Senior Application Security Engineer

Location: IN-Remote
ID: 2026-9784
Position Type: Full-Time
Employee Type: Regular
Location Type: Remote

The Company

Serving the People Who Serve the People

 

Granicus is driven by the excitement of building, implementing, and maintaining technology that is transforming the Govtech industry by bringing governments and their constituents together. We are on a mission to support our customers in meeting the needs of their communities and implementing our technology in ways that are equitable and inclusive. Granicus has consistently appeared on the GovTech 100 list over the past 5 years and has been recognized among the best companies to work for on BuiltIn.

Over the last 25 years, we have served 5,500 federal, state, and local government agencies, and more than 300 million citizen subscribers power an unmatched Subscriber Network that uses our digital solutions to make the world a better place. With comprehensive cloud-based solutions for communications, government website design, meeting and agenda management software, records management, and digital services, Granicus empowers stronger relationships between government and residents across the U.S., U.K., Australia, New Zealand, and Canada. By simplifying interactions with residents while disseminating critical information, Granicus brings governments closer to the people they serve, driving meaningful change for communities around the globe.


Want to know more? See more of what we do here.

Job Summary

As a Senior Application Security Engineer, you will be responsible for identifying and mitigating security vulnerabilities across software applications and AI-enabled features through security tooling, secure code reviews, penetration testing, and security assessments. You will work closely with development teams to ensure secure coding practices are integrated throughout the software development lifecycle (SDLC), preventing security risks before they emerge.

This role includes hands-on testing of LLM-enabled applications, including prompt injection, indirect prompt injection, data leakage risks in RAG pipelines, and tool/agent misuse scenarios. You will help define and validate guardrails and monitoring to ensure AI features are deployed safely and responsibly.

What Your Impact Will Look Like

  • Perform Security Assessments: Conduct regular security assessments, secure code reviews, threat modeling, and penetration testing (web, API, and cloud-native services) to identify vulnerabilities and provide clear remediation guidance.
  • AI / LLM Security Testing: Plan and execute security testing for LLM-enabled applications (chat, copilots, RAG, and agentic workflows), including prompt injection/jailbreak testing and indirect prompt injection via untrusted content.
  • Data Protection & Leakage Testing: Assess sensitive data exposure risks (system prompt leakage, retrieval leakage, secrets exposure, PII disclosure) and validate compensating controls such as redaction, access controls, and logging.
  • Tool/Agent Abuse Testing: Evaluate risks in tool/function calling and agent integrations (over-privileged tools, authorization gaps, unsafe actions, SSRF-style tool access) and recommend mitigations.
  • Develop and Implement Security Tools: Design, develop, and implement security tools and automation (CI/CD checks, security tests, reusable libraries) to prevent and detect vulnerabilities at scale.
  • Collaborate with Development Teams: Partner with engineering teams to embed security best practices across the SDLC, establish secure coding guidelines, and deliver pragmatic security enablement.
  • Vulnerability Management: Track, analyze, and manage vulnerabilities end-to-end (triage, prioritization, remediation support, and validation) and drive root-cause fixes to reduce recurrence.
  • Incident Response Support: Assist with investigation and response for application security incidents, ensuring timely resolution, documentation, and lessons learned.
  • Stay Current on Security Trends: Maintain awareness of emerging application and AI security threats, and continuously improve testing methods, controls, and developer guidance.

You Will Love This Job If You Have

  • Bachelor’s degree in Computer Science, Information Security, or related field (or equivalent experience).
  • 6–10+ years of experience in application security, product security, penetration testing, or secure software engineering (senior level).
  • Demonstrated experience with secure SDLC practices, threat modeling, secure code review, and driving remediation with engineering teams.
  • Hands-on expertise in web and API security testing and common vulnerability classes (authn/authz, injection, SSRF, access control, crypto misuse, etc.).
  • Proficiency in at least one programming language (e.g., Python, Java, Go, JavaScript/TypeScript, C#) and ability to review production code.
  • Experience building or operating security tooling and automation in CI/CD environments; comfort with scripting and APIs.
  • Required AI/LLM security experience: prompt injection/jailbreak testing and understanding of LLM application threat models (RAG leakage, system prompt exposure, tool/function calling abuse, agent misuse).
  • Excellent written and verbal communication skills; ability to influence stakeholders and mentor engineers.

Other Job Info

Location: India (City flexible; hybrid/remote depending on team needs).

Shift hours can be mainly first shift local time, with some meetings during US business hours, complemented by flexible scheduling.

Security Requirement:

Responsible for preserving the Confidentiality, Integrity, and Availability (CIA) of company information assets in accordance with the organization’s information security program.

About Us

Don’t have all the skills/experience mentioned above? At Granicus, we are trying to build diverse, inclusive teams. We do not have degree requirements for most of our roles. If you don’t meet every requirement above but are excited to learn more, we encourage you to apply. We might just be able to find another role that could be a perfect fit!

 

Security and Privacy Requirements

  • Responsible for Granicus information security by appropriately preserving the Confidentiality, Integrity, and Availability (CIA) of Granicus information assets in accordance with the company's information security program.
  • Responsible for ensuring the data privacy of our employees, our customers, and their data, as well as for taking all required privacy training in a timely manner, in accordance with company policies.

 

The Team

  • We are a remote-first company with a globally distributed workforce across the United States, Canada, United Kingdom, India, Armenia, Australia, and New Zealand.

 

The Culture

  • At Granicus, we are building a transparent, inclusive, and safe space for everyone who wants to be a part of our journey.
  • A few culture highlights include – Employee Resource Groups to encourage diverse voices.
  • Coffee with Mark sessions – Our employees get to interact with our CEO on very important and sometimes difficult issues ranging from mental health to work-life balance and current affairs.
  • Microsoft Teams communities focused on wellness, art, furbabies, family, parenting, and more.
  • We bring in special guests from time to time to discuss issues that impact our employee population.

The Impact

  • We are proud to serve dynamic organizations around the globe that use our digital solutions to make the world a better place — quite literally. We have so many powerful success stories that illustrate how our solutions are impacting the world. See more of our impact here.
