Security Engineer II - Threat Modeling & AI

About the Role

Uber wants to adopt AI in many forms. We want this adoption to be secure. We are hiring a security engineer to red team this surface area, lay out the risks clearly to the people who need to act on them, and drive the resulting changes through to fix.

The role is hands-on. You'll find the issues yourself across the agents and tools. You'll write up findings with status, owner, and residual risk so leadership and TPMs can act on them. The role goes beyond finding issues. You'll partner with engineering teams to land the fixes, and you'll communicate the residual risk to non-engineering audiences in their language. You will need to understand the architecture deeply enough to shape what gets built and push back on designs when needed.

What the Candidate Will Need / Bonus Points

---- What the Candidate Will Do ----

1. Apply OWASP Top 10 for LLM Applications and OWASP Top 10 for Agentic Applications during design reviews.
2. Translate the standards into Uber-specific control requirements, approval conditions, and reference architectures.
3. Use AI to scale your own testing where it makes sense (test harnesses, regression coverage, evaluation automation).
4. Spot patterns of issues and lead the development of controls by discussing with different stakeholders
5. Drive findings through to fix. Partner with the relevant engineering teams to land mitigations. Engage vendors when product-side changes are needed.
6. Communicate risk to non-engineering audiences. TPMs, program owners, and leadership need to understand what the risk is, what Uber covers, and what's left. You write and present in their language.
7. Define the minimum bar for AI guardrail architecture in developer tooling and agentic workflows. Partner with platform and security teams so the bar is enforceable through controls.
8. Standardize vendor and model onboarding. Build reusable artifacts: security requirements, telemetry requirements, default trust tiers, guidance for OSS model hosting.
9. Publish and maintain developer-facing guidance for AI tooling and agents.

---- Basic Qualifications ----

- 2+ years in security engineering (threat modeling or security architecture).

- Strong programming skills (Python, Go, or similar) with the ability to demonstrate them in a coding interview.

- Hands-on offensive security work with reproducible PoCs and clear mitigations.

- Working knowledge of OWASP Top 10 for LLM Applications and OWASP Top 10 for Agentic Applications (2026).

- Good understanding of distributed architectures (microservices, APIs, data warehouses, cloud buckets)

-Experience reading system designs and identifying what's missing or wrong, even when you won't be the one building it.

- Experience driving findings through to fix across engineering teams you don't own.

- Strong written and verbal English.

- Familiarity with MCP-style tool calling and agent integrations.

- Experience with GenAI, LLM, or agentic security testing.

---- Preferred Qualifications ----

- Hands-on testing experience with AI-powered desktop or IDE assistants, with concrete attack paths demonstrated.

- Experience securing no-code agent platforms or third-party agent integrations.

- Experience securing developer tooling, plugin ecosystems, or sandboxed execution environments.

- Experience building policy-as-code, evaluation automation, or security gates for tool onboarding.

- Experience engaging vendors to drive product changes.

- Experience writing standards or reference architectures used across teams.

- Experience synthesizing findings into leadership-ready recommendations (whitepapers, security assessments that drove vendor changes, public talks).

- Security certifications (OSCP, CISSP, etc.) are a plus, but demonstrated AI security depth matters more.

Uber's mission is to reimagine the way the world moves for the better. Here, bold ideas create real-world impact, challenges drive growth, and speed fuelds progress. What moves us, moves the world - let’s move it forward, together.

Offices continue to be central to collaboration and Uber's cultural identity. Unless formally approved to work fully remotely, Uber expects employees to spend at least half of their work time in their assigned office. For certain roles, such as those based at green-light hubs, employees are expected to be in-office for 100% of their time. Please speak with your recruiter to better understand in-office expectations for this role.

*Accommodations may be available based on religious and/or medical conditions, or as required by applicable law. To request an accommodation, please reach out to accommodations@uber.com.