Application Security Engineer
San Francisco, United States
Full Time
1 hour ago
Senior Level, Engineering
Over $120K USD per year

Job Description

Application Security Engineer Job Description:

About Retool:

  • Retool builds an enterprise AppGen platform that transforms natural language into production-ready code, integrates with business data, and meets high security and governance standards.
  • The platform enables analysts, operators, and domain experts to create production-grade software safely.
  • Over 100 million hours of work automated by developers and domain experts using Retool.

Role Purpose:

  • Handle security for a platform where customers write and execute arbitrary code.
  • Address a large, nuanced security surface with growing scope and ambition.
  • Combine deep security fundamentals with engineering execution; actively work in code to identify systemic patterns and build scalable tooling and solutions.
  • Understand product deeply: what customers build, where code executes, how data flows.
  • Focus on the intersection of platform capability and customer trust.
  • Explore AI-accelerated development impacts on application security including vulnerability detection, dependency management, and tooling.

Responsibilities:

  • Identify systemic security gaps in codebase and workflows; design and ship durable solutions.
  • Build security tooling, automation, custom linters, static analysis rules, and automated checks to catch vulnerabilities early.
  • Conduct in-depth code reviews and security design reviews with technical depth.
  • Drive threat modeling and security assessments for new features; translate requirements into practical guidance for developers.
  • Contribute to evolving security approaches as AI-assisted development scales internally.
  • Triage, track, and drive remediation of vulnerabilities; contribute to penetration testing and bug bounty programs.

Required Skills:

  • 5+ years hands-on application security and engineering experience (building solutions, not just auditing).
  • Ability to operate independently with good judgment in fast-moving environments.
  • Effective communication that earns trust; support business goals through security impact.
  • Experience shipping security tooling or automation benefiting multiple teams.
  • Strong engineering skills: read, reason about, review code deeply (not checklist-based).
  • Proficiency in TypeScript (platform language) and Python (security tooling).
  • Strong AppSec fundamentals: threat modeling, secure code review, understanding common vulnerabilities with durable fixes.
  • Pragmatic approach to AI tooling: use where it sharpens work; skeptical where it doesn’t; consider developer-side AI risk scaling.

Nice to Have:

  • Offensive security experience (bug bounty, CTFs, red team, pentesting).
  • Experience building/contributing to SAST pipelines or automated security testing infrastructure.
  • Startup or high-growth scaleup experience with evolving security programs.

Compensation & Benefits:

  • US base salary range: $231,900 – $318,250 per year (varies by level/experience/location).
  • Additional compensation may include equity/commission depending on role.
  • Comprehensive benefits including medical, dental, vision, 401(k).
  • Hybrid work location available.

Location: San Francisco, United States
Team: Engineering

About Retool

Retool is building the first enterprise AppGen platform, transforming natural language into secure, production-grade apps that work with real business data. They focus on redefining who gets to build software and making it safer and faster to do so.
