TL;DR: We're seeking a deeply technical Application Security Engineer with 5+ years' experience to embed within an engineering tribe and help secure Cloudsmith 2.0, the operating system for the modern software supply chain. We are ideally looking for someone who has previous experience as a software engineer, who then chose to specialise in security, and who can earn trust in design, code, and architecture conversations with strong engineers.
About Cloudsmith
Cloudsmith is the world’s most powerful artifact management platform. Software organizations of all sizes rely on Cloudsmith to control and secure their software supply chains. Cloudsmith allows customers to manage curated private repositories that proxy public open-source software registries, providing a single source of truth that serves as the data plane and the control plane for managing build artifacts. Developers use these repositories as their trusted source for build artifacts. We support over 30 formats, including most popular languages, package managers, operating systems, and AI and container protocols.
We’re aimed at the enterprise, with built-in comprehensive security and advanced features for policy enforcement, integrations, and observability. Customers consider Cloudsmith to be critical infrastructure as a central part of their software build chain.
Cloudsmith is built by developers, for developers. We treasure the developer experience. The Tao of Cloudsmith expresses the values we live by every day. This is a special company, and now is a great time to join us.
The Role
As an Application Security Engineer, you'll report to the Head of Security and embed directly into one of our engineering tribes, working alongside the engineers building Cloudsmith 2.0.
This role is hands-on. We need someone who can read production code, threat-model real systems, push back on weak designs, follow a vulnerability across services and data stores, and write the tooling that makes secure-by-default the easy path.
You should be technical enough to contribute to design, code, and architecture discussions with senior and principal engineers, to hold robust discussions on how to remediate risk, and to enable security tooling that keeps us secure by default. You will be a diplomat who works with engineering to secure the full SDLC.
The work you do here doesn't just protect Cloudsmith. It transitively protects the millions of developers and downstream consumers who depend on artifacts flowing through us every day.
Required Experience, Qualities & Skills
Embedded Security Engineering
Review, advise, and de-risk current and upcoming work; partner with the Engineering Manager and Product Manager to bring security work into delivery cycles.
Lead threat modeling, secure design reviews, and security architecture conversations across distributed, cloud-native systems.
Perform secure code review across our Django/Python core, Celery workers, TypeScript/Node frontends, and supporting services, and coach engineers to do the same.
Report back to the Head of Security on risks, blockers, and emerging threats relevant to your tribe and the wider platform.
Secure Pipelines & Tooling
Build, tune, and operate SAST, DAST, SCA, secrets-scanning, and runtime security tooling.
Make security feedback land in the developer loop, not in a quarterly report.
Harden APIs, container runtimes, IaC (Terraform), and CI/CD pipelines; design and review controls for tenant isolation across our AWS footprint.
Strengthen supply chain controls inside our product (provenance, signing, attestation, policy enforcement) and inside how we build and ship Cloudsmith itself.
Write production-quality code to build security automation, paved roads, and reusable libraries, not just configure vendor products.
Detection, Response & Programme
Conduct penetration testing and vulnerability assessment of services, infrastructure, and artifact pipelines; triage findings from internal testing, third-party pen tests, and responsible disclosure.
Extend our detection and response capability in DataDog, AWS Security Hub, and related tooling; act as a technical lead in security incident response, including red/blue exercises.
Support evidence collection and technical control work for our compliance programmes (SOC 2, ISO 27001, EU CRA, and emerging frameworks), in partnership with GRC.
Mentor engineers across the tribe and broader organisation, enabling our secure-coding standards and growing future security champions.
Help evaluate, select, and roll out new security tools and frameworks as we mature toward IPO-readiness.
Cultural Values We're Looking For
Build and break: You love both, and you love stopping bad actors from breaking the things you helped build.
Engineering-first security: Security should enable, not block. Strong opinions, loosely held, balanced with sound judgment.
