Software Engineer, Security

About the Role

We’re looking for a software engineer focused on making our products secure by default while supporting fast and ambitious product iteration. You’ll embed with product and research teams to bake security into design and development and to build tooling and automation that keep systems safe at scale.

Note: This is an "evergreen role" that we keep open on an on-going basis to express interest. We receive many applications, and there may not always be an immediate role that aligns perfectly with your experience and skills. Still, we encourage you to apply. We continuously review applications and reach out to applicants as new opportunities open. You are welcome to reapply if you get more experience, but please avoid applying more than once every 6 months. You may also find that we put up postings for singular roles for separate, project or team specific needs. In those cases, you're welcome to apply directly in addition to an evergreen role.

What You’ll Do

• Partner with product and research teams to embed security into the development lifecycle: threat modeling, design reviews, and secure defaults for new features.
• Design and implement security controls across our product stack (authentication, authorization, session management, input validation, etc.).
• Build and maintain security tooling and automation for engineers: secure frameworks and templates, CI/CD checks, dependency management, and vulnerability detection.
• Collaborate with researchers to identify and mitigate AI-specific product risks, such as model abuse, prompt injection, data leakage, or misuse of capabilities.
• Improve observability and detection for security-relevant events: access anomalies, abuse patterns, and suspicious behavior in production.

Skills and Qualifications

Minimum qualifications:

• Bachelor’s degree or equivalent experience in computer science, engineering, or similar.
• Proficiency in at least one backend language (we use Python or Rust).
• Strong generalist software engineering background and ability to review production code for security risks.
• Hands-on experience securing web apps and APIs especially auth flows, access control, secrets management, input validation, and data protection.
• Familiarity with common vulnerability classes and prevention frameworks; experience hardening prototypes into production.
• Comfort with modern cloud infrastructure and understanding how application concerns intersect with infrastructure.
• Comfort operating across the stack and owning projects end-to-end.
• Thrive in a highly collaborative environment involving many, different cross-functional partners and subject matter experts.
• A bias for action with a mindset to take initiative to work across different stacks and different teams where you spot the opportunity to make sure something ships.

Preferred qualifications — we encourage you to apply if you meet some but not all of these:

• Experience securing AI‑powered products or working with ML/LLM APIs and their unique threat models.
• Background in human-computer interaction, especially where security or trust plays a central role in the user experience.
• Strong skills in rapid prototyping and iteration, with a habit of turning ad-hoc fixes into reusable patterns and tools.
• Open‑source security work, bug bounty write‑ups, or published tooling.

Logistics

• Location: This role is based in San Francisco, California. 
• Compensation: Depending on background, skills and experience, the expected annual salary range for this position is $350,000 - $475,000 USD.
• Visa sponsorship: We sponsor visas. While we can't guarantee success for every candidate or role, if you're the right fit, we're committed to working through the visa process together.
• Benefits: Thinking Machines offers generous health, dental, and vision benefits, unlimited PTO, paid parental leave, and relocation support as needed.