Role Overview
Mercor is hiring a mid-level Security Engineer, Application Security. This is a full-time role in San Francisco or NYC. Part of Mercor's Lifecycle hiring. Full responsibilities, required qualifications, and the apply link are listed in the description below.
Salary Context
Salary is not disclosed in this posting. Market median for Mid-level Lifecycle roles is $100k-$130k (based on 64 comparable listings). Many employers share specifics during the interview process or after an initial screen.
Resume Keywords to Include
Make sure these keywords appear in your resume to improve ATS scoring
Job description
ABOUT MERCOR
Mercor's mission is to organize human intelligence to power the AI economy. We partner with leading AI labs and enterprises to provide the human intelligence essential to AI development. Our vast talent network trains frontier AI models in the same way teachers teach students: by sharing knowledge, experience, and context that can't be captured in code alone. Today, more than 30,000 experts in our network collectively earn over $3 million a day.
Mercor is creating a new category of work where expertise powers AI advancement. Achieving this requires an ambitious, fast-paced and deeply committed team. You’ll work alongside researchers, operators, and AI companies at the forefront of shaping the systems that are redefining society. Mercor is a profitable Series C company valued at $10 billion. We work in-person five days a week in our San Francisco, NYC, or London offices.
You'll own application security at a company where the app layer is the highest-priority security surface. This is not a scan-and-triage role. You'll embed in the development lifecycle, review code for exploitable flaws, build security tooling into CI/CD, and drive vulnerability remediation across a platform serving 300K+ experts and enterprise clients processing sensitive AI training data.
We use AI heavily in our own security work. You should be comfortable building alongside AI code-gen tools, using LLMs to accelerate code review and threat modeling, and automating away the repetitive work that slows AppSec programs down. If you'd rather write a CodeQL query than file a Jira ticket, you'll fit in here.
We're in-person five days a week at our SF headquarters, with first Fridays remote.
WHAT YOU'LL BUILD:
- Security review workflows embedded in the SDLC - PR-level analysis that catches auth bugs, injection flaws, and business logic errors before they ship
- SAST/DAST pipelines integrated into CI/CD - shifting security left without slowing down deploys
- Vulnerability management processes that prioritize by real exploitability, not CVSS score
- Secure coding standards and guardrails that make the safe path the easy path for 50+ engineers
- Threat models for new features and architecture changes - especially around AI data pipelines, payment flows, and multi-tenant boundaries
- Bug bounty program operations - triaging HackerOne reports, validating findings, and driving fixes to closure
WHAT WE'RE LOOKING FOR
- You've found and fixed real vulnerabilities in production applications - not just run scanners
- Deep understanding of web application security: OWASP Top 10 is baseline, you think in terms of attack chains and business logic flaws
- Strong in at least one of Python, TypeScript, or Go - you can read a PR and spot the auth bypass
- Experience building or tuning SAST/DAST tooling (Semgrep, CodeQL, Snyk, Burp, or similar)
- You understand modern web frameworks, APIs, and authentication patterns well enough to threat model them
- Experience managing a vulnerability pipeline - from discovery through prioritization to verified remediation
- 5+ years of professional experience in application security, security engineering, or software engineering with a strong security focus
BONUS POINTS
- Experience running or triaging a bug bounty program (HackerOne, Bugcrowd)
- Offensive security skills - you've done penetration testing and can think like an attacker
- Experience securing AI/ML applications - model serving APIs, training data pipelines, prompt injection defense
- Familiarity with supply chain security - dependency scanning, registry firewalls (Socket, Snyk)
- You've built custom security tooling that a team still uses
- Contributions to open source security projects or published vulnerability research
WHY MERCOR
- The problem is real. Application security at scale is hard - you'll build defenses that matter across a fast-moving platform.
- AI-native AppSec. You'll use frontier AI tools daily - for code review, vulnerability analysis, and anything that benefits from an AI co-pilot.
- Ownership from day one. You'll own the entire application security domain - from code review processes to CI/CD security to bug bounty operations.
- See the future early. Working alongside AI labs means you'll understand frontier model capabilities months before the market.
Benefits
- Bi-annual performance bonus structure
- Generous equity grant vested over 4 years
- Up to $15k Relocation bonus
- $10K housing bonus (if you live within 0.5 miles of our office)
- $1.5K monthly stipend for meals
- Free Equinox membership
- $200 monthly laundry reimbursement
- $200 monthly personal wellness reimbursement
- Health, Dental, Vision insurance
About Mercor

Mercor
mercor.com
74 other open roles at Mercor on TryApplyNow.
Frequently Asked Questions
How do I apply for the Security Engineer, Application Security position at Mercor?
Use the Apply button above to submit your application directly to Mercor. Most applications take less than 5 minutes if your resume and contact details are ready, and you'll be routed to the employer's official application system to finish.
Where is the Security Engineer, Application Security position at Mercor located?
This position is based in San Francisco or NYC. Mercor has not indicated remote or hybrid options for this role, so candidates should plan for on-site work.
What does a Security Engineer, Application Security at Mercor earn?
Mercor has not disclosed a salary range in this posting. Many employers share specifics later in the interview process; you can also ask during a recruiter screen if compensation transparency is important to you.
When was the Security Engineer, Application Security role at Mercor posted?
This role was posted on April 15, 2026 (85 days ago). It's still listed as actively hiring; we re-confirm openings against the source system multiple times per day and remove closed roles.
Similar Jobs
Director, Corporate Purpose & Learning
Sandisk
Adversarial Security Test Engineer
Sandisk
Senior Product Manager – Software & Consumer Hardware
Sandisk
Technical Program Manager – Semiconductor & Memory Test Solutions
Sandisk
Billing Team Lead - North America
Sia
More Jobs at Mercor
View all →AI-powered job search
Get every job scored to your resume
Upload your resume and get jobs ranked, your resume tailored, and employee contacts found automatically.
Get started freeNo credit card to start