Implement and tune runtime controls (e.g., behavioral detection, anomaly and abuse prevention, bot defense, schema enforcement, mTLS/OAuth validation, rate limiting, and threat response) across API gateways, service mesh, and edge layers.
Partner with engineering teams to define and promote secure API patterns (authentication/authorization, input validation, error handling, pagination, idempotency, versioning, and least-privilege access).
Provide practical guidance aligned to the OWASP API Security Top 10 and modern design standards (OpenAPI/JSON Schema).
Build automation that embeds API security into CI/CD (policy-as-code, automated checks against OpenAPI specs, secrets scanning, SAST/DAST/API testing, and runtime-to-ticket workflows).
Develop dashboards and analytics using API telemetry and security findings to measure risk, adoption, control effectiveness, and program outcomes.
Help define governance for API inventories, ownership, classification, security requirements, exception handling, and control validation.
Work with product and platform teams to integrate security requirements into backlog planning, threat modeling, design reviews, testing, release readiness, and incident response.
Map controls and program outcomes to relevant industry frameworks and expectations (e.g., NIST, ISO 27001, PCI DSS, FAPI, and OWASP guidance).
Requirements
5+ years of related IT and cyber protection experience desired.
Strong foundation in API security concepts: authN/authZ (OAuth2/OIDC, JWT), session/token handling, scopes/claims, rate limiting, schema validation, and common API abuse patterns.
Practical experience with runtime protection in one or more of API gateways, WAF/WAAP, service mesh, ingress controllers, or specialized API security platforms.
Experience building automation in CI/CD and cloud-native environments (policy-as-code, scripting, pipelines, Git-based workflows).
Ability to use data and telemetry (logs, traces, metrics) to detect issues, tell a clear story, and drive priorities.
Working knowledge of secure software development and DevSecOps practices, and the ability to influence engineering outcomes through partnerships.
Comfort collaborating across security, SRE, platform, and application teams with clear communication, pragmatic decision-making, and strong follow-through.
Expert knowledge of and experience with maintaining cyber technologies that can protect operational API systems, such as Traceable, Salt Security, or NoName.
Bachelor’s degree in computer science, or a relevant field, or an equivalent combination of education, work, and/or military experience.