
Senior AI Security Engineer

Remote in Poland
Security.Development

We are seeking a Senior AI Security Engineer to secure software across the full development lifecycle. This role embeds security into design, code, build and release; operates application security tooling and pipelines; partners with engineering to drive remediation; and applies AI both to accelerate AppSec work and to secure AI- and LLM-powered applications.

Responsibilities
  • Embed security into the full software development lifecycle and drive shift-left and secure-by-design practices across engineering teams
  • Perform and facilitate threat modeling, architecture security reviews, and design reviews for applications, services, and APIs
  • Conduct secure code reviews (manual and AI-assisted) and advise developers on secure coding patterns and remediation
  • Implement, configure, tune, and operate application security tooling, including SAST, DAST, IAST, SCA, secrets scanning, and IaC scanning, integrated into CI/CD pipelines
  • Triage, validate, prioritize, and reduce false positives in security findings, and partner with development teams to track issues through to remediation
  • Define, implement, and maintain security gates and policies in CI/CD pipelines that balance risk reduction with developer velocity
  • Secure the software supply chain, including dependency and open-source risk management, SBOM generation, artifact integrity and signing, and build pipeline hardening
  • Support and coordinate application penetration testing and validate fixes for identified vulnerabilities
  • Drive secrets management, secure configuration, API security, container and image security, and microservice security practices
  • Establish and run a security champions program, and develop and deliver secure-coding training, guidelines, and reusable security patterns for developers
  • Define and maintain application security standards, baselines, and policy-as-code, and contribute to vulnerability management and risk-acceptance processes
  • Build, deploy, and maintain AI-assisted automations and agentic workflows that reduce manual effort across daily application security activities, such as: vulnerability triage, deduplication, prioritization, and false-positive reduction; automated and assisted code review with concrete remediation guidance and example fixes; threat modeling support and abuse-case and attack-path generation; finding enrichment, root-cause analysis, and remediation-PR drafting; compliance evidence collection; secure-coding documentation, query, and runbook automation
  • Build and integrate AI agents and LLM-backed automations into the SDLC and CI/CD pipelines, connecting models to scanners, code hosts, ticketing, and security tooling via function calling, REST, and webhooks
  • Develop, test, and maintain reusable prompts, structured-prompting patterns, and prompt templates for recurring AppSec tasks, and tune them for accuracy, signal quality, and safe behavior
  • Implement retrieval over codebases, security standards, and remediation guidance (for example RAG) so AI assistants answer from current, authoritative internal context rather than guesswork
  • Build evaluation, validation, and human-in-the-loop checkpoints into AI-assisted AppSec workflows, including output verification, guardrails, and approval gates before findings, fixes, or pipeline decisions are acted on
  • Implement security and privacy controls for AppSec AI usage, including least-privilege access for agents, source-code and secrets handling, prompt-injection resistance, and auditability of AI-driven actions
  • Design, implement, and operate security controls for AI- and LLM-powered application features, including input and output validation, prompt-injection and jailbreak defenses, tool- and function-call authorization, rate limiting, and model and data access governance, aligned to the OWASP Top 10 for LLM Applications
  • Define and enforce guardrails for secure adoption of AI in product engineering, covering prompt security, model and tool access control, output handling, data protection, auditability, and human-in-the-loop processes, and advise development teams on building AI features securely
Requirements
  • Bachelor's degree in Computer Science, Information Security, Engineering, or equivalent practical experience
  • Hands-on application security experience across the software development lifecycle
  • Strong understanding of common application vulnerability classes and mitigations, including the OWASP Top 10, and of secure coding principles
  • Practical experience with application security tooling, such as SAST, DAST, SCA, and secrets scanning, and integrating it into CI/CD
  • Working knowledge of at least one programming language (for example Python, Java, C#, JavaScript/TypeScript, or Go) sufficient to read code and assess vulnerabilities
  • Experience with threat modeling and secure design review methodologies
  • Understanding of DevOps/DevSecOps practices, CI/CD pipelines, and secure-by-design principles
  • Familiarity with cloud application security concepts across at least one major cloud platform such as Azure, AWS, or GCP
  • Experience participating in at least several production projects or engineering teams
  • Ability to work closely with developers, architects, QA engineers, DevOps, product, and security teams, and to influence without owning the codebase
  • Ability to follow, maintain, and improve defined security processes
  • Practical understanding of AI-assisted productivity and automation beyond basic chatbot usage, including at least some of the following: building or configuring AI agents; using AI to automate repetitive security or engineering tasks; integrating LLMs with tools, APIs, documents, or workflows; prompt engineering and structured prompting; creating AI-assisted runbooks, scripts, queries, or documentation; using AI tools securely with awareness of sensitive data handling and access control
  • Good communication skills and the ability to explain security risks, technical decisions, and remediation plans to both technical and non-technical stakeholders
Nice to have
  • Experience with application security platforms and tools such as Snyk, Checkmarx, Veracode, SonarQube, Semgrep, GitHub Advanced Security, Burp Suite, OWASP ZAP, or similar
  • Experience with software supply chain security, including SBOM, SLSA, Sigstore, and dependency and artifact integrity controls
  • Experience with Infrastructure as Code and policy-as-code security tools such as Terraform, Bicep, ARM templates, OPA, Checkov, or Trivy
  • Experience with container and Kubernetes security, including image scanning, registries, runtime protection, and network policies
  • Experience with API security, secrets management (for example HashiCorp Vault, Azure Key Vault), and microservice security patterns
  • Understanding of at least one compliance or security framework, such as ISO 27001, NIST, CIS Benchmarks, PCI DSS, HIPAA, SOC 2, or SOX
  • Experience integrating security findings with SIEM/SOAR, ticketing, and vulnerability management workflows
  • Experience with AI/LLM platforms or frameworks such as Azure OpenAI, Azure AI Foundry, Amazon Bedrock, Microsoft Copilot Studio, LangChain, or AutoGen
  • Understanding of AI and LLM application security risks, including prompt injection, insecure output handling, data leakage, excessive agency, insecure tool use, model governance, and AI supply chain risks (for example, awareness of the OWASP Top 10 for LLM Applications)
  • Security certifications such as: CSSLP: Certified Secure Software Lifecycle Professional; GWAPT / GWEB: GIAC Web Application Penetration Tester / Web Application Defender; OSCP / OSWE: Offensive Security certifications; CISSP, CISM, CSSLP, CCSP, or similar; AI-related certifications are a plus, for example: AI-900: Microsoft Azure AI Fundamentals; AI-102: Azure AI Engineer Associate