Principal Engineer — Product & Application Security
- Full-time
Company Description
Organizations everywhere struggle under the crushing costs and complexities of “solutions” that promise to simplify their lives. To create a better experience for their customers and employees. To help them grow. Software is a choice that can make or break a business. Create better or worse experiences. Propel or throttle growth. Business software has become a blocker instead of ways to get work done.
There’s another option. Freshworks. With a fresh vision for how the world works.
Freshworks Inc. builds uncomplicated service software that delivers exceptional employee and customer experiences. Our people-first approach to AI eliminates friction, helping businesses reduce complexity, lower cost-to-serve, and deliver faster, more human support through enterprise-grade yet easy-to-use CX and IT solutions. Nearly 75,000 companies, including Bridgestone, New Balance, Nucor, S&P Global, and Sony Music, trust Freshworks to power their Employee Experience (EX) and Customer Experience (CX) operations.
Fresh vision. Real impact. Come build it with us.
Job Description
We are looking for a Principal Engineer — Product & Application Security to be the top technical authority for how Freshworks builds secure software. As an IC6 Principal, you set the multi-year security technical vision for our products and platform, make the calls on our hardest security-architecture problems, and are the person the company relies on when the stakes are highest — across a multi-tenant SaaS estate serving 72,000+ customer accounts and hundreds of integrations.
As Freshworks evolves from a suite of service products into an AI-first system of business intelligence — with autonomous agents, a Knowledge and Context Graph, and a growing agentic surface — the security bar must rise with it. This role goes beyond leading individual reviews and remediations: you define the secure-by-design paradigms, reference architectures, and organization-wide standards that determine how thousands of engineers ship, and you drive the strategic bets (AI/agent security, supply-chain integrity, zero-trust data protection) that keep Freshworks ahead of the threat curve.
You will operate as a company-wide force multiplier — writing code and reference implementations, setting technical direction that outlives any single project, mentoring Staff and Senior Staff security engineers, and partnering directly with VP Engineering, the CISO organization, and product leadership to make security a durable competitive advantage.
Key Responsibilities
Security Technical Vision & Strategy
- Own the multi-year technical vision and architecture strategy for product and application security across all Freshworks products (Freshdesk, Freshservice, and the shared Platform), and drive alignment on it across engineering and the CISO organization
- Define the secure-by-design reference architectures, paradigms, and organization-wide standards (authN/authZ, tenant isolation, data protection, secrets, API security) that thousands of engineers build against
- Set the strategic security agenda for the AI-first platform — securing the AI Agent Platform, Knowledge/Context Graph, and agentic workflows — anticipating threat classes before they reach production
- Act as the final technical decision-maker and tie-breaker on the hardest, highest-risk security-architecture trade-offs
Product & Application Security Engineering
- Lead threat modeling and security design reviews for the most critical, cross-cutting, and highest-risk systems — including identity and access, the integrations/connector framework (300+ apps), and the agent runtime
- Set the standard for secure code review, manual and AI-assisted penetration testing, and vulnerability analysis; drive root-cause remediation strategies that eliminate whole vulnerability classes across the estate, not one bug at a time
- Architect and harden multi-tenant security controls: strict tenant isolation, authentication/authorization models, secrets management, data protection, and API gateway security
- Own the security design for AI/agentic features — prompt injection defense, tool-invocation authorization, non-human identity, and permission-scoped context access
Left-Shift & Secure SDLC at Scale
- Define the organization-wide, AI-assisted left-shift strategy: how SAST, DAST (e.g., Snyk), SCA/dependency scanning, secret detection, and IaC scanning are embedded across every CI/CD pipeline to catch issues before production
- Set the direction for security tooling, automation, and paved-road frameworks and libraries that make the secure path the default path — including code-component asset inventory (API/SBOM/RBAC/secrets/integrations) and secure-by-default product hardening
- Own the software supply-chain security strategy: centralized software artifact repository management (e.g., Sonatype Nexus), code artifact repository guardrails, and CI/CD pipeline hardening
- Establish secure coding standards, golden patterns, and guardrails; operationalize threat modeling and maturity models (SAMM) across the product portfolio; and define the security quality gates the whole org is measured against
Vulnerability Management & Incident Response
- Serve as the top technical escalation point for the most severe security incidents — leading investigation, containment strategy, and post-incident architectural hardening
- Set the risk-based prioritization framework for findings from internal testing, bug bounty, third-party pen tests, and researcher disclosures, and drive systemic fixes
- Shape the strategy for the bug bounty and responsible-disclosure program
Technical Leadership & Influence
- Act as the recognized top IC authority for product security — mentoring and multiplying Staff and Senior Staff engineers and security champions, and raising the security bar across the entire engineering organization
- Influence company-level strategy: advise VP Engineering, the CISO organization, and product leadership; represent Freshworks' product-security posture to enterprise customers, auditors, and (where appropriate) the external security community
- Drive cross-organizational security initiatives to completion through technical credibility and clarity — building consensus across many teams without formal authority
Security Domains You'll Set Direction On
