Senior/Lead/Principal Application Security Researcher

To get the best candidate experience, please consider applying for a maximum of 3 roles within 12 months to ensure you are not duplicating efforts.

Job Category

Product

Job Details

About Salesforce

Salesforce is the #1 AI CRM, where humans with agents drive customer success together. Here, ambition meets action. Tech meets trust. And innovation isn’t a buzzword — it’s a way of life. The world of work as we know it is changing and we're looking for Trailblazers who are passionate about bettering business and the world through AI, driving innovation, and keeping Salesforce's core values at the heart of it all.

Ready to level-up your career at the company leading workforce transformation in the agentic era? You’re in the right place! Agentforce is the future of AI, and you are the future of Salesforce.

We are looking for a Senior/Lead/Principal Application Security Researcher with a strong offensive security and research mindset to lead the discovery, analysis, and remediation of critical and systemic application security vulnerabilities across our products and platforms.
 

This role goes beyond finding individual bugs - it focuses on identifying root causes, architectural weaknesses, and recurring security anti-patterns, and driving secure-by-default solutions that prevent entire classes of vulnerabilities in the future.

You will work as a trusted partner to engineering teams, influencing design decisions, improving security posture at scale, and raising the overall security maturity of our applications.

Key Responsibilities:

• Lead offensive security assessments (manual testing, code review, architectural analysis, threat modeling) across complex application ecosystems.

• Discover critical, high-impact, and systemic vulnerabilities rather than isolated or one-off issues.

• Conduct security research to identify emerging attack vectors, abuse cases, and bypass techniques relevant to our applications and platforms.

• Partner closely with software engineers, tech leads, and architects to:

• Clearly explain risk, impact, and exploitability.

• Design and implement effective remediations.

• Ensure fixes are scalable, maintainable, and aligned with engineering realities.

• Drive Secure by Default initiatives by:

• Defining security guardrails, patterns, and baseline controls.

• Eliminating insecure defaults and unsafe configurations.

• Preventing future vulnerabilities through platform-level and framework-level changes.

• Influence application and platform design early in the development lifecycle to prevent vulnerabilities before they are introduced.

• Help shape security standards, best practices, and architectural guidance for application development.

• Mentor engineers and security team members, raising overall security awareness and offensive security skills.

• Collaborate with detection, monitoring, and incident response teams to improve visibility into real-world exploitation.

Required Qualifications:

• Deep expertise in Application Security with a strong offensive / attacker mindset.

• Proven experience finding critical and systemic vulnerabilities in large-scale or complex applications.

• Strong understanding of:

• Web application security (OWASP Top 10 and beyond).

• Authentication & authorization flaws.

• API security.

• Injection attacks, logic flaws, access control bypasses.

• Secure design and threat modeling.

• Hands-on experience with manual security testing (not relying solely on automated tools).

• Ability to translate complex security findings into clear, actionable guidance for engineers.

• Strong communication skills and experience working collaboratively with engineering teams.

Preferred Qualifications:

• Published security research and CVEs, including technical blogs, advisories, whitepapers, and conference presentations.

• Experience driving platform-level or framework-level security improvements.

• Background in security research, vulnerability discovery, or red teaming.

• Experience influencing or leading Secure by Default / security-by-design initiatives.

• Familiarity with cloud-native architectures, microservices, and large distributed systems.

• Ability to balance security rigor with product velocity and developer experience.

Benefits & Perks:

Check out our benefits site which explains our various benefits, including wellbeing reimbursement, generous parental leave, adoption assistance, fertility benefits, and more. Visit for the full

Open to Flex (1-3 days/week in the office), or Office-Based (4-5 days/week in the office)

Check out our Salesforce Engineering Blog

*IN SCHOOL OR GRADUATED WITHIN THE LAST 12 MONTHS? PLEASE VISIT FUTURE FORCE FOR OPPORTUNITIES*

Unleash Your Potential

When you join Salesforce, you’ll be limitless in all areas of your life. Our benefits and resources support you to find balance and be your best, and our AI agents accelerate your impact so you can do your best. Together, we’ll bring the power of Agentforce to organizations of all sizes and deliver amazing experiences that customers love. Apply today to not only shape the future — but to redefine what’s possible — for yourself, for AI, and the world.

Accommodations

If you require assistance due to a disability applying for open positions please submit a request via this Accommodations Request Form.

Posting Statement

Salesforce is an equal opportunity employer and maintains a policy of non-discrimination with all employees and applicants for employment. What does that mean exactly? It means that at Salesforce, we believe in equality for all. And we believe we can lead the path to equality in part by creating a workplace that’s inclusive, and free from discrimination. Know your rights: workplace discrimination is illegal. Any employee or potential employee will be assessed on the basis of merit, competence and qualifications – without regard to race, religion, color, national origin, sex, sexual orientation, gender expression or identity, transgender status, age, disability, veteran or marital status, political viewpoint, or other classifications protected by law. This policy applies to current and prospective employees, no matter where they are in their Salesforce employment journey. It also applies to recruiting, hiring, job assignment, compensation, promotion, benefits, training, assessment of job performance, discipline, termination, and everything in between. Recruiting, hiring, and promotion decisions at Salesforce are fair and based on merit. The same goes for compensation, benefits, promotions, transfers, reduction in workforce, recall, training, and education.