Security Engineer
Security Engineer is an umbrella over several distinct hiring tracks — cloud security, application security (AppSec), network/infrastructure security, and detection & response — that share a common core but increasingly get judged on different things. In practice the job runs on a small number of levers: fluency in at least one major cloud platform (AWS shows up in roughly two-thirds of current postings, with GCP and Azure close behind), Python for scripting and tooling, and a default instinct to threat-model rather than just run a checklist. The "security cop who says no to everything" stereotype is largely wrong for how the job reads in real postings: the highest-leverage work is embedded partnership — reviewing PRs and designs, writing secure-coding guidance, and being judged on whether developers actually adopt what you build, not on whether the guardrails exist. And it's not primarily offensive hacking — pentesting and red-team work show up as a real specialization, not the default job. One thing that's shifted fast: securing AI and agentic systems (prompt injection, tool/MCP misuse, LLM-driven pipelines) is no longer a frontier-lab curiosity. It now shows up in roughly one in five current postings across fintechs, dev-tool companies, and infra shops alike, which makes it closer to a mainstream expectation than a niche specialty.
What matters most for this role
Threat modeling is named as an explicit, primary work product at the frontier (Anthropic's Staff+ posting includes 'threat modeling for AI systems' as core scope).
Anthropic's Staff+ posting lists 'ability to operate with high autonomy and ambiguity' as a minimum requirement, and threat modeling for AI systems 'whose risks fall outside existing frameworks' is an explicit job task.
Detection & Response sub-specialization centers on owning incident response; Anthropic's Staff+ posting names 'standard on-call for incident response' as a job requirement.
AppSec is embedded partnership: 'working closely with engineering teams,' consulting with developers/PMs on security standards, educating teams — explicitly not the 'security cop' stereotype.
Risk/vulnerability assessment and incident postmortems require crossing layers (app code, infra, adversary behavior) under real-time hypothesis-forming.
A day in this role
Expect a rotation between hands-on assessment and advisory work: reviewing architecture for a new service through a formal threat-modeling or design-review gate before it ships, and running vulnerability assessments across apps, cloud, and network — then tracking remediation to actual closure, not just filing the finding and moving on. On-call and incident response (detection, triage, containment, postmortem) show up as a named, formal rotation in a real minority of postings, and as a recurring responsibility well beyond that even outside dedicated detection-and-response titles. Application-security-leaning roles look like embedded partnership: pairing with developers, writing rules for tools like Semgrep, and getting judged on whether people actually use what you ship. Cloud- and infra-leaning roles spend more time on IAM hardening — least-privilege access reviews, SSO/identity provider integration, secrets management — and on wiring security scanning directly into CI/CD rather than gating it at the very end. A newer thread now cutting across all of it: threat-modeling AI and agentic product surfaces specifically, which about one in five postings call out by name as real, current scope rather than a hypothetical. At senior/staff/principal level, the job shifts from ticket-level work to owning a program area (detection engineering, product security) and mentoring other engineers, with translating compliance regimes (SOC 2, ISO 27001, PCI, NIST) into concrete engineering asks a constant undercurrent regardless of level.
Comp structure
Typical: $195K
Base-heavy with equity, tracking general software engineering comp discipline rather than a separate security pay scale. Real posted ranges from current listings span roughly $190K-$330K for senior-to-principal roles at companies like Stripe, Vercel, Sentry, CoreWeave, and Marqeta, with Staff+ postings at frontier AI labs reaching $320K-$485K. Worth knowing before you assume the number is fixed: the same title can pay very differently depending on track — one company's commercial-track Application Security Engineer role posts $135K-$200K, while its government-facing "Forward Deployed" security role posts $90K-$150K for comparable seniority, so defense/gov-contractor work is not automatically a shortcut to the higher bands. Entry-level security work (SOC analyst and similar feeder roles, not yet titled "security engineer") pays far less — commonly $70K-$85K — and the realistic path to "security engineer" titling and the higher bands above typically takes 5-8 years, not a fast bootcamp-to-six-figures jump.
▸ Data notes▾ Data notes
▸ Full compensation breakdown by level and company tier▾ Full compensation breakdown by level and company tier
Compensation by Company Tier
Total compensation (base + bonus + annualized equity) across five company tiers, at each career level. The same role pays very differently depending on where you take it.
security-engineer · total comp (base + bonus + annualized equity) · P25–P75 band, P50 median
Equity Reality Check
The guaranteed money (base + bonus) against the equity upside. Startup equity is illiquid — the equity figure is annualized paper value at vest, not cash in hand.
Examples of real job postings
snapshot from 2026-07-12Real postings from the research corpus behind this archetype. Click one to read the actual listing.
How to test this cheaply
Pick a system you already know well (a side project, or a service at work you have access to) and run a real threat-modeling pass on it — write down concrete attack paths, not just a generic checklist — and notice whether that exercise energizes you or feels like a chore.
Separately, most security-engineering paths run through a SOC-analyst or application-security on-ramp; shadowing a SOC analyst's shift, or pairing with an AppSec engineer to write and test a single Semgrep rule against a real codebase, is a low-cost way to see the entry-level reality (queue-driven triage, developer consultations, actual tool-writing) before committing to the multi-year path toward the senior comp figures above.
Do this role, or hire for it? Rate how much each trait actually matters. Role-holder and hiring-manager ratings are kept separate, and no single rating changes the model; ratings are aggregated with anti-gaming thresholds before they factor in.