Senior Application Security & DevSecOps Engineer
Mrbeastyoutube · NYC, SF, Chicago or Greenville, NC · Posted Jul 7, 2026
Apply on company site Track it in JobSkout
About Us
Beast Industries is a multifaceted media and entertainment company founded by Jimmy Donaldson, popularly known as MrBeast, the most watched person in the world. Renowned for revolutionizing digital content creation, Beast Industries encompasses a diverse portfolio of ventures that extend far beyond its origins on YouTube. With a mission to entertain, inspire, and create significant social impact, Beast Industries operates across various domains including digital media, philanthropy, consumer products, and innovative business initiatives. At Beast Industries, we believe in the transformative power of digital media and its potential to entertain, educate, and effect positive change. Our commitment to innovation, creativity, and philanthropy drives us to explore new frontiers, create unforgettable experiences, and build a legacy that inspires future generations.
Location: (On-site / Hybrid / Remote – NY, Bay Area, Chicago, Greenville)
Department: Technology
About The Role
This is a hands-on Application Security role, not a generalist security position. As Senior Application Security DevSecOps Engineer , you will own the security of our web and mobile applications and the APIs behind them — finding the vulnerabilities before anyone else does, running our offensive testing and bug bounty programs, and building security into the pipelines that ship our code.
You'll work close to the code. Our stack is heavily automated and developer-centric: a custom DSL layer governs how code reaches production, translating into Kubernetes and Terraform deployment tasks, and our backend leans on Kotlin and Gradle. You should be able to read and reason about production code, write your own tooling, and own the security of the build and release process end to end — not hand the hard parts to DevOps.
If you think like an attacker, are fluent in mobile and API internals, and want to own AppSec for products that millions of people use, this role is for you.
What You'll Do
Application Security (core)
Lead secure code review and threat modeling for web, mobile, and API surfaces, and drive secure-by-design practices with engineering teams.
Own the application vulnerability lifecycle — discovery, triage, severity, remediation guidance, and verification — and partner with engineers on durable fixes, not just findings.
Build internal AppSec tooling and lightweight security libraries that make the secure path the easy path for developers.
Mobile Application Security
Own security for our iOS and Android apps: secure local storage (Keychain / Keystore), certificate pinning, jailbreak/root and tampering detection, anti-reverse-engineering, and secure app-to-API communication.
Assess apps against OWASP MASVS / MASTG, and review third-party SDKs and dependencies for risk.
Perform mobile-focused testing with tooling such as Frida, objection, MobSF, Burp Suite, and static/dynamic RE tools.
Offensive Security Penetration Testing
Run internal penetration tests and red-team-style assessments against our apps, APIs, and supporting services.
Validate and weaponize findings to demonstrate real impact, then drive them to resolution.
Pressure-test authentication, authorization, session handling, and business-logic flows (OAuth/OIDC, GraphQL/REST, IDOR, privilege escalation).
Bug Bounty Program
Own and operate our bug bounty program (e.g., HackerOne / Bugcrowd): scope definition, researcher communication, triage, deduplication, severity, and payout coordination.
Close the loop by feeding bounty findings back into secure code review, threat models, and CI/CD checks so the same class of bug doesn't recur.
Track program health and report on trends, top vulnerability classes, and time-to-fix.
CI/CD Pipeline Security
Own the security posture of our CI/CD pipelines and deployment toolchain, including the custom DSL that translates to Kubernetes and Terraform.
Integrate and tune SAST, DAST, and dependency/SCA scanning (e.g., Semgrep, CodeQL) as meaningful, low-noise gates in GitHub Actions.
Implement secrets scanning, build/release integrity, artifact signing, and supply-chain controls (SBOMs, provenance).
Drive a security-focused cleanup of existing pipelines and automate the manual, one-off deployment steps that exist today.
What You Bring
Required Experience
8+ years focused on Application Security and/or offensive security (penetration testing, exploit development).
Strong software-development skills — you can read, write, and review production code rather than just operating tools. Experience with Kotlin and Gradle (and/or Swift/Android for mobile) is highly relevant to our stack; Python for automation and custom tooling.
Deep mobile application security expertise across iOS and Android: OWASP MASVS/MASTG, cert pinning, secure storage, anti-tampering/RE, and mobile testing tooling (Frida, objection, MobSF, Burp).
Hands-on penetration testing of web apps, mobile apps, and APIs, with the ability to demonstrate real e…