Apptad-Principal Consultant Agentic AI Cybersecurity Engineer

Apptad Inc

Job Location:

Toronto - Canada

Monthly Salary: Not Disclosed
Posted on: 4 hours ago
Vacancies: 1 Vacancy

Job Summary

Job Title: Principal Consultant / Agentic AI Cybersecurity Engineer

Job Location: Toronto, ON (Mandate 4 days onsite)

Job Duration: Full Time

Overview:

Candidate will work hands-on alongside our cybersecurity engineering and application security teams to build, operate, and advance the agentic AI systems that find, exploit, and remediate vulnerabilities end-to-end across our application and infrastructure estate. Operating at a principal engineer level, you will personally direct frontier AI models to discover vulnerabilities in production code, develop proof-of-concept exploits, generate and validate fixes, and integrate them into CI/CD pipelines with safe human-in-the-loop controls. Candidate will also build reusable AI skills, prompts, and tooling that make agentic vulnerability management efficient and scalable across the estate. Candidate will bring deep dual expertise across offensive and defensive security, penetration testing, and software engineering, and apply that fluency to push the boundaries of what is possible with agentic AI in a regulated enterprise environment.

What will you do

  • Architect and operationalize the end-to-end agentic AI patching pipeline spanning detection, fix generation, automated testing, and release across SAST, DAST, SCA, IAST, container, and server vulnerabilities.
  • Use frontier AI models to discover novel vulnerabilities in production application and infrastructure code, develop proof-of-concept exploits, and validate that AI-generated fixes close the underlying root cause.
  • Build and maintain the library of reusable AI skills, prompts, evaluation harness, and tooling that power agentic vulnerability discovery, triage, remediation, false positive analysis, and exemption workflows at scale.
  • Design and operationalize AI-driven false positive analysis and exemption processes to reduce manual triage burden and surface only actionable findings to development teams.
  • Conduct hands-on penetration testing and red team exercises against critical applications and infrastructure to validate defensive controls and agent-generated remediations.
  • Extend agentic remediation coverage across SAST, SCA, DAST, IAST, container, and server vulnerabilities, including the data and tooling needed to connect findings back to source.
  • Design agent prompting, guardrails, evaluation frameworks, and appropriate human-in-the-loop controls to ensure safe autonomous code changes, testing, and deployment.
  • Drive integration of agentic remediation into enterprise CI/CD pipelines (GitHub, Jenkins, etc.) across the deployment landscape.
  • Communicate technical design, risk trade-offs, and delivery progress clearly to senior stakeholders, including CIO, CISO, 2LOD, and Audit functions.

Must-have:

  • 10 years of hands-on experience across software engineering, offensive security, and defensive security at a principal engineer level, with demonstrated personal contributions to production codebases and published vulnerability research or penetration testing engagements.
  • Advanced technical proficiency in multiple programming languages (Java, C#, C, C++, Python, JavaScript/Go) with proven ability to personally write, review, and remediate production code.
  • Deep fluency in vulnerability classes including memory safety, injection, authentication and authorization flaws, cryptographic misuse, deserialization, race conditions, and supply chain attacks, with hands-on experience finding and exploiting each.
  • Extensive hands-on experience with penetration testing, red teaming, exploit development, reverse engineering, and secure code review against OWASP Top 10 and SANS 25, combined with defensive engineering experience building detection and remediation capabilities.
  • Extensive hands-on experience with application security testing tools (SAST, DAST, IAST, SCA), including tuning, false positive analysis, exemption workflow design, and enterprise vulnerability management at scale.
  • Deep technical fluency with agentic AI coding tools and frameworks (Claude, Devin, Copilot, Windsurf, Cursor, MCP), including prompt engineering, agent orchestration, reusable skill and tool design, guardrail design, and evaluation.
  • Strong architectural knowledge of modern container platforms (Docker, Kubernetes), cloud-native deployment patterns, and integration of security automation into developer workflows.

Nice-to-have:

  • Relevant security certifications (OSCP, OSCE, OSEP, GXPN, GWAPT, CISSP, or equivalent).
  • Experience in financial services or highly regulated industries with exposure to SOX, SOC1, and regulatory audit.
  • Public evidence of offensive capability: published CVEs, bug bounty track record, conference talks (DEF CON, Black Hat, OffensiveCon, REcon), CTF placements, or open-source security tooling contributions.
  • Hands-on experience with enterprise vulnerability tooling (Tenable, Aqua, Snyk, BrightSec) and remediation at scale.
  • Demonstrated ability to advise senior technology leaders and deliver within complex multi-stakeholder enterprise environments.