Job Description - Principal Product Security and Compliance Engineer
Our world is transforming, and PTC is leading the way. Our software brings the physical and digital worlds together, enabling companies to improve operations, create better products, and empower people in all aspects of their business.

Our people make all the difference in our success. Today, we are a global team of nearly 7,000 and our main objective is to create opportunities for our team members to explore, learn, and grow, all while seeing their ideas come to life and celebrating the differences that make us who we are and the work we do possible.

Job Title: Principal Product Security Engineer

Role Overview

The Principal Product Security Engineer is a senior technical leader responsible for safeguarding the security of products and services across the full Software Development Lifecycle (SDLC), with a strong emphasis on hands-on application penetration testing. This role combines deep offensive security expertise with architectural judgment, secure design guidance, and cross-organizational influence.

As a principal-level engineer, you will lead complex application security assessments across web applications, APIs, SaaS platforms, and emerging technologies (including AI-driven solutions), while also shaping product security strategy, standards, and engineering practices. You will work closely with R&D, Product Management, Cloud, SaaS, and QA teams to ensure security is built in, not bolted on.

This role is highly technical, execution-focused, and requires the ability to both find and exploit real-world vulnerabilities and drive durable remediation outcomes across multiple product lines.

Key Responsibilities

Application Penetration Testing & Offensive Security

 * Lead and execute in-depth manual application penetration testing across web applications, APIs, and LLM/AI-enabled applications.
 * Perform security testing aligned with OWASP Top 10, OWASP API Top 10, OWASP LLM/AI Top 10, CWE Top 25, and emerging attack classes.
 * Identify complex attack paths, chained vulnerabilities, and business-logic flaws beyond automated tool findings.
 * Validate exploitability, determine real risk, and distinguish true positives from noise.
 * Conduct secure code reviews to identify implementation flaws and support remediation.
 * Re-test fixes and mitigations to confirm effectiveness and risk reduction.

SDLC, DevSecOps & Tooling

 * Support security integration across the SDLC, including CI/CD pipelines and DevSecOps workflows.
 * Support the use of SAST, DAST, SCA, secrets scanning, and container security tools.
 * Support automation efforts to reduce time-to-detect and time-to-remediate.
 * Partner with R&D teams to mature secure coding standards and shift-left practices.

Research & Continuous Improvement

 * Research evolving threats, attack techniques, and defensive strategies, including AI/LLM security risks.
 * Stay current on emerging security tooling, frameworks, and industry best practices.
 * Continuously improve testing methodologies, reporting quality, and remediation effectiveness.

Required Qualifications

 * Bachelor's degree in Computer Science, Software Engineering, Cybersecurity, or equivalent practical experience.
 * 7+ years of experience in Product Security, Application Security, or Software Security Engineering.
 * Extensive hands-on experience conducting manual application penetration testing.
 * Strong understanding of secure software development lifecycle (SSDLC) principles.
 * Deep knowledge of OWASP Top 10, OWASP API Top 10, OWASP LLM/AI Top 10, CWE, CVSS, and vulnerability prioritization.
 * Proficiency in at least one programming language such as Python, Java, JavaScript/TypeScript, Go, or C/C++.
 * Experience with modern application architectures, APIs, and cloud-based systems.
 * Ability to clearly communicate security findings and remediation guidance to both technical and non-technical stakeholders.
 * Experience integrating security controls into CI/CD pipelines.

Preferred / Nice-to-Have Qualifications

 * Relevant certifications such as OSCP, GWAPT, OSWE, GPEN, CISSP, CSSLP, or CCSP.

Life at PTC is about more than working with today's most cutting-edge technologies to transform the physical world. It's about showing up as you are and working alongside some of today's most talented industry leaders to transform the world around you.

If you share our passion for problem-solving through innovation, you'll likely become just as passionate about the PTC experience as we are. Are you ready to explore your next career move with us?

We respect the privacy rights of individuals and are committed to handling Personal Information responsibly and in accordance with all applicable privacy and data protection laws. Review our Privacy Policy here.