ABOUT IVO
Ivo is an AI-powered contract intelligence platform built for in-house legal teams. Contracts are the foundation of all business, and we're building the AI-native platform that gets them signed and executed faster while surfacing the intelligence hidden inside every organization's library of agreements. We have a best-in-market product and are trusted by enterprise customers like IBM, Meta, Atlassian, Uber, Reddit, Pinterest, Canva, and CDW. We grew 6x in 2025 and are continuing to scale fast.
THE ROLE
We're hiring our first dedicated Lead Application Security Engineer to own the security of the Ivo platform end to end. You'll partner directly with our Head of IT & Security and embed deeply with engineering to harden the product our customers trust with their most sensitive contracts. This is a hands-on senior IC role with broad scope: hunting bugs in our web app and APIs, reviewing security-sensitive code, running our pen test and responsible disclosure programs, threat modeling new features, and shaping how we build secure software at Ivo from the ground up.
Our platform handles legally privileged documents for some of the largest companies in the world. The security stakes are real, and so is the impact.
RESPONSIBILITIES
- Own application security across Ivo's web app, API surface, and the systems behind them.
- Find and fix bugs. Hunt for vulnerabilities in our own product through hands-on testing, code review, and offensive-minded experimentation, and partner with engineers to ship the fix.
- Lead manual code review for security-sensitive changes: authentication, authorization, multi-tenancy, integrations, and customer data handling.
- Run threat modeling with engineering as new features and products are designed, across the full product surface including LLM and agent components.
- Manage our pen test program and ad-hoc engagements end to end. Scope work, manage vendors, triage findings, and drive remediation to closure with engineering.
- Run our responsible disclosure program, including researcher communications, validation, payments, and ongoing relationships with trusted external researchers.
- Build and maintain our application security tooling: SAST, DAST, SCA, secrets detection, and IaC scanning, with a strong bias toward signal over noise.
- Embed security into the SDLC: PR-time checks, security champions, design review gates, and secure-by-default patterns engineers actually want to use.
- Conduct deep reviews of identity and access surfaces (Firebase Auth, WorkOS, SSO, SAML, SCIM, RBAC) and partner with product on customer-facing security features.
- Investigate suspected security issues and lead application-layer incident response alongside engineering.
- Contribute application security input to enterprise security reviews, SOC 2 Type II, ISO 27001, ISO 42001, and customer-facing trust documentation.
- Mentor engineers on secure coding and be the go-to expert when teams have a security question.
WHO YOU ARE
- 4+ years in application security, product security, or offensive security at a SaaS company, including time owning security for a production platform.
- Strong hands-on web application pen testing skills. You can find real bugs in real code, not just run scanners.
- Deep experience reviewing code in TypeScript / Node and Python. You're comfortable reading and writing code, not just reviewing it.
- Strong background in web application security: OWASP Top 10, auth and authorization design (OAuth, OIDC, SAML, SSO), multi-tenant isolation, and modern API security.
- Practical experience with cloud security in GCP and Azure, plus container and Kubernetes security (AKS or similar).
- Experience managing pen tests, bug bounty programs, or responsible disclosure programs end to end.
- Track record of partnering with engineering rather than blocking them. You ship paved roads, not tickets.
- Excellent written communication. You can write a Slack post that engineers actually want to read, a finding writeup that's genuinely actionable, and a security review that an enterprise prospect respects.
- A strong internal sense of urgency and a bias toward shipping today rather than tomorrow.
NICE TO HAVE
- Experience securing AI / LLM features in production: prompt injection defenses, agent guardrails, and AI-specific threat modeling.
- Series B or earlier experience where you built or scaled a security function from limited scaffolding.
- OSCP, OSWE, or comparable hands-on offensive security credentials.
- CVE credit, published research, or contributions to open-source security tooling.
- Experience designing security as customer-facing product (SSO domain verification, SCIM, IP allowlisting, audit logging, RBAC).
- Background supporting enterprise customers in regulated industries.
WHY THIS ROLE MATTERS
Ivo's customers entrust us with their most sensitive contracts. As we move further upmarket and into more regulated industries, the strength of our application security program is becoming a direct driver of enterprise revenue and a key differentiator at the deal table. This role owns the technical security of the product itself. The person who fills it will shape what "secure by default" means at Ivo for years to come.
WHY JOIN IVO
We are building a generational company. We can't overstate how much pain organizations have around understanding what's in their contracts. There have been no viable solutions for decades. Our engineers solved it, and we celebrate and reward high agency. You'll make an impact from day one, work alongside people who genuinely enjoy each other, and have a direct hand in how the category-defining product in enterprise contract intelligence is built and defended.
COMPENSATION AND BENEFITS
- Competitive Compensation: The USD base range for this role is $225,000 - $400,000, with equity offered on top of this. Final offer details are determined based on experience, expertise, and overall fit.
- Relocation and Visa Support: We also offer relocation assistance for successful applicants moving to SF, as well as support for visa and green card applications where applicable.
- Medical Benefits: Comprehensive medical, dental and vision plans to suit the needs of you and your family.
- 401(k) Program: Plan for your future with access to our company-sponsored 401(k) program.
- Commuter Benefits: We provide commuter benefits to help make getting to and from the office easier and more convenient.
- Unlimited PTO: So you can take the time you need to recharge, stay healthy, and bring your best self to work.
- Office Perks: Enjoy a vibrant Downtown San Francisco office with catered lunch provided five days a week, premium snacks and coffee, a gym located in the building, and a dog-friendly environment!