Sr. Staff Product Security Engineer

RDQ226R536

About the Team

The Product Security Team at Databricks is responsible for embedding security throughout the Software Development Lifecycle (SDLC). Our mission is to left-shift securityensuring that all code whether powering customer-facing features or supporting internal infrastructure is developed with security in mind from the start. By reducing the likelihood of introducing vulnerabilities and minimizing the impact of externally reported issues we safeguard Databricks products and services at scale.

Role Overview

As a Product Security Engineer you will play a key role in securing the features and infrastructure that power Databricks. You will partner closely with engineering teams across the organization to design secure systems conduct security reviews and enable scalable repeatable secure development practices through automation paved pathways and guardrails.

Youll support the full spectrum of security within the SDLCfrom architecture and threat modeling through secure coding pentesting and deployment. In addition you will contribute to incident and vulnerability response efforts and help scale our security influence through tools frameworks and processes that support both engineers and compliance needs.

Responsibilities

• Partner with product and engineering teams to design secure systems identify risks early and guide the development of robust solutions
• Conduct comprehensive security reviews including threat modeling design analysis manual code reviews and exploit development to validate potential weaknesses
• Design and build guardrails that prevent common security mistakes and ensure consistent enforceable policies across services
• Develop and maintain paved pathwayssecure-by-default development patterns frameworks and tools that enable engineering teams to build securely without friction
• Triage and analyze findings from Static Application Security Testing (SAST) tools distinguishing false positives from genuine issues and performing variant analysis to identify similar vulnerabilities across the codebase.
• Operate and evolve Dynamic Application Security Testing (DAST) tooling and automation to support vulnerability detection and defect tracking
• Support incident response (IR) and vulnerability response (VRP) workflows as needed partnering with internal teams to investigate and remediate security events
• Enhance internal security automation frameworks and integrations to meet evolving compliance and regulatory requirements (e.g. FedRAMP PCI HIPAA)
• Contribute to the continuous improvement of SDLC-integrated security processes with a focus on risk-based prioritization real-world impact and the implementation of AI-assisted tooling to enhance efficiency accuracy and scalability.

What we look for

• 10 years of experience in product or application security with deep expertise in securing large-scale distributed systems
• Extensive experience influencing architectural decisions embedding security-by-design principles and aligning security goals with business objectives
• Proven leadership in cross-functional initiatives including incident response security reviews and risk management at scale
• Recognized mentor and technical leader enabling the growth of security-minded culture through coaching training and collaboration
• Thought leader in emerging security technologies and practices including the integration of AI/ML to scale security operations and tooling
• Expertise in at least two of the following domains:
• Ability to read code and identify security defects in two or more programming languages (e.g. Python Java Scala JavaScript)
• Hands-on experience with exploit development proof-of-concept creation or exploit chaining
• Strong automation skills for building security tools and processes using AI-agents (think Cursor Goose VSCode etc)
• Familiarity with fuzzing techniques is a plus
• Pragmatic approach to securityprioritizing risk management over theoretical severity
• Other good to have credentials

Required Experience:

Staff IC