We're looking for a hands-on AI Data Scientist to push the frontier of AI in AppSec. You’ll lead the next wave of AI in AppSec: LLM‑first, agentic, and multi‑agent systems that reason over complex SDLC context and act with confidence. Your mandate is to architect, productionize, and ship intelligence to power OX’s risk detection, prioritization, and auto-remediation, owning the lifecycle from problem framing through A/B rollouts.

Responsibilities:

What You’ll Do

• Invent & Ship: Design and deploy end‑to‑end ML/LLM/Agentic solutions from ideation to production to power and enhance OX’s detection engines, including SAST, SCA, IaC, SBOMs.
• Scale, performance, and data strategy: Create durable memory & retrieval layers (RAG + knowledge graphs) and build robust pipelines (batch/stream) for large, heterogeneous data and context feeds for LLMs and AI Agents.
• Selective traditional deep learning: Apply graph learning, sequence models, and anomaly detection where LLMs aren’t the best fit (e.g., exploitability estimation on dependency graphs, CI/CD drift detection, log anomaly baselines).
• Developer & VibeCoding copilots: Create LLM-powered explainers and guided fixes (secure PR suggestions, policy-as-code generation, misconfig rationales) that speak the developer’s language, and secure developers’ MCPs / VibeCoding workflows (e.g., secure code generation).
• New detection engines: Code Security, OSS Packages/registry trust, detect dependency hijacks/typosquats/protestware, maintainer reputation systems, and enforce provenance (SBOM, attestations, Sigstore/in‑toto, SLSA).
• Evaluation that matters: Define golden sets and task-specific KPIs (precision/recall at fixed alert budgets, developer acceptance rate, time‑to‑signal, cost/scan) and instrument production feedback loops.
• Thought leadership: Share results internally and externally (tech blogs, OSS contributions, talks at AI/AppSec venues) to advance the state of the art.
  
  

Requirements:

What You’ll Bring

• 5+ years in applied ML/Data Science (or 3+ years plus advanced degree), including taking models to production in data/ML-heavy products.
• Track record of shipping LLM‑centric features (planning, tool use, retrieval, evaluation) or agentic/multi‑agent systems into production, ideally in developer or security products.
• Technical depth in ML/LLMs: Comfort across embeddings, transformers/LLMs, prompting strategies, RAG, few‑/fine‑tuning, evaluation at scale.
• Security domain fluency: Practical knowledge of ASPM/AppSec concepts—SAST, SCA, IaC, SBOM, CVEs/OSV, EPSS/CVSS, supply‑chain attacks, CI/CD systems, K8s/cloud basics.
• Product sense: Ability to translate ambiguous security problems into shippable ML roadmaps, ruthlessly prioritizing the metrics that affect developer workflows and risk reduction.
• Communication: Clear writing, crisp experiment design, and the ability to partner with product, research, and engineering stakeholders.