Security Engineer, Application Security
United States
Job Description
About Trail of Bits: Trail of Bits (trailofbits.com) is a globally recognized cybersecurity firm that combines vulnerability research, software assurance, and security tooling on a mission to protect, automate, and systematically harden high-stakes digital infrastructure. Founded in 2012 by security specialists with no outside capital investment, our engineering culture combines offensive research with practical testing tooling to protect the world's most targeted networks, cryptographic protocols, and embedded devices. Trail of Bits operates under a strict transparency philosophy, sharing its internal security knowledge with the public through research whitepapers, open-source auditing tools, and contributions to widely used developer tools. Trail of Bits equips its security engineers with the freedom to eliminate memory-safety bugs, research low-level platform internals, and build category-defining testing automation.
Position Overview
We are seeking a highly analytical, systems-minded Security Engineer 1 to join our fast-growing Software Assurance group in a full-time, fully remote role based anywhere in the United States. Working at the intersection of production codebase debugging, custom automation engineering, and offensive vulnerability discovery, you will take individual operational and strategic ownership of evaluating complex client application stacks. Rather than spreadsheet logging, policy checkbox reviews, asset tracking, or slow coordination loops, you will run an active reverse engineering, source-code auditing, and architectural boundary analysis practice, partnering directly with senior assurance leads, open-source engineers, and external software development teams. This position suits an early-career security specialist or a transitioning software developer with 0-2 years of experience who can map out system risks fluently, evaluate complex backend topologies with a clear grasp of memory-corruption mitigations, and run rigorous software threat-modeling cycles confidently in high-stakes client engagements.
Key Responsibilities
- Client Security Assessment Ownership: Take ownership of identifying vulnerabilities, tracing deep architectural failures, and driving security assessments of specific sub-modules within larger enterprise software ecosystems.
- Offensive Vulnerability Analysis: Review, audit, and validate critical logic and structural vulnerabilities in client application codebases, mapping out exploit vectors and building functional proof-of-concept components.
- Custom Testing Automation Engineering: Design, develop, and deploy specialized security testing frameworks, static analyzers, and fuzzing automation to accelerate bug discovery in client codebases.
- Architecture Review and Threat Modeling: Conduct code-level threat modeling and attack-surface evaluations to trace application data flows, establish secure multi-tenant privilege boundaries, and propose concrete mitigation patches.
- Clear Engineering Communication: Translate complex exploitation primitives and high-severity findings into scannable, actionable recommendations, and own the technical relationship with engineering stakeholders.
- Open Security Research Innovation: Contribute to internal and public research streams, drafting detailed documentation and developing open-source auditing libraries to stay at the forefront of modern application security.
Required Skills & Qualifications
- Proven history demonstrating practical vulnerability research talent, backed by a verifiable track record of identifying real bugs (e.g., public CVE registries, bug bounty disclosures, or competitive CTF team placements).
- Expert-level ability to read complex source code, trace runtime memory changes, and analyze raw execution logic fluently using sound security principles.
- Hands-on system programming fluency writing, debugging, or analyzing software across at least two major programming languages (such as Rust, Go, C, C++, Python, or TypeScript).
- Solid understanding of lower-level memory safety mechanics, including clear conceptual literacy regarding buffer overflows, use-after-free anomalies, ASLR, DEP, and Control Flow Integrity (CFI).
- Strong operating systems familiarity, including interprocess communication mechanisms, privilege separation, and user-space to kernel-space interaction vectors.
- Highly autonomous, self-sufficient problem-solving habits enabling you to execute granular codebase research steps and reach sound conclusions without constant managerial hand-holding.
- Location Context: Position open to qualified application security professionals located and resident permanently within the United States to execute a highly autonomous, work-from-home remote track.
Preferred Strategic Indicators (Nice to Have)
- Active, current participation or historic ranking achievements inside elite international Capture the Flag (CTF) security hacking teams.
- Prior history contributing to public open-source software security repositories, building security libraries, or delivering technical conference presentations.
- Direct binary analysis or vulnerability assessment experience covering mobile platform internals (iOS, Android, or macOS).
- Familiarity evaluating enterprise cloud platform security across AWS, Azure, or GCP infrastructure.
What We Offer
- Competitive Compensation: A full-time base salary calibrated against your technical depth, structured transparently between $100,000 and $160,000 USD per year, supplemented by annual performance-based bonuses.
- The opportunity to take strategic ownership of high-stakes assessment modules for leading global technology clients.
- Remote-First Work: A 100% remote environment, full personal schedule flexibility, and a $1,000 home-office hardware stipend.
- Comprehensive Health and Wellness: 100% company-covered medical, dental, vision, life, and disability insurance, alongside 4 months of fully paid parental leave.
- Retirement: A company 401(k) plan with a 5% base salary match.
- Continuous Career Growth: A dedicated $750 yearly learning allocation and fully sponsored global team-building summits, including travel.