Application Security Engineer
Team: Engineering
Location: San Francisco, United States

ABOUT RETOOL

Nearly every company in the world runs on custom software for critical operations like tracking performance metrics, handling customer support workflows, building admin dashboards, and countless other processes you might not have even thought of. But most companies don't have adequate resources to properly invest in these tools, leading to a lot of old and clunky internal software or, even worse, users still stuck in manual and spreadsheet flows.

At Retool, we're building the first enterprise AppGen platform: software that transforms natural language into production-ready code, integrates directly with business data, and meets the highest standards of security and governance.

AI is redefining what it means to build software, and who gets to build it. The definition of "developer" now includes analysts, operators, and domain experts creating solutions directly. As the pool of builders widens, so does the complexity of what they need to build. The opportunity is enormous, but so is the challenge of enabling this larger community to build production-grade software safely. That means AI that understands real business data, enforces enterprise policies automatically, and empowers teams to create once and reuse everywhere with shared, trusted components. Over 100 million hours of work have been automated by developers and domain experts using our platform...

WHY WE'RE LOOKING FOR YOU

Retool handles our customers' most sensitive data and provides a platform where they write and execute arbitrary code. The security surface that comes with that is large... You'll be in the code... building tooling... working with engineering teams... AI-accelerated development impact on application security... experiments including AI vulnerability detection/fixing... automating dependency management... rethinking security teams' capabilities...

IN THIS ROLE YOU WILL:
- Identify systemic security gaps in the codebase and engineering workflows, design durable solutions, and drive them to completion rather than just surfacing problems
- Build security tooling, automation, and code-level controls (custom linters, static analysis rules, automated checks)
- Conduct in-depth code and security design reviews, engaging with the architectural tradeoffs involved
- Drive threat modeling and security assessments, translating security requirements into practical guidance for engineers
- Contribute to an evolving approach to security as AI-assisted development scales
- Triage, track, and remediate vulnerabilities; contribute to penetration testing and bug bounty programs
SKILLS & QUALIFICATIONS:
- Programming Languages: TypeScript (the platform is built in it), Python (security tooling)
- Security Fundamentals: threat modeling; secure code review; understanding of common vulnerability classes and their durable mitigation
- Security Tooling: custom linters; static analysis rules and tools; automated vulnerability detection and fixing tools; SAST pipelines (nice to have)
- Offensive Security: bug bounty; CTF participation; red team or pentesting experience (nice to have)
- Methodologies: identifying systemic problems and designing durable solutions; architectural tradeoff analysis; pragmatic use of AI tooling; prioritization that balances speed against correctness, and knowing when to escalate, in fast-moving environments
- Tools: custom linters; static analysis tools; automated vulnerability detection and fixing tools; penetration testing tools; bug bounty program management
- Soft Skills: independent judgment and prioritization in a fast-paced environment; trust-building communication with engineers; collaboration with engineering teams
- Domain Expertise: enterprise AppGen platform security; the impact of AI-assisted development on application security; experience in a startup or high-growth scaleup environment (nice to have)
- Experience Requirements: 5+ years of hands-on application security or engineering experience (not mainly consulting, audit, or compliance)
Retool is building the first enterprise AppGen platform, transforming natural language into secure, production-grade apps that work with real business data. They focus on redefining who gets to build software and making it safer and faster to do so.