Security Research Engineer

Job Description Harness is a high-growth company that is disrupting the software delivery market. Our mission is to enable the 30 million software developers in the world to deliver code to their users reliably, efficiently, securely and quickly, increasing customers pace of innovation while improving the developer experience. We offer solutions for every step of the software delivery lifecycle to build, test, secure, deploy and manage reliability, feature flags and cloud costs. The Harness Software Delivery Platform includes modules for CI, CD, Cloud Cost Management, Feature Flags, Service Reliability Management, Security Testing Orchestration, Chaos Engineering, Software Engineering Insights and continues to expand at an incredibly fast pace. Harness is led by technologist and entrepreneur Jyoti Bansal, who founded AppDynamics and sold it to Cisco for $3.7B. We're backed with $425M in venture financing from top-tier VC and strategic firms, including J.P. Morgan, Capital One Ventures, Citi Ventures, ServiceNow, Splunk Ventures, Norwest Venture Partners, Adage Capital Partners, Balyasny Asset Management, Gaingels, Harmonic Growth Partners, Menlo Ventures, IVP, Unusual Ventures, GV (formerly Google Ventures), Alkeon Capital, Battery Ventures, Sorenson Capital, Thomvest Ventures and Silicon Valley Bank. Key Responsibilities - Contribute to research on modern attack vectors across source code, dependencies, build systems, and CI/CD pipelines. - Assist in developing scanning and detection techniques for SAST, SCA, and DAST to identify security flaws early in the development process. - Perform hands-on assessments of web applications, APIs, and build pipelines under guidance to uncover design flaws, misconfigurations, and dependency risks. - Study software supply chain threats and contribute to identifying and mitigating risks across open-source ecosystems. - Perform hands-on assessments of code, applications, APIs, and build pipelines under guidance to uncover design flaws, misconfigurations, and security risks. - Help build and test prototype tools that automate vulnerability detection and developer workflow integration. - Collaborate with research, product, and engineering teams to validate findings and implement security improvements in developer environments. - Stay current with new vulnerabilities, frameworks, and DevSecOps practices to identify emerging threats relevant to modern software delivery. - Document findings and share insights through internal reports, knowledge bases, or external blog drafts. Required Skills & Experience - Bachelor's degree in Computer Science, Cybersecurity, or a related field (or equivalent practical experience). - 1 - 4 years of experience application security or security research - Foundational understanding of Shift-Left Security concepts such as SAST, SCA, and DAST. - Understanding of CI/CD pipelines, build systems, and developer workflows. - Interest in AI and LLM models, and curiosity about how they impact software security (e.g., insecure code generation, data leakage, dependency risks). - Familiarity with dependency management ecosystems (npm, PyPI, Maven, Go modules) and basic knowledge of software supply chain risks. - Passion for research, security, and continuous learning, with a never-give-up attitude. - Knowledge of OWASP Top 10, API Top 10, LLM Top 10, CI/CD Top 10. - Strong analytical mindset with curiosity for exploring how attackers exploit weaknesses in code and pipelines. - Proficiency in Java and Python for prototyping and automating rule validation workflows. - Excellent communication, documentation, and cross-functional collaboration skills. Nice to Have - Contributions to open-source security projects, especially those related to the OWASP Top 10 or OWASP API Top 10. - Experience developing custom WAF/WAAP rule engines, threat classifiers, or signal correlation pipelines. - Background in API security, runtime protection, or detection engineering at scale. - Authored publications, technical blogs, or delivered conference talks. Harness In The News - Harness AI Tackles Software Development's Real Bottleneck - After Vibe Coding Comes Vibe Testing (Almost) - Startup Within a Startup: Empowering Intrapreneurs for Scalable Innovation - Jyoti Bansal (Harness) - Jyoti Bansal, Harness | theCUBEd Awards - Eight years after selling AppDynamics to Cisco, Jyoti Bansal is pursuing an unusual merger - Harness snags Split.io, as it goes all in on feature flags and experiments - Exclusive: Jyoti Bansal-led Harness has raised $150 million in debt financing All qualified applicants will receive consideration for employment without regard to race, color, religion, sex or national origin. Note on Fraudulent Recruiting/Offers We have become aware that there may be fraudulent recruiting attempts being made by people posing as representatives of Harness. These scams may involve fake job postings, unsolicited emails, or messages claiming to be from our recruiters or hiring managers. Please note, we do not ask for sensitive or financial information via chat, text, or social media, and any email communications will come from the domain @harness.io. Additionally, Harness will never ask for any payment, fee to be paid, or purchases to be made by a job applicant. All applicants are encouraged to apply directly to our open jobs via our website. Interviews are generally conducted via Zoom video conference unless the candidate requests other accommodations. If you believe that you have been the target of an interview/offer scam by someone posing as a representative of Harness, please do not provide any personal or financial information and contact us immediately at [Confidential Information]. You can also find additional information about this type of scam and report any fraudulent employment offers via the Federal Trade Commission's website (https://consumer.ftc.gov/articles/job-scams), or you can contact your local law enforcement agency.