Security Engineer II - Threat Modeling & AI

Sec Eng at Uber means building for real-world impact under real-world constraints. As Uber rapidly adopts AI and agentic workflows, we must ensure this evolution is secure by design. We are looking for a hands-on Security Engineer to red team this emerging surface area, identify critical vulnerabilities across agents and tools, and drive the engineering changes necessary to mitigate them.

This role isn't just about finding bugs; it's about navigating the messy reality of high-stakes, fast-moving AI adoption. You will need to move from deep technical architectures to leadership-level risk discussions, often pushing back on designs with imperfect information. If you are a resilient problem-solver who enjoys unblocking teams while maintaining a high security bar, you will thrive here.

What You'll Do

• Red team AI agents and developer tools to identify vulnerabilities, creating reproducible PoCs and clear mitigation paths for engineering teams.
• Translate complex standards like the OWASP Top 10 for LLMs into Uber-specific reference architectures and enforceable security controls.
• Drive findings through to completion by partnering across disciplines-including engineering, legal, and external vendors-to land fixes in a fast-paced environment.
• Scale your security testing by building automated evaluation harnesses and AI-driven regression coverage to keep pace with rapid deployment.
• Communicate residual risk to non-technical stakeholders and leadership, translating technical debt into actionable business decisions.
• Own the security bar for agentic workflows and vendor onboarding, ensuring that guardrails are integrated into the developer experience from day one.

• Senior/Staff seniority in a Security Engineer role, specifically within threat modeling or security architecture.
• Proficiency in Python or Go, with the ability to write modular, high-quality code and pass a technical coding interview.
• Experience performing offensive security testing and identifying architectural gaps in distributed systems (microservices, APIs, or cloud infrastructure).
• Demonstrated knowledge of AI-specific security risks, including OWASP Top 10 for LLM or Agentic Applications.
• Bachelor's degree in Computer Science, a related technical field, or equivalent practical experience.

• Experience securing developer ecosystems, no-code platforms, or sandboxed execution environments.
• Proven track record of influencing cross-functional teams to implement security changes without direct authority.
• Experience building policy-as-code or automated security gates for model and tool onboarding.
• Ability to synthesize complex findings into leadership-ready recommendations that drive strategic business shifts.
• Hands-on experience with MCP-style tool calling and agent integrations.