Application Security Engineer

About This Job

We are seeking a Security Engineer with deep expertise in application security platforms to own, operate, and optimize our WAF, bot defense, API security, and application testing tools. This role will focus on ensuring these platforms are well-configured, continuously tuned, and delivering maximum security value with minimal business friction.

The Security Engineer will also serve as the incident response lead for application-layer attacks, participate in the on-call rotation, and work primarily during Pacific Time (PT) business hours to align with our operations.

Key Responsibilities

• AppSec Tool Management & Optimization

  • Administer and tune Cloudflare WAF, maintaining rules, policies, and custom configurations.

  • Manage and optimize bot defense platforms (e.g., F5/Shape, Arkose) to mitigate automated fraud, scraping, and credential stuffing.

  • Oversee and tune API security solutions (e.g., Traceable) for visibility, anomaly detection, and protection.

  • Operate DAST and SAST platforms, ensuring they are integrated into CI/CD and providing actionable insights.

• Security Operations & Incident Response

  • Lead response to AppSec-related incidents, including botnet activity, API abuse, and web exploitation attempts.

  • Participate in the on-call rotation, ensuring timely detection, escalation, and remediation of critical application security events.

  • Build playbooks for WAF/bot/API incident handling and drive continuous improvement of detection/response.

  • Collaborate with SOC, DevOps, and development teams to remediate issues and strengthen defenses.

• Continuous Improvement

  • Tune tools to reduce false positives and improve detection accuracy.

  • Track tool coverage and effectiveness, providing metrics and reports to leadership.

  • Engage with vendors to leverage updates, intelligence feeds, and advanced features.

• Collaboration & Governance

  • Partner with application teams to align security policies with business requirements.

  • Support compliance initiatives by ensuring tooling configurations meet regulatory/security standards.

Key Responsibilities

• AppSec Tool Management & Optimization

  • Administer and tune Cloudflare WAF, maintaining rules, policies, and custom configurations.

  • Manage and optimize bot defense platforms (e.g., F5/Shape, Arkose) to mitigate automated fraud, scraping, and credential stuffing.

  • Oversee and tune API security solutions (e.g., Traceable) for visibility, anomaly detection, and protection.

  • Operate DAST and SAST platforms, ensuring they are integrated into CI/CD and providing actionable insights.

• Security Operations & Incident Response

  • Lead response to AppSec-related incidents, including botnet activity, API abuse, and web exploitation attempts.

  • Participate in the on-call rotation, ensuring timely detection, escalation, and remediation of critical application security events.

  • Build playbooks for WAF/bot/API incident handling and drive continuous improvement of detection/response.

  • Collaborate with SOC, DevOps, and development teams to remediate issues and strengthen defenses.

• Continuous Improvement

  • Tune tools to reduce false positives and improve detection accuracy.

  • Track tool coverage and effectiveness, providing metrics and reports to leadership.

  • Engage with vendors to leverage updates, intelligence feeds, and advanced features.

• Collaboration & Governance

  • Partner with application teams to align security policies with business requirements.

  • Support compliance initiatives by ensuring tooling configurations meet regulatory/security standards.

Required Qualifications

• 4–6+ years of experience in information security or application security operations.

• Hands-on experience with Cloudflare WAF (or equivalent enterprise WAF).

• Experience managing bot defense tools (F5/Shape, Arkose, or similar).

• Familiarity with API security solutions (Traceable, Salt, or similar).

• Experience with DAST and/or SAST platforms in an enterprise environment.

• Strong understanding of OWASP Top 10 and API Security Top 10 threats.

• Background in incident response, particularly application and API security events.

• Willingness to participate in an on-call rotation for AppSec-related incidents.

• Ability to work Pacific Time (PT) business hours to support operational coverage.

Preferred Qualifications

• Experience integrating AppSec tools into CI/CD pipelines.

• Familiarity with SIEM/SOAR platforms for AppSec event enrichment and automation.

• Knowledge of cloud security (AWS, Azure, GCP) in relation to web and API workloads.

• Industry certifications (e.g., GWAPT, GWEB, CCSK, AWS Security Specialty) are a plus.

About Axos

Born digital-first, Axos delivers financial tools and services that allow individuals, small businesses, and companies to access and manage their money how, when, and where they want. We're a diverse team of dynamic, insightful, and independent innovators who are excited to provide technology-driven solutions that offer unbeatable value to our customers.

Axos Financial is our holding company and is publicly traded on the New York Stock Exchange under the symbol "AX" (NYSE: AX).

Learn More about working at Axos Business Center

Pre-Employment Background Check, Medical, and Drug Test:

All offers are contingent upon the candidate successfully passing a credit check, criminal background check, and pre-employment medical and drug screening. 

Equal Employment Opportunity:

Axos is an Equal Opportunity employer. We are committed to providing equal employment opportunities to all employees and applicants without regard to race, religious creed, color, sex (including pregnancy, breast feeding and related medical conditions), gender, gender identity, gender expression, sexual orientation, national origin, ancestry, citizenship status, military and veteran status, marital status, age, protected medical condition, genetic information, physical disability, mental disability, or any other protected status in accordance with all applicable federal, state, and local laws.

Job Functions and Work Environment:

While performing the duties of this position, the employee is required to sit for extended periods of time. Manual dexterity and coordination are required while operating standard office equipment such as computer keyboard and mouse, calculator, telephone, copiers, etc.

The work environment characteristics described here are representative of those an employee may encounter while performing the essential functions of this position. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions of this position.