Principal Engineer — Product & Application Security
San Mateo, CA - USA
Job Summary
We are looking for a Principal Engineer Product & Application Security to be the top technical authority for how Freshworks builds secure software. As an IC6 Principal you set the multi-year security technical vision for our products and platform make the calls on our hardest security-architecture problems and are the person the company relies on when the stakes are highest across a multi-tenant SaaS estate serving 72000 customer accounts and hundreds of integrations.
As Freshworks evolves from a suite of service products into an AI-first system of business intelligence with autonomous agents a Knowledge and Context Graph and a growing agentic surface the security bar must rise with it. This role goes beyond leading individual reviews and remediations: you define the secure-by-design paradigms reference architectures and organization-wide standards that determine how thousands of engineers ship and you drive the strategic bets (AI/agent security supply-chain integrity zero-trust data protection) that keep Freshworks ahead of the threat curve.
You will operate as a company-wide force multiplier writing code and reference implementations setting technical direction that outlives any single project mentoring Staff and Senior Staff security engineers and partnering directly with VP Engineering the CISO organization and product leadership to make security a durable competitive advantage.
Key Responsibilities
Security Technical Vision & Strategy
- Own the multi-year technical vision and architecture strategy for product and application security across all Freshworks products (Freshdesk Freshservice and the shared Platform) and drive alignment on it across engineering and the CISO organization
- Define the secure-by-design reference architectures paradigms and organization-wide standards (authN/authZ tenant isolation data protection secrets API security) that thousands of engineers build against
- Set the strategic security agenda for the AI-first platform securing the AI Agent Platform Knowledge/Context Graph and agentic workflows anticipating threat classes before they reach production
- Act as the final technical decision-maker and tie-breaker on the hardest highest-risk security-architecture trade-offs
Product & Application Security Engineering
- Lead threat modeling and security design reviews for the most critical cross-cutting and highest-risk systems including identity and access the integrations/connector framework (300 apps) and the agent runtime
- Set the standard for secure code review manual and AI-assisted penetration testing and vulnerability analysis; drive root-cause remediation strategies that eliminate whole vulnerability classes across the estate not one bug at a time
- Architect and harden multi-tenant security controls: strict tenant isolation authentication/authorization models secrets management data protection and API gateway security
- Own the security design for AI/agentic features prompt injection defense tool-invocation authorization non-human identity and permission-scoped context access
Left-Shift & Secure SDLC at Scale
- Define the organization-wide AI-assisted left-shift strategy: how SAST DAST (e.g. Snyk) SCA/dependency scanning secret detection and IaC scanning are embedded across every CI/CD pipeline to catch issues before production
- Set the direction for security tooling automation and paved-road frameworks and libraries that make the secure path the default path including code-component asset inventory (API/SBOM/RBAC/secrets/integrations) and secure-by-default product hardening
- Own the software supply-chain security strategy: centralized software artifact repository management (e.g. Sonatype Nexus) code artifact repository guardrails and CI/CD pipeline hardening
- Establish secure coding standards golden patterns and guardrails; operationalize threat modeling and maturity models (SAMM) across the product portfolio; and define the security quality gates the whole org is measured against
Vulnerability Management & Incident Response
- Serve as the top technical escalation point for the most severe security incidents leading investigation containment strategy and post-incident architectural hardening
- Set the risk-based prioritization framework for findings from internal testing bug bounty third-party pen tests and researcher disclosures and drive systemic fixes
- Shape the strategy for the bug bounty and responsible-disclosure program
Technical Leadership & Influence
- Act as the recognized top IC authority for product security mentoring and multiplying Staff and Senior Staff engineers and security champions and raising the security bar across the entire engineering organization
- Influence company-level strategy: advise VP Engineering the CISO organization and product leadership; represent Freshworks product-security posture to enterprise customers auditors and (where appropriate) the external security community
- Drive cross-organizational security initiatives to completion through technical credibility and clarity building consensus across many teams without formal authority
Security Domains Youll Set Direction On
You will be expected to provide deep technical direction and roll up your sleeves across the full product security roadmap including:
- Compliance & trust enablement: internal and external pen testing (PCI vault VAPT) Google CASA TX-RAMP control validation SDLC documentation control reviews audit evidence risk assessment prioritization and new-product-introduction (NPI) security assessments
- Continuous security assessment & automation: DAST onboarding for public APIs and continuous-deployment integration SCA bug triage CI/CD environment assessment continuous control monitoring security scorecards and anomaly-detection rule configuration
