Skip to content

Product Security Engineer

CollectiveSan Francisco, CA, USJuly 18, 2026
Hybrid
Full-time
Application Security
Mid · 4+ yrs

About Collective:

Collective is on a mission to redefine the way businesses-of-one work. Our technology and team of trusted advisors help members achieve financial independence by taking care of everything from business incorporation to accounting, bookkeeping, tax services, and access to a thriving community, all in one integrated platform. We believe in empowering self-employed people to enjoy the same tax savings that big companies get, so they can focus on their passion, not paperwork.

Featured in Forbes, Business Insider, Yahoo, Bloomberg, Financial Times, TechCrunch, and more. We are backed by General Catalyst, Sound Ventures (Ashton Kutcher and Guy Oseary), QED Investors, Google’s Gradient Ventures, Expa, and other investors who have financed iconic companies like YouTube, Substack, Twitch, Box, Hims, Instacart, and Lyft.

About the role:

We're hiring a Product Security Engineer to build Collective's application security program — with AI agents at the center of it from day one. This is not a legacy appsec role where you triage a scanner queue by hand: you'll design and operate an agentic appsec pipeline where automated security testing across the stack — static analysis, dynamic testing, and dependency scanning — combines with AI-driven triage and automated security review of code changes to give engineering teams fast, high-signal feedback. Alongside the program, you'll drive vulnerability remediation across the platform — from finding to verified fix — and make targeted code changes that eliminate whole classes of vulnerabilities rather than patching them one at a time. You'll work closely with product engineers on a platform that handles our members' financial and tax data, where the cost of a missed vulnerability is real.

What you'll do: 

  • Build and operate an agentic application security program: the full testing stack — SAST, DAST, and software composition analysis (SCA) — integrated into CI/CD, LLM-based triage that separates real findings from noise, and automated security review of pull requests — so security feedback arrives in minutes, not review cycles.

  • Drive vulnerability remediation end to end: triage and rate findings from scanners, penetration tests, and researchers; route fixes to owning teams; track them to closure against SLAs; and verify that fixes actually close the hole.

  • Eliminate vulnerability classes at the root: ship secure defaults, paved-path libraries, and framework-level fixes so the easy way to write a feature is also the safe way — targeted, well-scoped code changes in the product codebase.

  • Lead threat modeling and security review for new features and platform changes, engaging with product engineers early in design rather than at the end — and automate the practice over time, so threat models are living documents that agents draft and update as the system changes rather than point-in-time artifacts.

  • Tune and evolve the program's signal quality: new rules, better prompts, fewer false positives — treating the agentic pipeline itself as a product you iterate on.

  • Stay current on the vulnerability landscape relevant to a fintech platform handling sensitive financial and tax data, and translate what matters into concrete program changes.

What you'll bring:

  • 4+ years of security engineering experience with real depth in application security: you know the major vulnerability classes cold — how they're introduced, exploited, and durably fixed — and you've improved the security posture of a production platform, not just reported on it.

  • Hands-on experience with SAST, DAST, and SCA tooling and CI/CD integration — Semgrep, CodeQL, Bandit, OWASP ZAP, Burp Suite, or equivalent — including the judgment to know which findings matter.

  • Genuine enthusiasm for building with LLMs and AI agents: you've used them to automate security work (or are visibly on your way there), you can write and evaluate the prompts and workflows that make agentic tooling reliable, and you treat AI as leverage rather than a threat to the craft.

  • Enough software engineering skill to make confident, well-scoped changes in a production codebase — reading unfamiliar code, shipping a paved-path library, fixing a vulnerability pattern across a service (we run Python/Django on AWS). Building large systems from scratch is not the center of this role; landing precise changes in someone else's code is.

  • Experience driving remediation through teams you don't manage: clear writeups, severity calls you can defend, and the persistence to get fixes over the line without burning relationships.

  • Product empathy: security feedback that engineers act on is feedback shaped for how they work — you optimize for fixed vulnerabilities, not filed tickets.

What we offer:

  • Hybrid Work Model: Based in San Francisco with a balance of in-office and remote flexibility.

  • Fresh Lunch: Provided on in-office days.

  • Commuter Support: $150 monthly reimbursement for transit expenses.

  • Health & Wellness: $200 quarterly reimbursement to support your well-being.

  • Time Off: Flexible PTO plus 14 company holidays.

  • Comprehensive Coverage: 100% medical, dental, and vision for employees; 75% coverage for dependents.

  • Parental Leave: 16 weeks fully paid.

  • Retirement & Ownership: 401k plan plus an equity package.

  • Team Connection: Quarterly virtual events and an annual in-person summit.

Job Details

Salary

$170,000 – $200,000/yr

Experience

Mid · 4+ yrs

Tools & Tech

AWS
Burp Suite
CodeQL
Django
OWASP ZAP
Python
Semgrep