Senior Manager, Application Security

QXO

Charlotte, North Carolina

JOB DETAILS
Salary: $140,400–$210,600 per year
Location: Charlotte, North Carolina
Posted: 26 days ago
Overview:

QXO is the fastest-growing publicly traded distributor of building products in North America. The company is executing its strategy to become the tech-enabled leader in the $800 billion building products distribution industry and generate outsized value for its shareholders. QXO expects to achieve its target of $50 billion in annual revenues within the next decade through accretive acquisitions and organic growth.

What you will do:

As a Senior Manager, Application Security at QXO, you’ll lead the security strategy for an AI-first engineering organization. You will embed security into CI/CD pipelines, cloud-native architectures, and agentic AI systems while operating as a hands-on technical leader. In the near term, this role is expected to directly participate in architecture reviews, pipeline integration, and AI system security design while building and scaling a high-performing Application Security function that enables innovation without increasing enterprise risk.

 

  • Define and execute QXO’s DevSecOps and Secure AI engineering strategy aligned to enterprise growth and digital transformation objectives.
  • Embed automated security controls into CI/CD pipelines, including SAST, DAST, SCA, container scanning, secrets detection, SBOM generation, and infrastructure-as-code validation.
  • Design and operationalize secure architecture patterns for APIs, microservices, containers, serverless, and cloud-native applications.
  • Partner with engineering and AI teams to secure agentic AI systems, including LLM integration layers, inference endpoints, vector stores, RAG pipelines, orchestration frameworks, and model-to-tool execution pathways.
  • Define guardrails to mitigate risks such as prompt injection, jailbreaks, context leakage, hallucinated dependencies, insecure agent execution, and privilege escalation via autonomous systems.
  • Ensure AI-generated code and model-integrated features meet secure coding standards and undergo automated validation prior to production deployment.
  • Lead application and AI-system vulnerability management, driving measurable reduction in risk and improved remediation velocity.
  • Strengthen software supply chain security, including SBOM governance and dependency risk management.
  • Build and scale an Application Security / DevSecOps team while fostering a shared security ownership model across engineering.

 

Preferred Player-Coach Experience (Hands-On Early Phase):

  • Direct experience integrating and operating modern AppSec tooling within CI/CD pipelines, including SAST, SCA, container scanning, IaC security, secrets detection, and SBOM generation.
  • Strong hands-on capability with secure coding and code review in languages such as Python, Go, TypeScript, or Java, with the ability to guide engineers through remediation and secure design decisions.
  • Practical experience securing cloud-native architectures across AWS, Azure, or GCP, including building reusable secure patterns and hardened templates.
  • Hands-on work securing AI/LLM systems, including inference endpoints, vector databases, model integration layers, RAG pipelines, and orchestration frameworks (e.g., LangChain, LlamaIndex, or similar).
  • Experience testing and mitigating AI system vulnerabilities such as prompt injection, jailbreaks, context leakage, insecure tool execution, hallucinated dependencies, and model misuse risks.
  • Experience evaluating and governing AI-assisted developer tools (e.g., GitHub Copilot, Claude Code, Factory AI, Codeium) and validating AI-generated code for security and reliability prior to deployment.
  • Familiarity with AI-specific threat modeling methodologies (e.g., STRIDE adaptations for AI systems, MITRE ATLAS) and integrating them into SDLC workflows.
  • Proven ability to stand up new security capabilities from the ground up, including tool selection, pipeline automation, documentation, and developer enablement programs.
  • Demonstrated credibility working closely with engineers, platform teams, architects, ML/data teams, and product owners to embed security into design and sprint planning.
  • Comfort operating as an individual contributor while scaling a team, participating directly in code reviews, pipeline builds, and deep technical reviews.
What you will bring:
  • 8+ years of experience in application security, DevSecOps, cloud security, or secure software engineering.
  • 3+ years of experience leading technical teams in high-velocity engineering environments.
  • Deep expertise in CI/CD automation, pipeline security, and security-as-code implementation.
  • Experience securing cloud-native architectures across AWS, Azure, or GCP environments.
  • Strong understanding of secure coding standards, OWASP Top 10, threat modeling, and modern software supply chain risks.
  • Experience evaluating, governing, or securing AI-assisted development tools and LLM-powered systems.
  • Familiarity with risks unique to AI-enabled systems, including prompt injection, context leakage, model misuse, and autonomous execution control gaps.
  • Ability to partner effectively with senior engineering leadership in a fast-scaling, innovation-driven organization.
  • Relevant certifications such as CISSP, CSSLP, cloud security credentials, or AI governance certifications preferred.
What you will earn:
  • Base pay range: $140,400 - $210,600
  • Annual performance bonus
  • 401(k) with employer match
  • Medical, dental, and vision insurance
  • PTO, company holidays, and parental leave
  • Paid Time Off/Paid Sick Leave: Applicants can expect to accrue 15 days of paid time off during their first year (4.62 hours for every 80 hours worked) and increased accruals after five years of service.
  • Paid training and certifications
  • Legal assistance and identity protection
  • Pet insurance
  • Employee assistance program (EAP)

 

QXO is an Equal Opportunity Employer. We value diversity and do not discriminate on the basis of race, color, religion, sex, national origin, age, disability, or any other protected status. 

Pay Range: USD $140,400.00 - USD $210,600.00 /Yr.