You will be expected to provide deep technical direction — and roll up your sleeves — across the full product security roadmap, including:
- Compliance & trust enablement: internal and external pen testing (PCI vault, VAPT), Google CASA, TX-RAMP control validation, SDLC documentation control reviews, audit evidence, risk assessment prioritization, and new-product-introduction (NPI) security assessments
- Continuous security assessment & automation: DAST onboarding for public APIs and continuous-deployment integration, SCA bug triage, CI/CD environment assessment, continuous control monitoring, security scorecards, and anomaly-detection rule configuration
- Shift-security-left: code-component asset inventory (API/SBOM/RBAC/secrets/integrations), supply-chain attack prevention, threat-modeling operationalization, and product-security maturity models (SAMM)
- Product security features: step-up authentication for sensitive operations, SCIM/secure SAML, OIDC federated SSO, OAuth for APIs and third-party apps, secrets injection, customer data masking, field-level encryption, BYOK, DNSSEC, header hardening (CSP/X-Frame), IMDSv2, egress proxy enforcement, hardcoded-secret cleanup, IAM role right-sizing, SIEM audit-log integration, and SSPM tool integration
Metrics & Impact
- Define the security KPIs the organization is held to: reduction in high/critical findings reaching production, coverage of critical services by threat models, mean time to remediate, and adoption of secure-by-default frameworks
- Deliver a measurable, sustained reduction in exploitable risk across the entire product portfolio while improving — not slowing — engineering velocity
Qualifications
Professional Experience
- 12+ years in software engineering and/or security, with deep, sustained hands-on ownership of application/product security for production SaaS at enterprise scale
- Track record as a Principal-level (or equivalent) individual contributor whose technical vision and standards shaped an entire engineering organization — you have defined direction that outlived individual projects
- Deep experience securing multi-tenant, cloud-native SaaS platforms (ideally on AWS), including tenant isolation, authN/authZ, and API security at scale
- Demonstrated impact eliminating vulnerability classes and setting the security frameworks, reference architectures, or paved roads adopted org-wide
Technical Expertise
- Authoritative, current knowledge of application security anchored in OWASP frameworks — Web Top 10, API Security Top 10, ASVS, the LLM Top 10, and the newer OWASP Agentic AI Top 10 (the real-world attack classes targeting autonomous agents) — plus secure design patterns, authentication/authorization (OAuth 2.0, OIDC, SAML, SCIM), session management, and cryptography
- Mastery of threat modeling (e.g., STRIDE), secure code review, and both manual and AI-assisted penetration testing across web, API, and cloud surfaces
- Deep experience embedding security into CI/CD at scale: SAST, DAST (e.g., Snyk, Snyk Code), SCA, secret scanning, IaC scanning, artifact-repository management (e.g., Sonatype Nexus), and container/Kubernetes security aligned to the OWASP Kubernetes Top Ten (RBAC, workload isolation, supply-chain, and misconfiguration risks)
- Strong coding ability in one or more of Ruby, Java, Go, Python, or JavaScript/TypeScript — enough to build reference implementations and security tooling and to be credible in any code review
- Deep cloud security expertise (AWS preferred): IAM and role right-sizing, network/egress controls, KMS/secrets management, BYOK/field-level encryption, and infrastructure-as-code (Terraform/CloudFormation)
- Authoritative grasp of cryptographic and compliance standards relevant to enterprise SaaS — e.g., FIPS 140-2/140-3, PCI, SOC 2, ISO 27001, and Google CASA / TX-RAMP control frameworks
- Deep understanding of securing AI/LLM and agentic systems — including Claude and other LLM security concerns such as prompt injection, insecure tool use, model/data exposure, and non-human identity
Leadership & Influence
- Ability to set technical direction for and influence an entire engineering organization — and senior executives (VP/CISO) — through technical credibility and clear communication
- A genuine service-oriented, "make the secure path the easy path" mindset toward internal developers
- A multiplier: track record of growing Staff and Senior Staff engineers and building a durable security-champion culture across distributed teams
Nice to Have
- Deep experience securing ITSM, CX/CRM, or service-management products and their data models
- Recognized external contributions: open-source security projects, published research, CVEs, standards bodies, or conference talks (e.g., Black Hat, DEF CON, OWASP)
- Industry certifications such as OSCP, OSWE, GWAPT, CISSP, or equivalent (valued, not required)
- Experience defining or scaling bug bounty / responsible-disclosure programs
- Deep familiarity with modern AI/ML stacks — LLMs, embeddings, RAG pipelines, and agent frameworks (LangGraph, MCP, A2A) — and their security models
- Experience shaping compliance and audit programs (SOC 2, ISO 27001, FedRAMP, GDPR)
Additional Information
Please note this is a hybrid role with onsite expectations of 3x/week (Tues - Thurs) from our San Mateo, CA headquarters.
The annual base salary range for this position is $241,000 - $298,000. This role is also eligible for a target bonus.
Compensation is based on a variety of factors, including but not limited to location, experience, job-related skills, and level.
Freshworks offers multiple options for dental, medical, vision, disability, and life insurance. Equity + ESPP, flexible PTO, flexible spending, commuter benefits, and wellness benefits are also offered. Freshworks also offers adoption and parental leave benefits.
At Freshworks, we have fostered an environment that enables everyone to find their true potential, purpose, and passion, welcoming colleagues of all backgrounds, genders, sexual orientations, religions, and ethnicities. We are committed to providing equal opportunity and believe that diversity in the workplace creates a more vibrant, richer environment that boosts the goals of our employees, communities, and business. Fresh vision. Real impact. Come build it with us.
By clicking the link above or any third-party link within this posting, you are leaving this site and going to a third-party website where the third-party website's terms and privacy policy apply