Sr. Security Engineer

ButterflyMX
ButterflyMX

Software Engineering

United States · Remote

Posted on Jul 8, 2026

Our Mission
ButterflyMX is on a mission to empower people to automate property access, operations, and security from a single platform. Our products are installed in more than 20,000+ multifamily, commercial, gated communities, and student-housing properties worldwide, including properties developed, owned, and managed by the most trusted names in real estate. Our features are designed for developers, owners, property managers, and tenants, and our products lower operating costs and improve tenant satisfaction.

Our Solution
Developers and owners no longer need to run building wiring or install in-unit hardware. Property managers can grant building access, revoke permissions, and review entry logs from an online dashboard. Residents can open doors from their smartphones, issue visitor access, and see who is trying to enter the building.

Our Culture & Values
Fantastic people are the key to our success. As a distributed, primarily remote workforce, we’re looking for more intelligent, passionate, collaborative, ai-forward, and down-to-earth individuals to join our growing team. We’re driven by a shared commitment to excellence and innovation, grounded in our core values: We delight our customers, We take ownership, We are a community of collaborators, We speak up, We think big and do small, and We are tenacious.

Role Overview

ButterflyMX is looking for a Senior Security Engineer to join our growing security team. In this role you will drive application security across the full software development lifecycle — from threat modeling and secure code review to penetration testing and vulnerability management. You will build the internal tooling that powers the “defender’s loop” and scales security. You will partner with product teams to embed security into the development lifecycle and ensure reusable secure patterns. You will partner closely with engineering to build security in from the start, while also owning our active testing program to identify and remediate vulnerabilities before adversaries do. You will be the person engineers come to for clear and practical answers. This is an individual contributor role reporting directly to the CISO. You will help shape our security program as an early, senior hire.

Responsibilities

  • Lead application security reviews, threat modeling sessions, and secure code review for new features and significant product changes.

  • Operate and continuously improve SAST, DAST, and SCA tooling; triage and prioritize findings in partnership with engineering teams to harden the codebase.

  • Plan and execute internal penetration tests against web applications, APIs, and mobile clients; coordinate and support third-party assessments.

  • Own the vulnerability management lifecycle from discovery, prioritization, remediation tracking, through to validation.

  • Develop and maintain secure coding standards, developer security guidance, and training materials.

  • Integrate security tooling into CI/CD pipelines and champion shift-left security practices across the SDLC.

  • Investigate security incidents and bug bounty submissions; provide root cause analysis and remediation recommendations.

  • Partner with Product and Engineering on security architecture decisions for new product capabilities.

  • Stay current on emerging threats, CVEs, and attack techniques relevant to our technology stack and support continuous program improvement.

Requirements

  • 5+ years of experience in application security, with hands-on proficiency in both secure development lifecycle practices and offensive testing.

  • Strong understanding of web application and API security fundamentals (OWASP, MITRE, CIS, API-specific attack surfaces).

  • Experience operating SAST/DAST/SCA ASPM tools.

  • Fluency in scripting or development languages (Python, JavaScript, Go, Ruby, or similar) sufficient to review code and write internal tooling.

  • Experience designing and executing penetration tests against modern web and mobile applications.

  • Familiarity with cloud security (AWS preferred, some GCP and OVH) and container/Kubernetes security.

  • Comfortable in a regulated environment (e.g., SOC 2 or similar).

  • Excellent written and verbal communication skills; able to translate technical risk to non-technical stakeholders.

  • Relevant certifications a plus: OSCP, GWAPT, GPEN, CEH, or equivalent.

  • Proven experience with leveraging AI tools in both professional and personal settings. ButterflyMX is an AI-forward organization and the ability to optimize efficiency using AI is crucial in every role. Can you use LLMs to build a threat model (bootstrap from the code, docs, and vulnerability history, entry points, git history, etc. and leverage Shostack’s four questions); to build an isolation layer to run agents safely and verify exploitability matched to the threat model; to partition the search space and leverage SAST scanners or fuzzers; to filter out non-exploitable findings and triage for patch priority; and, to rate the severity based on reachability, attacker control, preconditions, authentication, read vs write, and blast radius.

Benefits

  • Comprehensive Medical, Dental and Vision plans (ButterflyMX covers 80% of the cost) starting day 1

  • 401(k) plan with a match

  • 10 paid holidays, 20 vacation days, 5 sick days, 3 floating holidays

  • Basic Life and Accidental Death and Dismemberment Insurance (ButterflyMX covers 100% of the cost)

  • Short and Long Term Disability (ButterflyMX covers 100% of the cost)

  • Paid Family Leave

  • Employee Assistance Program

  • Quarterly self-care stipends

  • Access to optional benefits including pre-tax flexible healthcare spending accounts (FSA and HSA), Dependent Care FSA, and Commuter Benefits, as well as optional Supplemental Life, AD&D, Hospital Indemnity, Legal, Accident, Critical Illness, Pet, and Personal Liability Insurance

  • And more!

ButterflyMX is an equal opportunity employer and we value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. You must have the authorization to work in the US to become an employee. We strive to create an accessible and inclusive experience for all candidates and employees. If you need reasonable accommodations during the application or the recruiting process, please let our recruiting team know.