• Lead and manage the GRC and Security Engineering teams, including strategy, objectives, staffing, coaching, and performance management. • Own governance, risk, and compliance programs. Maintain ISO 27001 and related controls. Drive audit readiness for HIPAA and other frameworks. Coordinate policy lifecycle management and control testing. • Run vendor assessment and qualification program. Oversee third party risk management, due diligence, contractual security requirements, and continuous monitoring. • Provide AI related security assessments and guidance. Establish acceptable use guardrails for AI, assess model and data risks, and advise on controls for AI enabled solutions. • Oversee security architecture for cloud environments and enterprise platforms. Partner with engineering on secure design for AWS, Azure, identity, network, and data protection. • Direct security engineering operations. Manage EDR and threat detection with CrowdStrike, SIEM operations, CSPM posture management, vulnerability management, and SOAR automation. • Lead incident response readiness and execution. Run tabletop exercises, coordinate investigations, and deliver root cause and lessons learned. • Own and manage security budgets, multiyear planning, vendor contracts, and cost optimization while meeting control objectives. • Report program status and risk posture to executives and the board. Define and track KPIs and KRIs. Communicate clearly with technical and non technical stakeholders. • Establish and enforce secure software development practices and SDLC controls with engineering leadership. • Maintain a current security roadmap and maturity plan aligned to business priorities. • Oversee metrics, dashboards, and reporting for program performance and risk reduction. • Coordinate with Legal, Privacy, and Compliance on regulatory obligations and customer security assessments. • Champion security awareness training and culture, sponsor targeted training for engineering and high risk roles. • Evaluate, select, and manage strategic security vendors and platforms, drive successful implementations and integrations. • Represent security in customer meetings and due diligence, provide credible technical and compliance answers.

• Serve as the primary subject matter expert for Palo Alto Networks technologies (NGFWs, Cloud NGFW, Panorama), Web Application Firewall, Content Delivery Network, API Security, IDS/IPS, and DDoS prevention • Own onboarding, policy tuning, and lifecycle management for WAF and CDN platforms; lead firewall ruleset optimization, IDS/IPS tuning, and DDoS protection configuration • Partner with internal teams to drive the global rollout, tuning, and operational management of URL filtering and TLS decryption across the network estate • Lead API security efforts — ensuring API traffic routes through security tooling, identifying vulnerabilities, and working with application teams on fixes • Lead troubleshooting of complex, multi-layer global network and application issues — from packet captures on inter-continental BGP topologies to WAF false-positive triage • Partner with business and application teams to produce clear, actionable security documentation, change proposals, and executive-ready findings • Analyze existing network security architectures, processes, and procedures to identify gaps and drive meaningful improvements • Configure and report on defensive measures against advanced threat actor tactics; maintain current awareness of the evolving threat landscape and the effectiveness of our defenses against them • Communicate complex technical problems and solutions clearly to both global engineering teams and C-suite stakeholders • Champion the broader Security team’s initiatives, not just Network Security Engineering • Participate in the maintenance and tuning of all network security technologies including WAFs, CDNs, VPNs, and application-aware firewalls • Leverage and contribute to automation pipelines for global firewall rule deployment and policy management across the network estate • Utilize security tooling telemetry and data collection automations to produce actionable reporting and metrics for internal teams and executive stakeholders

Role Description The Senior Consultant, Application Security is a senior technical practitioner in IOActive's Application Security practice, with secure code review as the central specialty. The role centers on deep manual code audit work across web and systems languages, paired with application penetration testing, threat modeling, and Secure Development Lifecycle (SDLC) advisory engagements. - Code review engagements span the full landscape: - Source code reviews on production codebases for enterprise web applications, mobile backends, embedded systems, and cryptographic implementations - Application penetration testing against web, API, and mobile targets - Threat modeling for new product designs - SDLC advisory work helping clients integrate security into their development processes - The Senior Consultant brings particular depth in code review and broad competence across the adjacent work. Qualifications - 5+ years in offensive security services, with at least 2–3 years focused on application security and source code review - Hands-on engagement delivery across multiple AppSec disciplines — code review, application penetration testing, threat modeling, or SDLC consulting - Deep code review expertise in at least two of: - JavaScript / TypeScript (Node.js, modern frontends) - Python (Django, Flask, FastAPI) - Java (Spring, J2EE) - C# / .NET (ASP.NET, Core) - C / C++, Rust, GoLang - Working knowledge of common framework patterns, ORM behavior, authentication and authorization libraries, cryptographic libraries, and the security pitfalls particular to each - Familiarity with vulnerability classes - Nice to have - Familiarity with relevant standards and frameworks: OWASP ASVS, NIST SSDF, BSIMM, SAMM Requirements - Strong technical credibility and the comfort to operate as the senior voice on engagements - Excellent written communication — producing actionable reports for developers - Strong verbal communication, capable of presenting complex concepts to diverse audiences - Comfort moving between languages and stacks - Collaborative mindset — close coordination with delivery teams and client developers - Genuine curiosity about how systems work, and patience for reading code carefully Benefits - A chance to work with an industry leader in cyber security - Access to world-class technical teams and research - A high-energy, collaborative team that values innovation - Flexibility—work remotely or from the office as needed - Opportunities for travel - Competitive compensation and performance-based incentives - US base salary range $75,000 - $175,000, depending on experience level, background and location.

• Design, develop, and implement automations and workflows to improve security processes within security-oriented platforms and other IT platforms. • Build and optimize integrations between security tools/platforms. • Develop dashboards, reports, and technical documentation for stakeholders to track security operations deliverables, trends, and progress on security posture. • Support incident response and other security operations tasks through automation and orchestration. • Contribute to continuous improvement initiatives by applying DevOps and agile principles to security engineering tasks. • Collaborate with global teams to ensure alignment on security engineering, standards, and best practices.