Security Engineer (App Sec and Cloud Infra)

About the Cybersecurity team

The Security Engineering team at Thumbtack is focused on enabling innovation at scale by making the secure path the easiest path. We believe strong security is not a blocker to velocity, but a force multiplier when it is designed into systems, platforms, and developer workflows from the start.

We partner closely with Product, Engineering, Platform, and Data teams to shape system design, guide architectural decisions, and evolve Thumbtack’s security posture as the company scales. Through collaboration, automation, and thoughtful tradeoffs, we help ensure Thumbtack can ship fast, innovate boldly, and maintain customer trust.

Challenge

As Thumbtack scales and increasingly incorporates AI-powered features into our products and internal systems, security must evolve without slowing innovation. The number of services, deployment patterns, and data flows continues to grow, and traditional approaches that rely heavily on manual reviews or after-the-fact controls do not scale to meet this need.

Instead, the challenge is to design security into the system itself. This means building secure defaults, paved paths, and reusable building blocks that product and engineering teams can adopt with minimal friction. By embedding security directly into architectures, tooling, and infrastructure, we reduce cognitive load on engineers and enable teams to move quickly and confidently while meaningfully lowering risk.

What you'll do 

• Own and deliver application security work within defined projects or domains. Contribute to cross-functional security initiatives, executing clearly scoped pieces of larger efforts.
• Identify, prioritize, and help remediate application security risks in partnership with engineering teams.
• Apply secure-by-default patterns and approved architectures when designing or reviewing systems.
• Support cloud infrastructure security by integrating security controls into CI/CD pipelines, IAM, networking, and runtime environments.
• Partner with product and engineering teams to assess risk and recommend practical, risk-informed security improvements. Participate in application security design reviews and threat modeling for new and existing systems.
• Write code, reviews, and documentation to address vulnerabilities and reduce recurring classes of issues.
• Participate in security incident response and contribute to post-incident analysis and remediation.

In order to be successful, you must bring

• 4+ years of experience in software engineering, application security, or cloud infrastructure security. 
• Practical experience with application security techniques such as threat modeling, secure design patterns, authentication and authorization, secrets management, and vulnerability remediation. Strong understanding of secure coding practices and common application security risks (e.g., OWASP Top 10).
• Experience securing cloud-native systems in AWS and/or GCP.
• Ability to assess security risks and break down complex problems, reason about tradeoffs, make sound recommendations, and deliver practical, impactful solutions with guidance when needed.
• Strong sense of ownership over assigned work, with the ability to execute independently and follow through.
• Clear written and verbal communication skills, including the ability to explain security issues to engineers with varying levels of security expertise.
• A growth mindset and interest in learning from more senior engineers and expanding depth in both application and cloud infrastructure security over time.

Expected salary ranges

• For candidates living in San Francisco / Bay Area, San Jose, New York City, or Seattle metros, the expected salary range for the role is currently $177,700.00 - $229,900.00. 
• For candidates living in Austin, TX or Washington DC metros or in California, Massachusetts, New Jersey, or Washington states, the expected salary range for the role is currently $159,800.00 - $206,800.00. 
• For candidates living in all other US locations, the expected salary range for this role is currently $151,300.00 - $195,800.00.

Actual offered salaries will vary and will be based on various factors, such as calibrated job level, qualifications, skills, competencies, and proficiency for the role.

#LI-Remote