Senior Manager, Application Security Opportunity

Included Health company


Senior Manager, Application Security in United States

Remote 2 hours ago

The Senior Engineering Manager, Application Security leads the teams responsible for Product Security, Vulnerability Management, and Security Assessments. This role is responsible for defining and executing the application security roadmap to protect member data (PHI) within a cloud-native environment, primarily AWS. The manager guides the team in building automated security solutions, maturing the secure SDLC, and partnering with engineering to embed security into the development process. This is a remote role reporting to the Chief Information Security Officer.

Responsibilities

  • Manage, mentor, and grow the Application Security, Vulnerability Management, and Security Assessment teams, fostering a culture of engineering excellence and proactive security ownership.
  • Define and execute the application security roadmap, directly contributing to our top priority of preventing PHI exposure.
  • Serve as a technical leader and mentor, guiding the team's architectural decisions and fostering engineering excellence in languages like Go and Python.
  • Evolve our secure SDLC through the strategic implementation of SAST, DAST, and SCA tooling, focusing on actionable results and a positive developer experience.
  • Champion and guide the strategy for modern access control, including Just-In-Time (JIT) access and other least-privilege initiatives, in partnership with the Cloud Security team.
  • Oversee key security programs including threat modeling, bug bounty, penetration testing, and vulnerability management.
  • Partner with engineering and product leaders to ensure security and privacy are designed into our products from the very beginning.

Qualifications

  • 8+ years of experience in security engineering, with at least 3+ years as a direct people manager leading security teams.
  • A strong track record of building and scaling Application Security programs in cloud-native SaaS environments (AWS strongly preferred).
  • Hands-on-keyboard proficiency in a modern programming language (e.g., Go, Python), with the ability to perform meaningful code reviews and guide technical architecture.
  • Demonstrated success leading vulnerability management programs, from detection through remediation and verification.
  • Deep experience with the tools and processes used to secure the SDLC, including SAST, DAST, SCA, and CI/CD pipeline integration.
  • Proven ability to run effective threat modeling exercises for complex applications and services.
  • Excellent communication skills, with the ability to articulate complex security risks and strategies to both technical and executive audiences.
  • Experience securing platforms in a regulated healthcare environment and deep familiarity with HIPAA and HITRUST controls.
  • Background in running external-facing security programs like bug bounty, responsible disclosure, or customer security reviews.
  • Familiarity with Infrastructure as Code (IaC) principles and tools like Terraform, and an understanding of how they influence application security.
  • Experience navigating compliance frameworks beyond healthcare, such as ISO 27001 or SOC 2.

Physical/Cognitive Requirements

  • Capability to remain seated in a stationary position for prolonged periods.
  • Eye-hand coordination and manual dexterity to operate keyboard, computer and other office-related equipment.
  • Capability to work with leadership, employees, and members in an appropriate manner.

Pay

The United States new hire base salary target ranges for this full-time position are:

Zone A: $188,270 - $265,930 + equity + benefits

Zone B: $207,097 - $292,523 + equity + benefits

Zone C: $225,924 - $319,116 + equity + benefits

Zone D: $244,751 - $345,709 + equity + benefits

This range reflects the minimum and maximum target for new hire salaries for candidates based on their respective Zone. Below is additional information on Included Health's commitment to maintaining transparent and equitable compensation practices across our distinct geographic zones.

Starting base salary for you will depend on several job-related factors, unique to each candidate, which may include education; training; skills; years and depth of experience; certifications and licensure; our needs; internal peer equity; organizational considerations; and understanding of geographic and market data. Compensation structures and ranges are tailored to each zone's unique market conditions to ensure that all employees receive a fair and great compensation package based on their roles and locations. Your Recruiter can share your geographic zone upon inquiry.

Benefits & Perks

In addition to receiving a great compensation package, the compensation package may include, depending on the role, the following and more:

Remote-first culture

401(k) savings plan through Fidelity

Comprehensive medical, vision, and dental coverage through multiple medical plan options (including disability insurance)

Paid Time Off ("PTO") and Discretionary Time Off ("DTO")

12 weeks of 100% Paid Parental leave

Family Building & Compassionate Leave: Fertility coverage, $25,000 for surrogacy/adoption, and paid leave for failed treatments, adoption or pregnancies.

Work-From-Home reimbursement to support team collaboration and home office work

Your recruiter will share more about the salary range and benefits package for your role during the hiring process.

About Included Health

Included Health is a new kind of healthcare company, delivering integrated virtual care and navigation. We’re on a mission to raise the standard of healthcare for everyone. We break down barriers to provide high-quality care for every person in every community — no matter where they are in their health journey or what type of care they need, from acute to chronic, behavioral to physical. We offer our members care guidance, advocacy, and access to personalized virtual and in-person care for everyday and urgent care, primary care, behavioral health, and specialty care. It’s all included. Learn more at includedhealth.com.

Included Health is an Equal Opportunity Employer and considers applicants for employment without regard to race, color, religion, sex, orientation, national origin, age, disability, genetics or any other basis forbidden under federal, state, or local law. Included Health considers all qualified applicants with arrest or conviction records in accordance with the San Francisco Fair Chance Ordinance, the Los Angeles County Fair Chance Ordinance, and California law.