Application Security Engineer - Mid-Atlantic region (Remote in VA, MD, PA, NC, DE, NJ, or DC)

Remote, USA Full-time
Description

• Serve as the primary Application Security authority for Fortune 500 and public-sector clients across the Mid-Atlantic, delivering high-impact code reviews, threat-modeling workshops, and secure-SDLC programs that stop breaches before they reach production.
• Own end-to-end security assessments of cloud-native, micro-service, and legacy monolith applications written in Java, .NET, Python, Node.js, Go, and React—leveraging both manual techniques and automated toolchains to uncover OWASP Top 10, business-logic flaws, and cryptographic weaknesses.
• Translate complex vulnerability data into board-level narratives; produce executive briefings, risk-ranked remediation roadmaps, and developer-friendly fix guidance that shorten mean-time-to-remediate (MTTR) by 40 % on average.
• Embed with DevOps squads to “shift left” security via CI/CD pipeline integration (GitHub Actions, Jenkins, Azure DevOps, GitLab) using SAST/DAST, container image scanning, Infrastructure-as-Code (Terraform, CloudFormation) linting, and policy-as-code guardrails that block insecure builds pre-merge.
• Architect and deliver secure coding bootcamps, lunch-and-learns, and Capture-the-Flag events that upskill 200+ engineers per quarter, creating a self-sustaining security culture that reduces recurring bug classes by 60 % within two release cycles.
• Build and customize detection rules for SCA, SAST, DAST, and container scanners (Snyk, Checkmarx, Veracode, Burp Enterprise, Prisma, Twistlock) to eliminate false positives and surface high-signal, context-rich findings that developers actually trust.
• Perform threat modeling workshops using STRIDE, PASTA, and Kill-Chains on net-new product features, producing actionable abuse cases and control matrices that feed directly into sprint planning and architectural decision records (ADRs).
• Lead red-team / purple-team exercises against critical apps, chaining vulnerabilities to demonstrate exploitability, then coach blue-team counterparts on detection logic, log source onboarding, and SOAR playbooks that shrink dwell time to minutes.
• Evaluate and recommend AppSec platforms, budget allocations, and vendor shortlists; negotiate enterprise licensing that saves clients an average of 25 % while improving scanning coverage and API rate limits.
• Contribute to GuidePoint’s research arm by publishing blogs, CVEs, conference talks, and open-source security tools that elevate the firm’s thought-leadership brand and directly influence product security roadmaps across the industry.
• Maintain a deep understanding of FedRAMP, FISMA, PCI-DSS, HIPAA, SOX, and NYDFS regulations; map technical findings to specific control failures and assist QSA/auditor evidence collection to accelerate compliance cycles.
• Collaborate with 200+ elite consultants across cloud, IAM, GRC, and offensive practices in a “one-team” culture—sharing scripts, lessons learned, and quality-review feedback that collectively raise the bar for client deliverables.
• Utilize GuidePoint’s proprietary maturity frameworks to baseline client programs, benchmark against industry peers, and build multi-year transformation backlogs that secure budget and executive sponsorship for continuous improvement.
• Operate 100 % remote from VA, MD, PA, NC, DE, NJ, or DC with zero travel requirements; enjoy flexible scheduling that empowers you to deliver results, not sit in traffic, while still accessing quarterly regional meetups for networking and training.