Senior Application Security Engineer
Cloudsmith
United Kingdom
TL;DR: We’re looking for a deeply technical Application Security Engineer to embed inside engineering and help secure Cloudsmith 2.0, the operating system for the modern software supply chain. The ideal person is a software engineer at heart who chose to specialize in security. You should be comfortable moving between code, architecture, and security design.
About Cloudsmith
Cloudsmith is building the operating system for the modern software supply chain.
We run a global, fully managed, multi-tenant SaaS platform that helps organizations, from startups to the Fortune 500, secure, govern, and distribute software artifacts at scale.
Worldwide, our customers use Cloudsmith as a critical infrastructure control plane for CI/CD, developer workflows, security controls, compliance, and software distribution, supporting 30+ formats and ecosystems across languages, containers, and operating systems.
We recently raised our Series C to accelerate Cloudsmith 2.0: deeper artifact intelligence, stronger policy and provenance, faster package-aware delivery, and infrastructure built for engineering teams, as well as the modern AI-driven software factory.
By developers, for developers: we care about craft, architecture, and enterprise scale.
The Role
As a Senior Application Security Engineer, you’ll report to the Head of Security and embed directly into one of our engineering tribes.
You’ll work alongside Engineering Managers, Product Managers, Principal Engineers, and product engineers as part of the tribe’s day-to-day rhythm. Your job is to advocate for security from within the core engineering function, not from the sidelines.
That means joining design discussions early, reviewing code and architecture, identifying risks early, and helping the tribe land secure, pragmatic fixes. We are building a model where security engineers are part-IC, part-security specialist.
You should be able to contribute directly, but your greater leverage lies in raising the security judgment of the engineers around you, so good security becomes part of how we work.
Key Responsibilities
Embed inside an engineering tribe and participate in planning, design review, code review, incident learning, and delivery conversations.
Collaborate across security, platform, and engineering guilds so security work routes to the right team, at the right time, with the right priority.
Threat-model product and platform changes across APIs, workers, data stores, queues, object storage, CDNs, identity, policy, and tenant boundaries.
Review production code and architecture for authentication, authorization, data access, secrets handling, artifact integrity, signing, auditability, and abuse cases.
Build and improve security tooling, paved roads, checks, libraries, and automation that make securing Cloudsmith easier for engineers.
Tune and operate security controls across SAST, DAST, SCA, secrets scanning, container scanning, IaC scanning, dependency analysis, and runtime signals.
Investigate, triage, and remediate vulnerabilities identified through internal testing, third-party testing, responsible disclosure, customer reports, and security tooling.
Support security incidents, red/blue exercises, detection work, and post-incident actions, improvements, and other investigatory/preventative follow-ups.
Support technical control work for SOC 2, ISO 27001, EU CRA, and related frameworks, working with GRC where security engineering input is needed.
Raise the tribe's security capability by helping engineers understand risks, threat-model their own work, and recognize what good secure design looks like.
Required Experience, Qualities & Skills
Technical Depth
Around 5+ years of hands-on application security experience, or equivalent experience across software engineering and security, with security as your recent focus.
Deep software engineering craft, with a focus on Python. Familiarity with TypeScript, Go, or Rust is an advantage. Effective use of ownership-driven AI is useful.
Deep web and API security knowledge: OWASP Top 10, business logic flaws, authn/authz design, token handling, REST, GraphQL, and multi-tenant access control.
Practical threat modeling and vulnerability research experience against real applications, APIs, cloud-native systems, and distributed services.
Strong cloud-native security experience, especially across AWS, IAM, KMS, S3, containers, Terraform, CI/CD, secrets handling, logging, and multi-tenant isolation.
Sound judgment on vulnerability priority. You understand CVSS, but you care more about exploitability, reachability, tenant impact, and production reality.
Ability to reason through production systems: APIs, queues, caches, databases, workers, CDNs, object storage, edge delivery, telemetry, and failure modes.
Clear communication in a remote-first environment. Your threat models, risk write-ups, incident notes, and feedback should be useful to engineers and credible to leadership.
