Application Security Engineer

Heartflow is a medical technology company advancing the diagnosis and management of coronary artery disease, the #1 cause of death worldwide, using cutting-edge technology. The flagship product—an AI-driven, non-invasive cardiac test supported by the ACC/AHA Chest Pain Guidelines called the Heartflow FFR CT Analysis—provides a color-coded, 3D model of a patient’s coronary arteries indicating the impact blockages have on blood flow to the heart. Heartflow is the first AI-driven non-invasive integrated heart care solution across the CCTA pathway that helps clinicians identify stenoses in the coronary arteries (RoadMap™Analysis), assess coronary blood flow (FFR CT Analysis), and characterize and quantify coronary atherosclerosis (Plaque Analysis). Our pipeline of products is growing and so is our team; join us in helping to revolutionize precision heartcare. Heartflow is a publicly traded company (HTFL) that has received international recognition for exceptional strides in healthcare innovation, is supported by medical societies around the world, cleared for use in the US, UK, Europe, Japan and Canada, and has been used for more than 500,000 patients worldwide. We are looking for an Application Security Engineer to work with our engineering team to ensure security is an integral part of our Software Development Lifecycle (SDLC). In this role, you’ll have the chance to use your security and software development background to protect patients as we build products that leverage AI to improve healthcare. If you enjoy working with talented engineers to solve complex technical challenges and want to see your work make a direct difference in patient outcomes, we encourage you to apply. This role is a hybrid, requiring three days a week in our San Francisco office. What You’ll Do: Partner with the engineering team to provide hands-on technical guidance to software developers throughout the vulnerability remediation lifecycle. Perform secure code reviews, validate false positive determinations, coach developers on effective remediation strategies, threat model our products and carry out essential parts of a secure SDLC. Drive vulnerability identification using SAST, DAST, SCA and in-house AI tooling and manage external penetration testing. Support engineering team on vulnerability management, including risk assessment, remediation, improving identification of vulnerabilities and translate security and privacy requirements into technical requirements. Build security awareness through training on secure coding practices, security standards and latest security threats. What You Bring: Security Communication – Ability to reason about risk in complex environments and communicate that risk to technical and non-technical audiences. Experience leading training, speaking internally/externally about security projects valued. Programming Skills – Experience writing and maintaining code in at least one modern programming language and with at least one scripting language (Heartflow uses C++/Python). Comfortable with testing frameworks and CI/CD pipelines. AI Development Tools – Experience using AI code tools such as Claude Code and Github Copilot for development and security testing. Education & Experience – BS in Computer Science (or related degree) or relevant certifications and equivalent experience. 5+ years of total experience with at least 1 year working in Application Security or performing security tasks in a development role. Securing SDLC – Have contributed to secure SDLC activities, including threat modeling, code review, security testing and vulnerability management. Knowledge of Modern AI Security Threats – Experience working with or ability to discuss current AI threats for both machine learning and generative AI. What Helps You Stand Out: Healthcare Experience – Current knowledge of HIPAA, HITRUST and the complexities of working in a regulated environment. Experience with Software as a Medical Device (SaMD) is especially valuable. Infrastructure as Code & Cloud – Familiarity with AWS (or equivalent cloud providers) and configuration tools (Terraform, Chef, Ansible). Experience with containerization (Docker, Kubernetes) and orchestration (GitHub Actions or similar). A reasonable estimate of the base salary compensation range is $145,000 to $180,000 per year, bonus, and equity. #LI-IB1 Heartflow is an Equal Opportunity Employer. We are committed to a work environment that supports, inspires, and respects all individuals and do not discriminate against any employee or applicant because of race, color, religion, marital status, age, national origin, ancestry, physical or mental disability, medical condition, pregnancy, genetic information, gender, sexual orientation, gender identity or expression, veteran status, or any other status protected under federal, state, or local law. This policy applies to every aspect of employment at Heartflow, including recruitment, hiring, training, relocation, promotion, and termination. Positions posted for Heartflow are not intended for or open to third party recruiters / agencies. Submission of any unsolicited resumes for these positions will be considered to be free referrals. Heartflow has become aware of a fraud where unknown entities are posing as Heartflow recruiters in an attempt to obtain personal information from individuals as part of our application or job offer process. Before providing any personal information to outside parties, please verify the following: A) all legitimate Heartflow recruiter email addresses end with “@heartflow.com” and B) the position described is found on our careers site at www.heartflow.com/about/careers/ .

{
  "content_hash": "4223ac966de2da894a197af1f21e1af19ef9e4430a216efab1eae50825415e97",
  "source_hash": "f370864caf33ac499335960640e53e538080d500a3d8e0b21248ba0717d03b79",
  "last_changed_at": "2026-05-29T22:59:57.632Z",
  "active_status": "active"
}

{
  "language": "en",
  "location": {
    "raw": "San Francisco, California",
    "city": "San Francisco",
    "region": "CA",
    "country": "United States",
    "is_remote": false,
    "confidence": 0.85
  },
  "salary_max": 180000,
  "salary_min": 145000,
  "inferred_at": "2026-06-06T07:33:49.018Z",
  "launch_scope": {
    "reason": "english_us_canada",
    "included": true,
    "language": "en",
    "location": {
      "raw": "San Francisco, California",
      "city": "San Francisco",
      "region": "CA",
      "country": "United States",
      "is_remote": false,
      "confidence": 0.85
    },
    "countries": [
      "United States"
    ]
  },
  "remote_policy": "hybrid",
  "salary_period": "year",
  "workplace_type": "hybrid",
  "salary_currency": "USD"
}

{}

{
  "title": "Application Security Engineer",
  "offices": [
    {
      "id": 4065240004,
      "name": "San Francisco",
      "location": null,
      "child_ids": [],
      "parent_id": null
    }
  ],
  "language": "en",
  "location": {
    "name": "San Francisco, California"
  },
  "metadata": [],
  "updated_at": "2026-05-21T14:51:22-04:00",
  "departments": [
    {
      "id": 4026872004,
      "name": "Information Security",
      "child_ids": [],
      "parent_id": 4026866004
    }
  ],
  "company_name": "Heartflow",
  "requisition_id": 5148676004,
  "first_published": "2026-05-04T18:22:45-04:00",
  "application_deadline": null
}