Security Engineer 1, Application Security

About the role

Who We Are Founded in 2012 by 3 expert hackers with no investment capital, Trail of Bits is the premier place for security experts to boldly advance security and address technology's newest and most challenging risks. It has helped secure some of the world's most targeted organizations and devices. Our combination of novel research with practical solutions reduces the security risks that our clients face from emerging technologies. Our work helps drive the security industry and the public understanding of the technology underlying our world. Cybersecurity preparedness is a moving target. Companies like ours are the tip of the spear in the fight against attackers. Our research-based and custom-engineering approach ensures that our client's capabilities are at the forefront of what's available. For companies and technologies that live and die by their security, a proactive, tailored approach is required to keep one step ahead of attackers. Democratizing security information is essential. As part of our business, we provide ongoing informational support through blogs, whitepapers, newsletters, meetups, and open-source tools. The more the community understands security, the more they'll understand why a company like ours is so unique and valuable. Role Trail of Bits seeks a Security Engineer 1 for our growing Software Assurance practice. You'll contribute to security assessments of client software, partnering with senior engineers, identifying vulnerabilities across the application and system level. You'll own pieces of client engagements, drive your own vulnerability analysis, and develop tools alongside the team. This role bridges vulnerability research and applied security, where you'll find real issues in real code and help clients understand and fix them. Your work will be hands-on and autonomous: analyzing complex code, building custom tooling, conducting threat modeling, and owning your findings through to client delivery. What You'll Achieve Security Assessment Ownership - Lead security assessments for specific components, modules, or systems within larger client engagements. Identify vulnerabilities, trace root causes, and own your analysis from discovery through client delivery. Vulnerability Discovery and Analysis - Find and validate real vulnerabilities in application code and systems. Explain exploitation paths, assess impact, and develop proof-of-concept code when needed. You'll do the work, not just assist. Custom Security Tooling - Design and build security testing tools and automation for vulnerability detection. Own tool development from concept through deployment on client projects. Architecture and Threat Modeling - Conduct threat modeling and architecture reviews of software systems. Identify attack surfaces, data flows, and security boundaries. Propose concrete mitigations. Client Communication - Translate technical findings into clear, actionable recommendations for engineering teams. Own client relationships for your component of the work. Research and Innovation - Contribute to security research initiatives. Build tools, document findings, and stay on the cutting edge of vulnerability research and application security. What You'll Bring Demonstrable vulnerability research capability - Proven ability to find and validate real vulnerabilities. This means: CTF wins, published CVEs, bug bounty finds, or security research that shows you can actually discover exploitable issues. Strong code analysis skills - You can read complex code, trace execution, identify logic flaws, and explain why something is exploitable. You understand the difference between a tool flagging something and it actually being a vulnerability. Hands-on coding proficiency - Fluent in at least two of: Rust, Go, C, C++, Python, JavaScript, TypeScript, or similar. You write code for security analysis and tool development, not just consume it. Memory safety understanding - You understand memory corruption vulnerabilities (buffer overflows, use-after-free, etc.) and modern mitigations (ASLR, DEP, CFI). You can reason about exploit primitives. Systems knowledge - Deep familiarity with operating systems, IPC, privilege boundaries, and how applications interact with system internals. This isn't theoretical, you've worked with this stuff. Autonomous problem-solving - You drive your own work. You own pieces of engagements. You ask good questions, debug issues, and reach conclusions without hand-holding. Clear technical communication - You can explain complex security findings to engineers. Your reports get read because they're clear and actionable. You can defend your analysis. Nice to Have Active CTF participation - Current or recent CTF team participation, CTF wins, or rankings. Shows you can solve hard security problems under pressure. Published vulnerability research - CVEs, bug bounties, responsible disclosures, or security writeups. Shows you've found real issues and validated them. Open source security contributions - Tools,

Your Match

How well this role fits your profile.

Company Intel

What employees say

Worked at Trail of Bits? Share your experience