Application Security Engineer

Imagine a world where banking is not just a transaction but a transformative experience. Welcome to Axos Business Center We're on a mission to redefine the financial landscape with innovation, creativity, and customer-centric solutions at the core of everything we do. #Banking Evolved.

Ready to dive into a new chapter in your career journey and make your mark this year? We need visionary minds like yours Join our team and become part of a dynamic force that's reshaping how people interact with their finances.

Your next big opportunity is just a click away

**We are seeking a Security Engineer with deep expertise in application security platforms to own, operate, and optimize our WAF, bot defense, API security, and application testing tools. This role will focus on ensuring these platforms are well-configured, continuously tuned, and delivering maximum security value with minimal business friction.

The Security Engineer will also serve as the incident response lead for application-layer attacks, participate in the on-call rotation, and work primarily during Pacific Time (PT) business hours to align with our operations.**

Key Responsibilities

• AppSec Tool Management & Optimization

• Administer and tune Cloudflare WAF, maintaining rules, policies, and custom configurations.

• Manage and optimize bot defense platforms (e.g., F5/Shape, Arkose) to mitigate automated fraud, scraping, and credential stuffing.
• Oversee and tune API security solutions (e.g., Traceable) for visibility, anomaly detection, and protection.
• Operate DAST and SAST platforms, ensuring they are integrated into CI/CD and providing actionable insights.

• Security Operations & Incident Response

• Lead response to AppSec-related incidents, including botnet activity, API abuse, and web exploitation attempts.

• Participate in the on-call rotation, ensuring timely detection, escalation, and remediation of critical application security events.
• Build playbooks for WAF/bot/API incident handling and drive continuous improvement of detection/response.
• Collaborate with SOC, DevOps, and development teams to remediate issues and strengthen defenses.

• Continuous Improvement

• Tune tools to reduce false positives and improve detection accuracy.

• Track tool coverage and effectiveness, providing metrics and reports to leadership.
• Engage with vendors to leverage updates, intelligence feeds, and advanced features.

• Collaboration & Governance

• Partner with application teams to align security policies with business requirements.

• Support compliance initiatives by ensuring tooling configurations meet regulatory/security standards.

Key Responsibilities

• AppSec Tool Management & Optimization

• Administer and tune Cloudflare WAF, maintaining rules, policies, and custom configurations.

• Manage and optimize bot defense platforms (e.g., F5/Shape, Arkose) to mitigate automated fraud, scraping, and credential stuffing.
• Oversee and tune API security solutions (e.g., Traceable) for visibility, anomaly detection, and protection.
• Operate DAST and SAST platforms, ensuring they are integrated into CI/CD and providing actionable insights.

• Security Operations & Incident Response

• Lead response to AppSec-related incidents, including botnet activity, API abuse, and web exploitation attempts.

• Participate in the on-call rotation, ensuring timely detection, escalation, and remediation of critical application security events.
• Build playbooks for WAF/bot/API incident handling and drive continuous improvement of detection/response.
• Collaborate with SOC, DevOps, and development teams to remediate issues and strengthen defenses.

• Continuous Improvement

• Tune tools to reduce false positives and improve detection accuracy.

• Track tool coverage and effectiveness, providing metrics and reports to leadership.
• Engage with vendors to leverage updates, intelligence feeds, and advanced features.

• Collaboration & Governance

• Partner with application teams to align security policies with business requirements.

• Support compliance initiatives by ensuring tooling configurations meet regulatory/security standards.

Required Qualifications

• 4–6+ years of experience in information security or application security operations.
• Hands-on experience with Cloudflare WAF (or equivalent enterprise WAF).
• Experience managing bot defense tools (F5/Shape, Arkose, or similar).
• Familiarity with API security solutions (Traceable, Salt, or similar).
• Experience with DAST and/or SAST platforms in an enterprise environment.
• Strong understanding of OWASP Top 10 and API Security Top 10 threats.
• Background in incident response, particularly application and API security events.
• Willingness to participate in an on-call rotation for AppSec-related incidents.
• Ability to work Pacific Time (PT) business hours to support operational coverage.

Preferred Qualifications

• Experience integrating AppSec tools into CI/CD pipelines.
• Familiarity with SIEM/SOAR platforms for AppSec event enrichment and automation.
• Knowledge of cloud security (AWS, Azure, GCP) in relation to web and API workloads.
• Industry certifications (e.g., GWAPT, GWEB, CCSK, AWS Security Specialty) are a plus.