Software Supply Chain & Security
Cloudsmith is not just another SaaS product. We are the artifact control plane for our customers’ software supply chains. You should understand, or be excited to go deep on:
Ecosystems such as npm, PyPI, Docker/OCI, Maven, Helm, and Hugging Face.
Software supply chain threats such as dependency confusion, typosquatting, malicious packages, maintainer compromise, metadata poisoning, and build-system injection.
Artifact and registry concepts: immutable blobs, mutable metadata, package identity, checksums, upstream proxying, private repos, access control, caching, and promotion.
Provenance and trust mechanisms such as SBOMs, signing, attestations, SLSA, Sigstore, in-toto, trusted publishing, and zero-trust software delivery.
Bonus Points
Experience securing artifact management, package registry, container registry, CI/CD, DevOps, developer tooling, or supply chain security platforms.
Experience with secure runtime environments, sandboxing, workload isolation, policy engines, OPA/Rego, eBPF, or similar control points.
Contributions to open-source security tooling or supply chain security projects.
Familiarity with Datadog, AWS Security Hub, Okta, GitHub Advanced Security, Snyk, Semgrep, Trivy, Wiz, or similar tooling.
Useful, but not required: certs such as OSCP, CSSLP, GPEN, GWAPT, GCSA, or CISSP.
Cultural Values We're Looking For
Engineering-first security: You operate as an engineer first for security problems.
Builder mindset: You fix code and automate the boring parts to accelerate others.
Practical paranoia: You can think like an attacker without losing sight of practicality.
High standards, low ego: You raise the bar without devolving into arguments.
Clear thinking: You can turn messy problems into decisions and trade-offs.
Ownership: You care deeply about the security of the product, platform, and company.
Impact & Growth
This role helps shape application security for a platform that secures the software supply chain for organizations from startups to the Fortune 500.
AI is increasing the rate at which software is created, changed, assembled, and shipped. Enterprises need stronger controls, better provenance, clearer trust decisions, and a faster path to delivery.
Cloudsmith is building the critical infrastructure to record, govern, and deliver software artifacts at scale. You’ll help make that infrastructure safer from the inside.
As the function grows, you’ll have the opportunity to shape our application security roadmap, define how security engineers embed within tribes, influence secure engineering patterns, mentor future security hires, and represent Cloudsmith externally in the security community.
Benefits, Location & Work Environment
You must be based in Ireland or the United Kingdom and have the right to work independently without requiring sponsorship.
Headlines
A position based in Ireland or the United Kingdom.
A competitive compensation package, including equity.
Comprehensive health, dental, and vision insurance.
Generous annual leave and flexible working policies to suit your lifestyle.
A professional development budget for conferences and training.
A dynamic, innovative, trust-centric, and supportive work environment.
Belfast HQ, used for working sessions, planning, all-hands, and team events.
Opportunity to help shape a fast-growing company building critical infrastructure.
Regular travel may be required for team meetings, planning, customers, and events.
Health and Wellness
We care about the health and wellness of our people and their families. Sustainable pace matters. We offer generous annual leave, health and wellbeing benefits, and flexible family-friendly working policies.
Personal Growth
You will have room to grow alongside strong colleagues. We support professional development through budgets for equipment, training, books, conferences, travel, and certifications.
Facilities
Cloudsmith is headquartered in Belfast, Northern Ireland, with fully equipped office space for working sessions, planning, meetups, and team activities. We rely on Slack, Google Docs, Linear, and other tools to collaborate across locations.
About Equal Opportunity
Cloudsmith is an equal-opportunity employer, proud to nurture a diverse workplace that welcomes applications from individuals of all races, genders, and ethnicities. We do not discriminate based on age, religion, sexual orientation, citizenship status, military service, or health conditions. We will not tolerate discrimination of any kind.
Department: Security
Locations: NI/GB/ROI
About Cloudsmith
Cloudsmith is a fully managed solution for controlling, securing, and distributing everything that flows through your software supply chain, using the best of cloud-native artifact management. Operate at enterprise scale, reduce risk, and streamline builds. Cloudsmith just works, so your developers can, too.