Application Security Engineer - Mid-Atlantic region (Remote in VA, MD, PA, NC, DE, NJ, or DC)

Description • Serve as the primary Application Security authority for Fortune 500 and public-sector clients across the Mid-Atlantic, delivering high-impact code reviews, threat-modeling workshops, and secure-SDLC programs that stop breaches before they reach production. • Own end-to-end security assessments of cloud-native, micro-service, and legacy monolith applications written in Java, .NET, Python, Node.js, Go, and React—leveraging both manual techniques and automated toolchains to uncover OWASP Top 10, business-logic flaws, and cryptographic weaknesses. • Translate complex vulnerability data into board-level narratives; produce executive briefings, risk-ranked remediation roadmaps, and developer-friendly fix guidance that shorten mean-time-to-remediate (MTTR) by 40 % on average. • Embed with DevOps squads to “shift left” security via bolthires/CD pipeline integration (GitHub Actions, Jenkins, Azure DevOps, GitLab) using SAST/DAST, container image scanning, Infrastructure-as-Code (Terraform, CloudFormation) linting, and policy-as-code guardrails that block insecure builds pre-merge. • Architect and deliver secure coding bootcamps, lunch-and-learns, and Capture-the-Flag events that upskill 200+ engineers per quarter, creating a self-sustaining security culture that reduces recurring bug classes by 60 % within two release cycles. • Build and customize detection rules for SCA, SAST, DAST, and container scanners (Snyk, Checkmarx, Veracode, Burp Enterprise, Prisma, Twistlock) to eliminate false positives and surface high-signal, context-rich findings that developers actually trust. • Perform threat modeling workshops using STRIDE, PASTA, and Kill-Chains on net-new product features, producing actionable abuse cases and control matrices that feed directly into sprint planning and architectural decision records (ADRs). • Lead red-team / purple-team exercises against critical apps, chaining vulnerabilities to demonstrate exploitability, then coach blue-team counterparts on detection logic, log source onboarding, and SOAR playbooks that shrink dwell time to minutes. • Evaluate and recommend AppSec platforms, budget allocations, and vendor shortlists; negotiate enterprise licensing that saves clients an average of 25 % while improving scanning coverage and API rate limits. • Contribute to GuidePoint’s research arm by publishing blogs, CVEs, conference talks, and open-source security tools that elevate the firm’s thought-leadership brand and directly influence product security roadmaps across the industry. • Maintain a deep understanding of FedRAMP, FISMA, PCI-DSS, HIPAA, SOX, and NYDFS regulations; map technical findings to specific control failures and assist QSA/auditor evidence collection to accelerate compliance cycles. • Collaborate with 200+ elite consultants across cloud, IAM, GRC, and offensive practices in a “one-team” culture—sharing scripts, lessons learned, and quality-review feedback that collectively raise the bar for client deliverables. • Utilize GuidePoint’s proprietary maturity frameworks to baseline client programs, benchmark against industry peers, and build multi-year transformation backlogs that secure budget and executive sponsorship for continuous improvement. • Operate 100 % remote from VA, MD, PA, NC, DE, NJ, or DC with zero travel requirements; enjoy flexible scheduling that empowers you to deliver results, not sit in traffic, while still accessing quarterly regional meetups for networking and training. Apply tot his job Apply tot his job