
Pocket FM

Sr. Security Engineer, Product Security

  • Posted 2 hours ago

Job Description

About Us

Pocket FM is a leading audio entertainment platform that brings engaging, serialized fiction to millions of listeners across genres like romance, thriller, fantasy, and more. With over 130 million users globally and strong traction in markets like the US and Europe, we're revolutionizing storytelling through audio.

Our unique model combines free listening with micropayments for premium content, powering strong business growth. In FY25, we reached an ARR of INR 2,000 crore, with over 100,000 hours of content on the platform. We're also at the forefront of innovation, leveraging AI-generated content to scale efficiently.

Role Overview

As a Senior Security Engineer in Product Security, you will play a key hands-on role in championing security throughout the entire product development lifecycle. You will collaborate with engineering, product management, and other stakeholders to identify and mitigate security risks, ensuring our products are built with security and compliance in mind.

Key Responsibilities

Security Testing & Assessments

  • Conduct manual penetration testing across web, mobile (Android/iOS), and API surfaces, including authentication mechanisms, payment and subscription flows, and content delivery pipelines.
  • Participate in security assessments and threat modeling for new and existing products.
  • Perform security-focused code reviews in Python, JavaScript/Node.js, or Java, identifying vulnerabilities such as injection flaws, insecure deserialization, broken access controls, and sensitive data exposure.
  • Leverage AI-assisted testing approaches including LLM-based code auditing, automated payload generation, and AI-augmented threat modeling to increase testing depth and coverage.

Shift-Left Security: SAST, Secrets & Dependencies

  • Own and operate secrets detection across source code repositories using tools like Wiz, Trufflehog, or Gitleaks, covering hardcoded credentials, API keys, tokens, and cloud access keys, and drive remediation with engineering teams.
  • Manage and tune SAST tooling (Wiz, Semgrep, CodeQL) integrated into CI/CD pipelines; reduce false positive noise and work with developers to remediate flagged findings effectively.
  • Run Software Composition Analysis (SCA) to identify vulnerable, outdated, or malicious open-source dependencies; own the pipeline using tools like Wiz, Snyk, OWASP Dependency-Check, or Dependabot.
  • Define and enforce pre-merge security gates for secrets, SAST, and dependency checks across engineering teams.

Secure Development & Engineering

  • Contribute to and execute the product security strategy, aligned with business objectives and industry best practices.
  • Develop and maintain secure coding guidelines and security engineering standards for development teams.
  • Automate repetitive security processes and build internal tools to boost team productivity and visibility.

Collaboration & Culture

  • Actively participate in security awareness initiatives and support developer education on secure coding best practices.
  • Collaborate with product managers to integrate security considerations into the product development lifecycle.
  • Manage and prioritize product security vulnerabilities, working with engineering teams on effective remediation plans.

Monitoring & Reporting

  • Stay current on the latest security threats, vulnerabilities, and attacker techniques; proactively surface and address risks.
  • Develop and maintain security documentation including threat models, security requirements, and incident response runbooks.
  • Contribute to product security metrics and help communicate security posture to relevant stakeholders.
  • Support security incident response activities and provide guidance on mitigation strategies as needed.

What You Will Need

Must-Have

  • 4+ years of hands-on experience in product security, application security, or a closely related field.
  • Proven experience in manual web, mobile, and API penetration testing methodologies.
  • Experience conducting security-focused code reviews and identifying common vulnerability classes (OWASP Top 10, CWE).
  • Hands-on experience with SAST tooling (Semgrep, CodeQL, or similar) and integrating security checks into CI/CD pipelines.
  • Experience with secrets detection tooling (Trufflehog, Gitleaks, or GitHub secret scanning) and driving secrets hygiene programs.
  • Familiarity with SCA / dependency scanning tools (Snyk, OWASP Dependency-Check, Dependabot, or similar).
  • In-depth understanding of secure coding practices and secure SDLC principles.
  • Scripting experience in Python, Bash, or similar for automation and tooling.
  • Strong analytical and problem-solving skills with the ability to manage multiple workstreams.
  • Excellent communication and collaboration skills — ability to work effectively with engineering and product teams.

Strong Advantage

  • Experience with AWS security services (IAM, GuardDuty, WAF, CloudTrail, Security Hub) and/or GCP security (Security Command Center, Cloud Armor, IAM, VPC Service Controls); we operate across both clouds.
  • Mobile security experience: Android and/or iOS app security testing, including reverse engineering, insecure storage, certificate pinning bypass, and DRM/offline flow analysis.
  • Familiarity with AI-assisted security testing and LLM-based code auditing workflows.
  • Experience with or exposure to Bug Bounty / Vulnerability Disclosure Programs.

Certifications (Nice to Have)

  • OSCP or equivalent hands-on offensive security certification.


Job ID: 150038765