- Shift-security-left: code-component asset inventory (API/SBOM/RBAC/secrets/integrations) supply-chain attack prevention threat-modeling operationalization and product-security maturity models (SAMM)
- Product security features: step-up authentication for sensitive operations SCIM/secure SAML OIDC federated SSO OAuth for APIs and third-party apps secrets injection customer data masking field-level encryption BYOK DNSSEC header hardening (CSP/X-Frame) IMDSv2 egress proxy enforcement hardcoded-secret cleanup IAM role right-sizing SIEM audit-log integration and SSPM tool integration
Metrics & Impact
- Define the security KPIs the organization is held to: reduction in high/critical findings reaching production coverage of critical services by threat models mean time to remediate and adoption of secure-by-default frameworks
- Deliver a measurable sustained reduction in exploitable risk across the entire product portfolio while improving not slowing engineering velocity
Qualifications :
Professional Experience
- 12 years in software engineering and/or security with deep sustained hands-on ownership of application/product security for production SaaS at enterprise scale
- Track record as a Principal-level (or equivalent) individual contributor whose technical vision and standards shaped an entire engineering organization you have defined direction that outlived individual projects
- Deep experience securing multi-tenant cloud-native SaaS platforms (ideally on AWS) including tenant isolation authN/authZ and API security at scale
- Demonstrated impact eliminating vulnerability classes and setting the security frameworks reference architectures or paved roads adopted org-wide
Technical Expertise
- Authoritative current knowledge of application security anchored in OWASP frameworks Web Top 10 API Security Top 10 ASVS the LLM Top 10 and the newer OWASP Agentic AI Top 10 (the real-world attack classes targeting autonomous agents) plus secure design patterns authentication/authorization (OAuth 2.0 OIDC SAML SCIM) session management and cryptography
- Mastery of threat modeling (e.g. STRIDE) secure code review and both manual and AI-assisted penetration testing across web API and cloud surfaces
- Deep experience embedding security into CI/CD at scale: SAST DAST (e.g. Snyk Snyk Code) SCA secret scanning IaC scanning artifact-repository management (e.g. Sonatype Nexus) and container/Kubernetes security aligned to the OWASP Kubernetes Top Ten (RBAC workload isolation supply-chain and misconfiguration risks)
- Strong coding ability in one or more of Ruby Java Go Python or JavaScript/TypeScript enough to build reference implementations and security tooling and to be credible in any code review
- Deep cloud security expertise (AWS preferred): IAM and role right-sizing network/egress controls KMS/secrets management BYOK/field-level encryption and infrastructure-as-code (Terraform/CloudFormation)
- Authoritative grasp of cryptographic and compliance standards relevant to enterprise SaaS e.g. FIPS 140-2/140-3 PCI SOC 2 ISO 27001 and Google CASA / TX-RAMP control frameworks
- Deep understanding of securing AI/LLM and agentic systems including Claude and other LLM security concerns such as prompt injection insecure tool use model/data exposure and non-human identity
Leadership & Influence
- Ability to set technical direction for and influence an entire engineering organization and senior executives (VP/CISO) through technical credibility and clear communication
- A genuine service-oriented make the secure path the easy path mindset toward internal developers
- A multiplier: track record of growing Staff and Senior Staff engineers and building a durable security-champion culture across distributed teams
Nice to Have
- Deep experience securing ITSM CX/CRM or service-management products and their data models
- Recognized external contributions: open-source security projects published research CVEs standards bodies or conference talks (e.g. Black Hat DEF CON OWASP)
- Industry certifications such as OSCP OSWE GWAPT CISSP or equivalent (valued not required)
- Experience defining or scaling bug bounty / responsible-disclosure programs
- Deep familiarity with modern AI/ML stacks LLMs embeddings RAG pipelines and agent frameworks (LangGraph MCP A2A) and their security models
- Experience shaping compliance and audit programs (SOC 2 ISO 27001 FedRAMP GDPR)
Additional Information :
Please note this is a hybrid role with onsite expectations of 3x/week (Tues - Thurs) from our San Mateo CA headquarters.
The annual base salary range for this position is $241000 - $298000. This role is also eligible for a target bonus.
Compensation is based on a variety of factors including but not limited to location experience job-related skills and level.
Freshworks offers multiple options for dental medical vision disability and life insurance. Equity ESPP flexible PTO flexible spending commuter benefits and wellness benefits are also offered. Freshworks also offers adoption and parental leave benefits.
At Freshworks we have fostered an environment that enables everyone to find their true potential purpose and passion welcoming colleagues of all backgrounds genders sexual orientations religions and ethnicities. We are committed to providing equal opportunity and believe that diversity in the workplace creates a more vibrant richer environment that boosts the goals of our employees communities and business. Fresh vision. Real impact. Come build it with us.
Remote Work :
No
Employment Type :
Full-time
About Company
Freshworks makes it fast and easy for businesses to delight their customers and employees. We do this by taking a fresh approach to building and delivering software that is affordable, quick to implement, and designed for the end user. Headquartered in San Mateo, California, Freshwork ... View more