5 days ago

Senior/Lead/Principal Application Security Researcher

Salesforce

On Site
Full Time
$220,000
Tel Aviv-Yafo, Tel Aviv District, Israel

Job Overview

Job Title: Senior/Lead/Principal Application Security Researcher
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: $220,000
Location: Tel Aviv-Yafo, Tel Aviv District, Israel


Job Description

About Salesforce

Salesforce is the #1 AI CRM, where humans with agents drive customer success together. Here, ambition meets action. Tech meets trust. And innovation isn’t a buzzword — it’s a way of life. The world of work as we know it is changing and we're looking for Trailblazers who are passionate about bettering business and the world through AI, driving innovation, and keeping Salesforce's core values at the heart of it all.

Ready to level-up your career at the company leading workforce transformation in the agentic era? You’re in the right place! Agentforce is the future of AI, and you are the future of Salesforce.

We are looking for a Senior/Lead/Principal Application Security Researcher with a strong offensive security and research mindset to lead the discovery, analysis, and remediation of critical and systemic application security vulnerabilities across our products and platforms.

This role goes beyond finding individual bugs - it focuses on identifying root causes, architectural weaknesses, and recurring security anti-patterns, and driving secure-by-default solutions that prevent entire classes of vulnerabilities in the future.

You will work as a trusted partner to engineering teams, influencing design decisions, improving security posture at scale, and raising the overall security maturity of our applications.

Key Responsibilities

  • Lead offensive security assessments (manual testing, code review, architectural analysis, threat modeling) across complex application ecosystems.
  • Discover critical, high-impact, and systemic vulnerabilities rather than isolated or one-off issues.
  • Conduct security research to identify emerging attack vectors, abuse cases, and bypass techniques relevant to our applications and platforms.
  • Partner closely with software engineers, tech leads, and architects to:
    • Clearly explain risk, impact, and exploitability.
    • Design and implement effective remediations.
    • Ensure fixes are scalable, maintainable, and aligned with engineering realities.
  • Drive Secure by Default initiatives by:
    • Defining security guardrails, patterns, and baseline controls.
    • Eliminating insecure defaults and unsafe configurations.
    • Preventing future vulnerabilities through platform-level and framework-level changes.
  • Influence application and platform design early in the development lifecycle to prevent vulnerabilities before they are introduced.
  • Help shape security standards, best practices, and architectural guidance for application development.
  • Mentor engineers and security team members, raising overall security awareness and offensive security skills.
  • Collaborate with detection, monitoring, and incident response teams to improve visibility into real-world exploitation.

Required Qualifications

  • 5+ years of deep experience in Application Security with a strong offensive mindset.
  • Proven experience finding critical and systemic vulnerabilities in large-scale or complex applications.
  • Strong understanding of:
    • Web application security (OWASP Top 10 and beyond).
    • Authentication & authorization flaws.
    • API security.
    • Injection attacks, logic flaws, access control bypasses.
    • Secure design and threat modeling.
  • Hands-on experience with manual security testing (not relying solely on automated tools).
  • Ability to translate complex security findings into clear, actionable guidance for engineers.
  • Strong communication skills and experience working collaboratively with engineering teams.

Preferred Qualifications

  • Published security research and CVEs, including technical blogs, advisories, whitepapers, and conference presentations.
  • Experience driving platform-level or framework-level security improvements.
  • Background in security research, vulnerability discovery, or red teaming.
  • Experience influencing or leading Secure by Default / security-by-design initiatives.
  • Familiarity with cloud-native architectures, microservices, and large distributed systems.
  • Ability to balance security rigor with product velocity and developer experience.

Benefits & Perks

Check out our benefits site which explains our various benefits, including wellbeing reimbursement, generous parental leave, adoption assistance, fertility benefits, and more. Visit for the full

Open to Flex (1-3 days/week in the office), or Office-Based (4-5 days/week in the office)

Check out our Salesforce Engineering Blog

*IN SCHOOL OR GRADUATED WITHIN THE LAST 12 MONTHS? PLEASE VISIT FUTURE FORCE FOR OPPORTUNITIES*

Unleash Your Potential

When you join Salesforce, you’ll be limitless in all areas of your life. Our benefits and resources support you to find balance and be your best, and our AI agents accelerate your impact so you can do your best. Together, we’ll bring the power of Agentforce to organizations of all sizes and deliver amazing experiences that customers love. Apply today to not only shape the future — but to redefine what’s possible — for yourself, for AI, and the world.

Key skills/competency

  • Application Security
  • Offensive Security
  • Vulnerability Research
  • Threat Modeling
  • Secure Design
  • API Security
  • Cloud-Native Security
  • Code Review
  • Red Teaming
  • Security Architecture

Tags:

Application Security Researcher
Offensive Security
Vulnerability Research
Threat Modeling
Secure Design
API Security
Web Security
Cloud Security
Code Review
Red Teaming
OWASP Top 10
Authentication
Authorization
Microservices
Distributed Systems
AWS
Azure
GCP
SAST
DAST


How to Get Hired at Salesforce

  • Research Salesforce's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
  • Tailor your resume: Customize your resume to highlight application security, offensive security, and research experience relevant to Salesforce's needs.
  • Showcase problem-solving: Prepare to discuss specific examples of identifying and remediating systemic vulnerabilities in complex applications.
  • Master technical security concepts: Demonstrate deep knowledge of web application security, API security, and secure design principles during technical interviews.
  • Practice collaborative communication: Be ready to explain complex security findings clearly and effectively to engineering and non-technical stakeholders.
