Principal Security Researcher for Spellbook, focused on securing legal AI workflows and sensitive data. Engaging in red teaming, security research, and cross-department collaboration for risk reduction.
Responsibilities
Identify security risks across the company and partner with the relevant teams to reduce them.
Lead active red teaming, application security testing, penetration testing, exploit validation, and adversarial analysis.
Conduct original security research on legal AI, LLM-enabled products, sensitive document workflows, prompt injection, data leakage, model misuse, and tool abuse.
Coordinate third-party penetration tests, red team exercises, audits, and other external security assessments.
Own external vulnerability reports — bug bounty submissions, responsible disclosure reports, researcher communications, triage, validation, prioritization, and remediation tracking.
Drive threat modelling and secure design reviews for new products, features, AI workflows, integrations, and infrastructure changes.
Partner with R&D and Engineering to surface trust boundaries, abuse cases, and data exposure risks early in development.
Support Security Operations during incident response by reproducing vulnerabilities, validating exploits, assessing impact, and recommending remediation.
Engage with frontier AI labs, external researchers, vendors, and the broader security community to stay current on AI safety and security developments.
Publish security research, advisories, technical writeups, blog posts, or conference talks where aligned with company priorities.
Define and improve repeatable processes for security research, testing, vulnerability management, and remediation across Spellbook.
Support with other responsibilities and projects as required.
Requirements
Strong experience in application security, red teaming, penetration testing, vulnerability research, product security, or offensive security.
Hands-on experience testing modern web applications, APIs, authentication flows, authorization models, cloud services, and distributed systems.
Experience developing proof-of-concept exploits or clear technical demonstrations to validate security impact.
Firm grasp of common software security risks, secure design principles, identity and access controls, data protection, and secure development practices.
Experience partnering with engineering, product, or R&D teams to triage, prioritize, and remediate vulnerabilities end-to-end.
Excellent written and verbal communication skills, with the ability to write clear technical reports, executive summaries, remediation guidance, and public-facing research, and to explain trade-offs to engineers, PMs, and leadership.
Strong judgment around responsible disclosure, customer impact, confidentiality, and coordinated communication.
Pragmatic at distinguishing theoretical risk from practical risk, with the instinct to help teams focus on what matters most.
Comfortable operating with ambiguity and moving with urgency across hands-on testing, product security, incident support, and external coordination.
Track record of driving measurable risk reduction in a fast-moving technical environment.
Benefits
Access our company-paid group benefits for you and your family, with $1,000 towards mental health support
Disconnect during our holiday closure and take advantage of our generous time off policies throughout the year
Enjoy monthly paid meals, an annual wellness allowance to support your well-being and parental leave top-ups as your family grows
Secure your stake in our success; you’ll receive competitive stock option grants as a pivotal early employee
Container Security Consultant needed for 12 - month contract with enterprise bank in Toronto. Must have strong container security experience with OpenShift, Docker, Kubernetes.
Technical Program Manager managing security programs aligned with security strategy at Guidewire. Collaborating with various stakeholders to enhance security maturity and efficiency.
Senior IT Architect specialized in Security & Networking infrastructure technologies leading architecture development for technology projects. Collaborating with multiple teams to ensure alignment with strategic objectives.
Director of IT Security leading the cybersecurity strategy for a remote workforce at Directive Consulting. Responsible for risk management, incident response, and compliance initiatives.
Senior Consultant in Cybersecurity for Wavestone managing client - facing engagements and providing strategic advisory services. Leading teams and business development in cybersecurity engagements with top organizations.
Senior Information Security Advisor needed for a 6 - month contract in Scarborough, ON. Provide security advisory, risk assessments, and cloud controls in banking.
Supervisor reporting to the Manager of Parking and Security at Scarborough Health Network hospitals. Responsible for supervising on - duty Security Guards and ensuring customer - focused services.
Security and Compliance Associate at Habitat Learn, an EdTech company focused on accessibility. Supporting compliance and security operations for multiple frameworks in a remote role based in Ontario.
Senior Manager overseeing the Identity & Access Management team for RBC in Global Security. Leading projects, managing operations, and ensuring client - centric service delivery.