Senior Product Security Engineer

Charlotte, VT - USA

Monthly Salary: Not Disclosed

Posted on: Yesterday

Vacancies: 1 Vacancy

Job Summary

Intuit Credit Karma is a mission-driven company focused on championing financial progress for our more than 140 million members globally. While were best known for pioneering free credit scores our members turn to us for everything related to their financial goals including identity monitoring applying for credit cards shopping for insurance and loans (car home and personal) and savings accounts and checking accounts* all for free. Credit Karma has grown significantly through the years: we now have more than 1700 employees across our offices in Oakland Charlotte Culver City San Diego London Bangalore and New York City.

*Banking services provided by MVB Bank Inc. Member FDIC

Were hiring a Senior Product Security Engineer to lead the design and deployment of security capabilities across both traditional application security and AI/ML systems. Youll build and integrate security tooling leveraging open-source and vendor solutions to strengthen our Secure Development Lifecycle and vulnerability reduction efforts (including SAST DAST SCA secrets scanning and vulnerability management) while also securing the full AI lifecycle: data ingestion training/fine-tuning evaluation model registry inference agentic workflows and MCP servers/tools.

Youll partner closely with product engineering ML engineering and platform teams to implement scalable controls define standards and operationalize continuous assurance across apps and AI systems covering secure coding practices supply chain integrity identity and access controls runtime protections and AI-specific risks such as model security prompt/tool safety and AI pipeline governance.

What Youll Do

Lead security architecture reviews and threat modeling across apps/APIs/cloud and AI/ML systems (agents MCP servers tool integrations orchestration).
Implement security controls across the SDLC and AI lifecycle.
Build secure-by-default automation and guardrails (policy-as-code CI/CD gates least privilege/sandboxing provenance verification).
Own and mature SAST/DAST/SCA and vuln management: tool tuning pipeline integration triage remediation workflows metrics/SLAs.
Evaluate and integrate OSS/vendor AppSec and AI security tooling (scanning secrets prompt safety agent runtime monitoring data leakage controls).
Deliver reusable secure patterns/SDKs and partner with platform teams on runtime hardening (IAM secrets Kubernetes logging/monitoring isolation).
Automate testing for OWASP and AI-specific risks; integrate into release gates and continuous monitoring.
Define standards aligned with enterprise policy and AISPM-style practices; enable teams and communicate risk/roadmaps to leadership.

What Were Looking For

6 years in product/application security in large-scale systems.
Demonstrated experience building or operationalizing security tooling (CI/CD integrations scanners policy engines security automation detection/monitoring).
Strong foundation in security architecture design reviews and threat modeling for modern cloud-native systems.
Practical understanding of AI/ML systems and workflows: model development lifecycle model registry/deployments evals vector databases/RAG and agent frameworks.
Deep familiarity with common software vulnerabilities (OWASP Top 10) and modern cloud threats; strong ability to communicate risk to engineers.
Ability to collaborate with software engineers and ML engineersmeeting business goals while enforcing security requirements.
Experience applying security and compliance frameworks (examples: NIST ISO 27001/27002 concepts SOC2 controls OAuth/OIDC PCI where relevant).
Proficiency in one or more: Python Go Java TypeScript/Node Rust Scala.

What Would Be Great to See

Hands-on experience securing agentic workflows tool calling function execution and MCP servers (or similar tool/plugin servers).
Experience with LLM platforms and deployments (e.g. GPT Gemini Claude Llama) and associated security risks and mitigations.
Familiarity with AI threat landscape and testing approaches: prompt injection (direct/indirect) tool injection RAG poisoning data leakage jailbreaks model extraction/inversion risks.
Experience with provenance and integrity controls: artifact signing attestations SBOMs SLSA-style build practices model/dataset lineage registry governance.
Familiarity with secure model onboarding (third-party/open model risk) license/compliance considerations and lifecycle governance.
Exposure to cloud security tooling and environments (e.g. GCP/AWS/Azure) Kubernetes service mesh IAM secrets management (Vault/KMS) OPA/policy-as-code CI/CD (CircleCI/GitHub Actions) and observability (Splunk).
Experience designing enterprise-wide security patterns and standards (reference architectures paved roads).
Strong cryptography fundamentals and real-world usage (TLS HMAC key management encryption at rest/in transit).

