Senior Product Security Engineer

Open to both Bangalore and Gurugram

About Us

Exotel is a leading provider of AI-powered customer engagement and communication solutions for enterprises. We enable businesses to transform how they connect with customers across omnichannel experiences—voice, messaging, agents, and AI-driven bots.

With over 20 billion conversations annually and the trust of 7,000+ customers globally, Exotel serves enterprises across BFSI, Logistics, Consumer Durables, E-commerce, Healthcare, and Education.

As customer expectations rise across the Middle East, enterprises face increasing pressure to drive revenue growth, optimize operational costs, and deliver superior customer experience (CX)—all while navigating regulatory and scale challenges.

Exotel partners with organizations as a strategic AI transformation enabler, helping them achieve all three outcomes through secure, scalable, and enterprise-grade communication platforms.

About the Role

As our Application Security IV/Lead Engineer, you will be responsible for the security of our apps/services - Web, Mobile, and API-based at Scale. You will be responsible for threat modeling products from the ground up. Implementing and managing security controls at various points of the Secure Software Development Lifecycle, setting up processes and guidelines. The goal is to build Seamless Security. We want you to redefine how developers view security, eliminating friction and improving Security natively. You will work closely with other Security functions, DevOps, Architects and Developers, and QA to build highly reliable and secure products.

What will you do

• Identify novel ways to scale Threat modeling across multiple applications.
• Prepare Secure by Design reference architectures for Developer adoption- Secure Architecture frameworks.
• Lead and own the SSDLC and envision a frictionless experience for Developers in the lifecycle. Own the SAST, DAST, and other Security tools in the lifecycle.
• Work on findings evaluation, prioritization, and fix/mitigate at scale.
• Build the SCA(Software Composition Analysis) map for all the third-party dependency usage at Scale and prioritize vulnerabilities based on EPSS, and CISA KEV.
• Perform Secure Code reviews. A minimum experience of 2+ years is desirable.
• Own the Vulnerability Management with a focus on vulnerability prioritization using EPSS, and CISA KEV.
• Implement Data Security standards and work with Engineering to work on Sensitive Data leakage.
• Implement a robust way to Identify all third-party applications (COTS-Commercial-Off-the-Shelf) used across the ecosystem. Work on providing proactive Security Best practice evaluation and enforcement for all such applications.
• Lead and own the Security Champions program and build/curate developer/qa centric training modules.
• Work with Cloud Security team to improve Web App Firewalls (WAF), prior experience with WAF rule fine-tuning is a plus. Ensure early Identification of intrusion and attacks and implement countermeasures.
• Partner with the SOC team for security Incident Management and Remediation triage with Engineering across the ecosystem.

What are we looking for

• Overall 7+ years of relevant experience.
• Bachelor's degree in Computer Science or a related technical discipline, or equivalent practical experience.
• Understanding of security frameworks and standards like OWASP and NIST, Solid understanding of security protocols, cryptography, authentication, and authorization.
• A prior experience of 4+ years of threat modeling products and prior work on building Secure Architecture is desirable.
• Expertise in 2 or more of the following areas with prior experience in solving at scale: API Security, Web Application Security, Mobile Application Security.
• Prior experience in solving any of OWASP's Top 10 at scale is highly desirable.
• Good understanding of Linux and Windows OS, TCP/IP protocol stack and networking fundamentals, and security principles at all layers of the OSI stack
• Experience with API security, network security, cryptography, PKI, and certificate management.
• Experience in CI/CD Tools Including Git, Jenkins, Ansible, or similar.
• Knowledge and experience in web application security testing, vulnerability assessment, penetration testing, and generating reports using tools like Burp Suite, Paros, AppScan, Wireshark, Nmap, and Nessus.
• Advanced expertise in at least one language, Shell scripting/Python/Go/NodeJS.