Builder mindset: Close to the work, automating the boring stuff, occasionally shipping a 'sploity proof of concept to make the risk land.
High standards, low ego: Raise the bar while respecting the ideas and opinions of others.
Calm under pressure: Good judgment for incidents, ambiguity, and hard conversations.
Clear thinking: Turns messy problems into decisions and trade-offs.
Ownership: Cares that the team is healthy, the platform is safe, and customers can trust what we ship.
Impact & Opportunity
This role helps shape application security for a platform that is itself securing the software supply chain for organisations from startups to the Fortune 500.
AI is increasing the rate at which software is created and changed. Enterprises need stronger controls, better provenance, clearer trust decisions, and a faster path to delivery. You'll help build, harden, and operate the infrastructure that records, governs, and delivers software artifacts at scale, and make sure it stays trustworthy as we grow.
Growth & Development
This role is a strong fit for someone who wants to grow into principal-level depth in application security or supply chain security.
We're looking for someone who can do the work today, but who also wants to understand company strategy, architecture, product direction, and how a great security function is built, from Series C through public-company scale.
As the function grows, you'll have the opportunity to:
Shape our application security roadmap with the Head of Security and the CTO.
Help define how security engineers embed within engineering tribes long-term, including how we rotate, specialise, and grow principal-level depth.
Influence secure coding standards, paved roads, and tooling choices that affect every engineer at the company.
Mentor more junior security hires and help define the path from senior to principal security engineer at Cloudsmith.
Represent Cloudsmith externally, at conferences, in open source, in our security content, and with customers, as a credible voice in supply chain and application security.
Benefits, Location & Work Environment
Note: You must be based in Ireland or the United Kingdom and have the right to work independently without requiring sponsorship.
Headlines
A position based in Ireland or the United Kingdom.
A competitive compensation package, including equity.
With comprehensive health, dental, and vision insurance.
Plus, generous annual leave and flexible working policies to suit your lifestyle.
Including a professional development budget for conferences and training.
In a dynamic, innovative, trust-centric, and supportive work environment.
With the opportunity to shape a fast-growing Series B startup (and beyond).
Regular (monthly-ish) travel may be required for team meetings.
Regular (quarterly-ish) travel may also be required for events and customers.
Health and Wellness
Regardless of your location, we deeply care about the health and wellness of our staff and their families; a sustainable pace is important to us. In addition to generous annual leave (PTO), we offer health and wellbeing benefits along with flexible family-friendly working policies.
Personal Growth
You will have an enormous opportunity to learn new skills alongside your colleagues, and your continued professional development is essential to us because it's important to you. We will support you with budgets for equipment, training, books, conferences, travel, and certifications. The more powerful you become, the better for all of us.
Facilities
Cloudsmith is headquartered in Belfast, Northern Ireland, with fully-equipped office space that’s open 24x7. We use our H.Q. regularly for activities like working sessions, team planning, meets and greets, and sometimes other group activities (like games!). We also hold all-hands offsites in Belfast thrice yearly, with guest speakers and team activities. Many Cloudsmithers work remotely, so we rely on our online collaboration tools; Slack, Google Docs, Linear, and other popular collaboration tools are how we work.
About Equal Opportunity
Cloudsmith is an equal-opportunity employer proud to nurture a diverse workplace that welcomes applications from individuals of all races, genders, and ethnic groups. We do not discriminate on age, religion, sexual orientation, citizenship status, military service, or health conditions. We will not tolerate discrimination of any kind within our workforce.
The Final Word
We're looking for a software engineer at heart who chose to specialise in security, and who is now ready to bring around five years of application security craft to a company whose entire reason for being is securing the software supply chain.
You won't be alone. You'll join a small, senior, security-forward team alongside other security engineers, GRC, and IT Ops, all of us pulling on the same oar. Together, we'll define how a modern application security function supports secure, scalable growth at Cloudsmith on the road to IPO.
If that sounds like the boat you want to be in, apply.