Benefits include:

Medical and Dental Coverage
Retirement Plan
Commuter Benefits
Wellness perks
Paid Time Off (Vacation Sick Baby Bonding Cultural Observance & More)
Education Perks
Paid Gift Week in December

Equal Employment Opportunity:

Credit Karma is proud to be an Equal Employment Opportunity Employer. We welcome all candidates without regard to race color religion age marital status sex (including pregnancy childbirth or related medical condition) sexual orientation gender identity or gender expression national origin veteran or military status disability (physical or mental) genetic information or other protected characteristic. We prohibit discrimination of any kind and operate in compliance with applicable fair chance laws.

Credit Karma is also committed to a diverse and inclusive work environment because it is the right thing to do. We believe that such an environment advances long-term professional growth creates a robust business and supports our mission of championing financial progress for everyone. We offer generous benefits and perks with a single eye to nourishing an inclusive environment that recognizes the contributions of all and fosters diversity by supporting our internal Employee Resource Groups. Weve worked hard to build an intensely collaborative and creative environment a diverse and inclusive employee culture and the opportunity for professional growth. As part of the Credit Karma team your voice will be heard your contributions will matter and your unique background and experiences will be celebrated.

Privacy Policies:

Credit Karma is strongly committed to protecting personal data. Please take a look below to review our privacy policies:

US Job Applicant Privacy Notice

UK Job Applicant Privacy Notice

India Job Applicant Privacy Notice

Required Experience:

Senior IC

*Banking services provided by MVB Bank Inc. Member FDIC

What Youll Do

Lead security architecture reviews and threat modeling across apps/APIs/cloud and AI/ML systems (agents MCP servers tool integrations orchestration).
Implement security controls across the SDLC and AI lifecycle.
Build secure-by-default automation and guardrails (policy-as-code CI/CD gates least privilege/sandboxing provenance verification).
Own and mature SAST/DAST/SCA and vuln management: tool tuning pipeline integration triage remediation workflows metrics/SLAs.
Evaluate and integrate OSS/vendor AppSec and AI security tooling (scanning secrets prompt safety agent runtime monitoring data leakage controls).
Deliver reusable secure patterns/SDKs and partner with platform teams on runtime hardening (IAM secrets Kubernetes logging/monitoring isolation).
Automate testing for OWASP and AI-specific risks; integrate into release gates and continuous monitoring.
Define standards aligned with enterprise policy and AISPM-style practices; enable teams and communicate risk/roadmaps to leadership.

What Were Looking For

6 years in product/application security in large-scale systems.
Demonstrated experience building or operationalizing security tooling (CI/CD integrations scanners policy engines security automation detection/monitoring).
Strong foundation in security architecture design reviews and threat modeling for modern cloud-native systems.
Practical understanding of AI/ML systems and workflows: model development lifecycle model registry/deployments evals vector databases/RAG and agent frameworks.
Deep familiarity with common software vulnerabilities (OWASP Top 10) and modern cloud threats; strong ability to communicate risk to engineers.
Ability to collaborate with software engineers and ML engineersmeeting business goals while enforcing security requirements.
Experience applying security and compliance frameworks (examples: NIST ISO 27001/27002 concepts SOC2 controls OAuth/OIDC PCI where relevant).
Proficiency in one or more: Python Go Java TypeScript/Node Rust Scala.

What Would Be Great to See

Hands-on experience securing agentic workflows tool calling function execution and MCP servers (or similar tool/plugin servers).
Experience with LLM platforms and deployments (e.g. GPT Gemini Claude Llama) and associated security risks and mitigations.
Familiarity with AI threat landscape and testing approaches: prompt injection (direct/indirect) tool injection RAG poisoning data leakage jailbreaks model extraction/inversion risks.
Experience with provenance and integrity controls: artifact signing attestations SBOMs SLSA-style build practices model/dataset lineage registry governance.
Familiarity with secure model onboarding (third-party/open model risk) license/compliance considerations and lifecycle governance.
Exposure to cloud security tooling and environments (e.g. GCP/AWS/Azure) Kubernetes service mesh IAM secrets management (Vault/KMS) OPA/policy-as-code CI/CD (CircleCI/GitHub Actions) and observability (Splunk).
Experience designing enterprise-wide security patterns and standards (reference architectures paved roads).
Strong cryptography fundamentals and real-world usage (TLS HMAC key management encryption at rest/in transit).

Benefits include: