorized access vectors. This role allows you to apply application security experience and adversarial thinking to the latest agentic systems and buisness integrations. In addition to performing technical assessments, you will contribute to threat modeling, adoption risk frameworks for generative AI tooling, and delivering specialized training to clients on Agentic AI security concepts, including prompt injection, ML-specific attacks, and data pipeline threats. What You'll Achieve - Agentic AI Security Assessments: Conduct comprehensive application security assessments of agentic AI pipelines, tools, and frameworks for leading companies and labs. Examine vulnerabilities in model architectures, guardrails, and deployment infrastructure while developing mitigation strategies. - Prompt Injection Research & Development: Develop and share novel prompt injection techniques targeting agentic workflows, including indirect injection via tool outputs, multi-turn manipulation, and cross-agent exploitation. Produce actionable attack libraries and defensive countermeasures for client engagements. - Application Security Assessment: Conduct security assessments of client code bases using a combination of static analysis, dynamic testing, and manual code review, identifying vulnerabilities and developing mitigation strategies, with a focus on findings at the intersection of application security and Agentic AI security. - Threat Modeling: Conduct threat modeling and risk assessments to proactively identify potential risks for clients and develop mitigation strategies for future prevention, with particular attention to prompt injection attack surfaces in agentic orchestration layers. - Client Engagement: Work with leading industry teams to review system code and architecture, and help assure their products through system analysis and modeling. - AI Policy & Compliance Initiatives: Develop and contribute to AI regulatory frameworks, establishing assurance methods and auditing processes for mission-critical AI applications while ensuring alignment with emerging industry standards and safety requirements. What You'll Bring - AI Security Expertise: Demonstrated interest and experience in agentic AI security, with demonstrated ability to identify and mitigate AI-specific vulnerabilities across complex systems, including hands-on experience with prompt injection attacks and defenses. - Technical AI Knowledge: Deep understanding of AI/ML architectures, frameworks (PyTorch, Jax, LangChain, RAG systems, etc.), and MLOps practices, combined with robust security engineering expertise. - Application Security Skills: Track record of conducting technical security assessments of software, including software and system hardening, security policy analysis, and implementing effective security measures. - Prompt Injection Proficiency: Practical experience designing and executing prompt injection workflows against production LLM systems, agentic pipelines, and tool-use environments, including familiarity with emerging taxonomies and mitigation approaches. - Programming Proficiency: Strong knowledge of multiple programming languages such as Rust, Golang, Kotlin, Swift, Objective-C, JavaScript/TypeScript, Python, Ruby, C and/or C++ for both security analysis and tool development. - Hacker Mindset: A creative and adversarial mindset, with a passion for discovering novel attack vectors and understanding how systems work across many layers of abstraction. - Communication Skills: Ability to effectively communicate complex security concepts to diverse stakeholders and deliver clear, actionable recommendations. The base salary for this full-time position ranges from $100,000 to $200,000 excluding benefits and potential bonuses. Various factors influence our salary ranges, including the specific role, level of seniority, geographic location, and the nature of the employment contract. An individual's specific work location, unique skills, experience, and relevant educational background will determine the final offer within this range. The presented salary range encompasses the starting salaries for all U.S. locations. For a precise salary estimate tailored to your preferred location, please discuss it with your recruiter during the hiring process. Trail of Bits, Inc. participates in E-Verify, the US federal electronic employment eligibility verification program. Learn more.  Only applications completed via our Careers page will be considered for further review. When you apply, you'll be added to our newsletter so you can stay updated on company news and opportunities. You can opt out anytime.

• Responsible for executing comprehensive information security risk assessments of third-party vendors engaged by PPFA, Affiliate, and Ancillary organizations. • Evaluate vendors across multiple risk tiers to ensure they meet information security policies, HIPAA and PCI DSS requirements, and applicable regulatory standards. • Thoughtfully analyze vendor-provided documentation, identify potential risks, collaborate with key parties, and produce detailed and accurate assessment reports. • Manage the end-to-end TPRM process for assigned vendors including initiating communications, reviewing security documentation, identifying risks, and producing assessment reports. • Engage with internal and external partners to facilitate information gathering, clarify responses, and resolve risks. • Collaborate with internal stakeholders to ensure vendor assessments align with contract and compliance requirements.

• Build and maintain 3–5x pipeline coverage through outbound prospecting, account targeting, and partner engagement • Proactively identify and engage net-new agencies and investigative units • Own the full sales cycle from prospecting through discovery, demo, proposal, and close • Consistently meet or exceed quarterly and annual quota • Drive competitive takeout strategies against incumbent solutions such as Cellebrite and Magnet • Penetrate state, local, and law enforcement agencies within assigned territory • Leverage contract vehicles, funding cycles, and procurement strategies to accelerate deals • Build relationships across technical users, command staff, and procurement stakeholders • Lead high-impact conversations with investigators and leadership • Deliver compelling demos and clearly articulate operational and investigative value • Align Oxygen solutions to real-world investigative workflows and pain points • Work with channel partners including Carahsoft, resellers, and integrators to drive deal velocity • Collaborate with Sales Engineering and leadership to win complex opportunities • Provide real-time market feedback on competitors and customer requirements

• Own the cybersecurity expertise for Grid Automation within a given territory / region • Assist the Sales Operations teams in responding to demo requests, RFPs, and other Bid/Tender requests • Stay connected with the market dynamics, engage with GA customers to understand their cybersecurity needs / pain-points, and translate them into new cybersecurity sales opportunities • Present the Grid Automation cybersecurity offerings to customers in a variety of locations – including trade shows and events • Develop sophisticated cybersecurity designs for customer environments • Understand competitors’ offerings, industry trends, customers’ behavior • Be available to be “hands-on” at customer sites to assist in the design, configuration, and installation of a variety of cybersecurity offerings • Promote the GA cybersecurity offerings with utility and industrial customers and the GA sales organization • Drive productive interactions with GA region teams, other GA Product Managers, R&D and product development, Technical Application Engineering, and Commercial teams • Develop, coach, and mentor the regional cybersecurity delivery teams (customer engineers) to strengthen their overall technical and business capabilities • Develop and conduct training on a variety of cybersecurity topics for the Regions and GA staff as needed