Avalara is seeking a Principal Security Engineer to serve as a technical authority for enterprise security architecture, risk, and governance, with a primary focus on the safe and responsible use of AI across the business, as well as application and cloud risk that spans multiple domains.
The Principal Security Engineer plays a critical part in defining and enforcing security guardrails for internal and enterprise use of AI, including corporate tooling, workflows, and platforms. The role provides independent, senior-level security judgment on complex or high-risk security decisions and acts as a final reviewer and escalation point when enterprise or cross-functional risk is involved.
Operating outside of the engineering organization, this role partners closely with Security, IT, Product, Platform, Legal, Privacy, and Compliance teams, and provides consultative and escalation-based support to Engineering and Product Security teams when requested.
What Your Responsibilities Will Be
AI & Automation-Driven Security
- Design and implement AI-powered security frameworks to enable adaptive, intelligent detection, prevention, and response capabilities across applications, cloud environments, and infrastructure.
- Integrate machine learning and behavior analytics into threat detection pipelines to automate identification of anomalies, insider threats, and unknown attack patterns.
- Lead development of predictive risk scoring engines using contextual telemetry, identity signals, and threat intel to prioritize and automate responses.
- Architect autonomous security workflows using SOAR, LLM agents, and API integrations for a variety of use cases, particularly those considered "AI for Security" use cases within security organizations.
- Prototype use cases for generative AI, such as automated threat summaries, vulnerability triage, security policy generation, and chatbot assistants for security engineering.
AI & Application Security
- Provide principal-level application and AI security guidance to non-engineering teams, including IT, HR, Legal, Finance/Accounting, and other business functions, helping them understand and manage application and AI-related risk.
- Partner with Avalara’s Product Security organization to adopt, support, and reinforce existing secure SDLC standards, tooling, and processes.
- Perform independent risk analysis and threat modeling for applications, platforms, and AI-enabled workflows that fall outside normal Engineering activities or require cross-domain review.
- Serve as an escalation and second-line advisory resource for high-impact application and AI security risks, providing risk-based recommendations.
- Advise on secure design patterns for authentication, authorization, API security, and data protection, aligning recommendations with established practices and technology choices.
- Support security assessments of AI-enabled product and internal features, contributing expertise in LLM threat modeling, abuse-case analysis, and emerging AI-specific risks, in coordination with Product Security and Engineering teams.
Cloud & Platform Security
- Define and review cloud security reference architectures across AWS, Azure, and GCP, with an emphasis on zero-trust principles and identity-driven access controls.
- Partner with platform and infrastructure teams to harden preventive controls against cloud misconfiguration and drift.
- Evaluate cloud security tooling and platforms, including AI-assisted capabilities, to improve visibility, prioritization, and operational efficiency while maintaining auditability and control.
- Serve as an escalation point for complex or high-impact cloud security risks, influencing remediation strategies and risk acceptance decisions.
Enablement & Governance
- Mentor non-engineering teams on AppSec best practices and AI safety principles.
- Define security metrics and dashboards to track effectiveness of AI and AppSec initiatives.
- Contribute to Avalara’s broader AI governance efforts, ensuring responsible and secure use of AI in both platform and enterprise environments.
What You'll Need to be Successful
- Bachelor's degree in Cybersecurity, Computer Science, AI/ML, or a related technical field.
- 10+ years of experience in security engineering, security architecture, or software engineering, with at least 5 years in Application Security. Demonstrable experience applying AI/ML in cybersecurity is preferred.
- Expertise in AppSec tools (Checkmarx, Veracode, Snyk, SonarQube, etc.) and integrating them into modern CI/CD workflows.
- Hands-on experience building or integrating AI/ML pipelines for use in threat detection, anomaly detection, or predictive risk modeling.
- Strong background in secure coding, microservices architecture, and defending APIs, web apps, and serverless environments.
- Proficiency in Python or similar languages for scripting, data processing, and automation.
- Familiarity with LLMs and generative AI platforms (e.g., OpenAI, Claude, Gemini) and their security implications.
- Deep understanding of cloud-native technologies (Kubernetes, containers, serverless) and corresponding security controls, including general cloud security concepts (CSPM, CNAPP).
- Ability to translate complex security and AI concepts to stakeholders across technical and non-technical roles.
Preferred Education or Certifications
- Master’s degree preferred
- Certified Information Systems Security Professional (CISSP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- Certified Cloud Security Professional (CCSP)
- GIAC Cloud Security Automation (GCSA)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Machine Learning & Artificial Intelligence (GMLE) (or equivalent)
Avalara is an AI-first Company
AI is embedded in our workflows, decision-making, and products. Success here requires embracing AI as an essential capability.
You’ll bring experience using AI and AI-related technologies, ready to thrive here.
You’ll apply AI every day to business challenges: improving efficiency, contributing solutions, and driving results for your team, our company, and our customers.
You’ll grow with AI by staying curious about new trends and best practices, and by sharing what you learn so others can benefit too.
How We'll Take Care of You
Total Rewards
In addition to a great compensation package, paid time off, and paid parental leave, many Avalara employees are eligible for bonuses.
Health & Wellness
Benefits vary by location but generally include private medical, life, and disability insurance.
Inclusive culture and diversity
Avalara strongly supports diversity, equity, and inclusion, and is committed to integrating them into our business practices and our organizational culture. We also have a total of 8 employee-run resource groups, each with senior leadership and exec sponsorship.
What You Need To Know About Avalara
We’re defining the relationship between tax and tech.
We’ve already built an industry-leading cloud compliance platform, processing over 54 billion customer API calls and over 6.6 million tax returns a year. Our growth is real: we're a billion-dollar business, and we’re not slowing down until we’ve achieved our mission of being part of every transaction in the world.
We’re bright, innovative, and disruptive, like the orange we love to wear. It captures our quirky spirit and optimistic mindset. It shows off the culture we’ve designed, that empowers our people to win. We’ve been different from day one. Join us, and your career will be too.
We’re An Equal Opportunity Employer
Supporting diversity and inclusion is a cornerstone of our company — we don’t want people to fit into our culture, but to enrich it. All qualified candidates will receive consideration for employment without regard to race, color, creed, religion, age, gender, national origin, disability, sexual orientation, US Veteran status, or any other factor protected by law. If you require any reasonable adjustments during the recruitment process, please let us know.