Senior Security Researcher - AI Team

Cycode is an agentic application security company. AI writes the code - we secure and govern it. We bring together control, context, and autonomy to keep AI-driven development safe across the entire development lifecycle: code, secrets, dependencies, infrastructure-as-code, containers, and the CI/CD pipelines that tie them together - unified by our Context Intelligence Graph and a growing fleet of AI agents that fix risk at machine speed.

Our AI Research team builds the agents at the heart of that autonomy, and our work ships straight into the product: the Exploitability Agent that confirms whether a CVE is actually reachable, the Remediation Agent that generates PR-ready fixes with reasoning, the Graph Agent for natural-language queries over the development lifecycle, and Maestro - the AI teammate that orchestrates them across the vulnerability lifecycle. We're moving fast, and we want a security expert at the center of it.

About the role:

We're hiring a Senior Security Researcher to be the security authority behind our AI agents, and the person who decides what "good" means. As our agents take on more of the security workflow, the hardest question stops being "can we build it?" and becomes "is the agent actually right?" Answering that takes someone who understands how vulnerabilities are found, exploited, and remediated at a deep level, and who can turn that judgment into rigorous, repeatable benchmarks the whole team builds against. You'll own those benchmarks. You'll encode your security expertise directly into the agents - the guidelines, heuristics, and domain knowledge they reason with, and guide how they improve over time. You'll help us understand the real complexity behind the features we want to build, and break them into deliverable pieces. And you'll do it with a genuine appetite for experimental AI - comfortable getting your hands dirty with frontier models and agent tooling, not intimidated by it.

What you'll do:

• Own our benchmarks and evaluations. Define what "correct" and "high quality" mean for AI agents that detect, prioritize, and remediate security issues. Build and maintain the benchmark datasets, scoring methods, and ground truth that the team measures itself against - and keep raising the bar.
• Guide how our agents get better. Dig into where agents fail - false positives and negatives, bad or unsafe fixes, missed exploitability, wrong prioritization - and translate that into concrete improvements to prompts, tools, data, and agent design alongside engineers.
• Be the security ground truth. Bring deep, hands-on AppSec judgment to bear on agent outputs: threat-model the edge cases, label the hard examples, and think adversarially about where an autonomous security agent could be confidently wrong.
• Scope and decompose new features. Assess the security complexity and feasibility of new capabilities we want to build, explain the risks and trade-offs clearly, and help break ambiguous, research-heavy problems into small, shippable deliverables.
• Be our early adopter of experimental AI. Stay on the frontier of models, agent techniques, and tooling. Test what's new, figure out what's real, and bring the useful parts back into the team.
  
  

• Deep, hands-on application security or vulnerability research experience - you understand how vulnerabilities across SAST, SCA, secrets, IaC, and containers are discovered, exploited, and fixed, and you can tell a real finding from a false one.
• The judgment to act as human ground truth: given an agent's finding or fix, you can authoritatively say whether it's correct, and why.
• A measurement mindset - comfort defining metrics, building evaluation datasets, and reasoning rigorously about quality rather than relying on gut feel.
• A real appetite for AI: hands-on experience with LLMs and/or AI agents, prompt engineering, and a willingness to work with experimental, fast-moving tooling without being thrown by it.
• Strong communication - you can explain complex security topics to engineers and PMs, and break big problems into clear, ordered pieces of work.
• Coding literacy: comfortable reading code across languages and scripting (e.g. Python) to build evals and analyze results.
  
  

• Experience building or evaluating LLM/agent systems, or working with eval frameworks.
• Offensive security background - pentesting, exploit development, CTFs.
• Detection engineering / security rule authoring.
• Published research, CVEs, or conference talks.
• Familiarity with ASPM, SAST, or SCA tooling from the building or operating side.