Product Security Engineer

Who are we?

Founded in 2014 by Khadim Batti and Vara Kumar, Whatfix is a leading global B2B SaaS provider and the largest pure-play enterprise digital adoption platform (DAP). Whatfix empowers companies to maximize the ROI of their digital investments across the application lifecycle, from ideation to training to the deployment of software. Driving user productivity, ensuring process compliance, and improving user experience of internal and customer-facing applications.

Spearheading the category with serial innovation and unmatched customer-centricity, Whatfix is the only DAP innovating beyond the category, positioning itself as a comprehensive suite for GenAI-powered digital adoption, analytics, and application simulation. Whatfix product suite consists of 3 products - DAP, Product Analytics, and Mirror. This product suite helps businesses accelerate ROI on digital investments by streamlining application deployment across its lifecycle.

Whatfix has seven offices across the US, India, UK, Germany, Singapore, and Australia and a presence across 40+ countries.

Customers: 700+ enterprise customers, including over 80 Fortune 500 companies such as Shell, Microsoft, Schneider Electric, and UPS Supply Chain Solutions.

Investors: Raised a total of ~$270 million. Most recently Series E round of $125 Million led by Warburg Pincus with participation from existing investor SoftBank Vision Fund 2. Other investors include Cisco Investments, Eight Roads Ventures (A division of Fidelity Investments), Dragoneer Investments, Peak XV Partners, and Stellaris Venture Partners.

• With over 45% YoY sustainable annual recurring revenue (ARR) growth, Whatfix is among the “Top 50 Indian Software Companies” as per G2 Best Software Awards.
• Recognized as a “Leader” in the digital adoption platforms (DAP) category for the past 4+ years by leading analyst firms like Gartner, Forrester, IDC, and Everest Group.
• The only vendor recognized as a Customers’ Choice in the 2024 Gartner® Voice of the Customer for Digital Adoption Platforms has once again earned the Customers’ Choice distinction in 2025. We also boast a star rating of 4.6 on G2 Crowd, 4.5 on Gartner Peer Insights, and a high CSAT of 99.8%
• Highest-Ranking DAP on 2023 Deloitte Technology Fast 500™ North America for Fourth Consecutive Year
• Won the Silver for Stevies Employer of the Year 2023 – Computer Software category and also recognized as Great Place to Work 2022-2023
• Only DAP to be among the top 35% companies worldwide in sustainability excellence with EcoVadis Bronze Medal

On the G2 peer review platform, Whatfix has received 77 Leader badges across all market segments, including Small, Medium, and Enterprise, in 2024, among numerous other industry recognitions.

Position Summary:

The Product Security Engineer at Whatfix is responsible for securing applications, cloud services, and infrastructure by embedding security across the Secure Software Development Lifecycle (SSDLC). This role focuses on conducting security assessments, identifying vulnerabilities, and driving remediation in collaboration with engineering teams.

The engineer will perform VAPT, threat modeling, and security architecture reviews while integrating security automation and best practices into development workflows. The role also involves working with product, engineering, GRC teams to ensure compliance with industry standards.

Job Description

• Implement and enforce Secure Software Development Lifecycle (SSDLC) practices across all technology projects to proactively identify and mitigate security risks.
• Conduct VAPT for applications, APIs, and desktop applications, aligned with OWASP Top 10 (Web & API Security).
• Perform AI/LLM security testing based on OWASP Top 10 for LLMs.
• Lead threat modeling (STRIDE) and security architecture reviews, ensuring adherence to CIA and AAA principles.
• Perform secure code reviews and manual/automated security testing to identify vulnerabilities and drive timely remediation in collaboration with engineering teams.
• Develop and maintain CI/CD security pipelines (e.g., Jenkins-based jobs) to integrate security into development workflows.
• Support internal and external audits (ISO 27001, ISO 42001, SOC 2, FedRAMP).
• Collaborate closely with product and engineering teams to drive the product security program objectives.
• Communicate security risks effectively to diverse stakeholders and recommend mitigation strategies.
• Participate in customer and vendor meetings to address security-related clarifications and issues as required.
• Familiarity with Azure infrastructure, including compute, networking, storage, and basic security services

Required Skills:

• Strong knowledge of OWASP Top 10 (Web, API, and LLM Applications) and CWE Top 25.
• Experience in application, API, and microservices security.
• Hands-on experience with SAST, DAST, SCA, and secret scanning tools.
• Familiarity with REST APIs and authentication frameworks (OAuth 2.0, OpenID Connect)
• Experience with DevSecOps practices, CI/CD pipelines (e.g., Jenkins), and Git-based workflows.
• Proficiency in programming languages such as Java or .NET, and scripting (e.g., Python)
• Ability to effectively communicate security risks and drive remediation.
• Strong ability to triage, prioritize, and validate findings from SAST, DAST, SCA, and secret scanning tools.

Good to have:

• Knowledge of containerization and orchestration (Docker, Kubernetes)
• Expertise in threat modeling and secure architecture reviews.
• Strong understanding of Agile and secure development practices.
• Familiarity with security tools such as Checkmarx, Burp Suite, Nuclei and AI penetration testing tools.

Qualifications:

• Qualification Required: Bachelor/Master Degree in either Computer Engineering or Information science
• Preferred certifications: OSCP, CEH, ECSA, or other industry-recognized security certifications.
• Minimum experience: 3 to 7 years of experience in Product Security