Security Engineer Resume Guide: AppSec, Cloud Security, and Detection Engineering
Security engineering covers a wide spectrum: application security (AppSec) reviewers and tooling builders, cloud security engineers configuring identity and infrastructure, detection engineers building SIEM rules and threat-hunting tools, red-team operators, and compliance-focused security engineers running SOC 2 / FedRAMP / similar audits. Recruiters look for very different signals depending on the sub-track. This guide covers the major archetypes, the bullets that work for each, and how to position your background when your work spans multiple areas.
The Sub-Tracks
Application security (AppSec)
Reviews code, builds security tooling, runs threat modeling sessions, manages vulnerability programs. Common at: most engineering-mature tech companies, fintechs, AI labs.
Cloud security
Configures and audits cloud-provider security: IAM, network controls, secrets management, compliance frameworks. Common at: companies running on AWS / GCP / Azure at scale, regulated industries.
Detection engineering / Security operations
Builds detections, runs SIEM, threat hunts, owns incident response. Closer to data engineering with security focus. Common at: large tech, financial firms, government.
Red team / offensive security
Penetration testing, red team operations, exploit development. Common at: security-focused consultancies, large tech security teams, government, some financial firms.
Compliance / governance
Runs audit programs (SOC 2, ISO 27001, HIPAA, FedRAMP, PCI), policy engineering, risk management. Common at: enterprise SaaS, regulated industries.
The resume should match the specific archetype you’re targeting. A red-team resume is read very differently from a compliance resume, even though both fall under “security engineer.”
What Recruiters Look For (by Sub-Track)
AppSec signals
- Code review experience: number of PRs reviewed, vulnerability classes caught
- Tooling built: SAST/DAST integrations, custom scanners, secret-detection
- Threat modeling: methodologies (STRIDE, PASTA), specific work products
- OWASP awareness and direct application
- Programming depth: usually Python, Go, or whatever the company’s main stack is
Cloud security signals
- IAM design and audit experience (AWS, GCP, Azure)
- Network security: VPCs, security groups, service-mesh security
- Secrets management: Vault, KMS, secret rotation
- Cloud-provider certifications (AWS Security Specialty, GCP Professional Cloud Security)
Detection engineering signals
- SIEM platform expertise (Splunk, Elastic Security, Chronicle, Sentinel)
- Detection rule authorship and tuning
- Threat hunt outcomes
- EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender)
- Knowledge of MITRE ATT&CK and detection-engineering frameworks
Red team signals
- OSCP / OSEP / CRTO / similar offensive certifications
- Specific engagements: scope, outcomes, methodologies
- CVE acknowledgments, publicly disclosed vulnerabilities
- Tooling built (custom payloads, evasion techniques, internal red-team frameworks)
- HackerOne / Bugcrowd reputation if applicable
Compliance signals
- Specific frameworks owned (SOC 2 Type II, ISO 27001, HIPAA, FedRAMP Moderate/High, PCI DSS)
- Audit cycles led
- Policy authorship
- Risk-assessment program experience
Strong Bullets by Sub-Track
AppSec
“Built and ran the company’s secure-by-default code-review program; reviewed 200+ PRs/quarter, caught 14 high-severity vulnerabilities pre-production over 18 months, established 6 organization-wide secure coding standards now enforced via SAST.”
“Owned the threat-modeling program for the platform organization; led 22 sessions across 8 product teams; identified 3 architecture-level risks that drove redesign of the payment-flow authentication system.”
Cloud security
“Designed and rolled out the company’s cross-account IAM model (147 AWS accounts); reduced direct cross-account access by 89% via per-service identity tokens and just-in-time elevation.”
“Implemented automated remediation for cloud-security findings via Lambda + custom rule engine; reduced average finding-to-remediation time from 14 days to 2 days.”
Detection engineering
“Authored 280+ Sigma-format detections deployed to Elastic Security covering MITRE ATT&CK techniques relevant to the company’s threat model; reduced false-positive rate from 24% to 4% via systematic tuning over 9 months.”
“Led threat hunt that identified a previously undetected lateral-movement campaign across 3 development environments; resulting forensics led to 4 detection rule additions and 2 architectural mitigations.”
Red team
“Led 12+ internal red-team engagements over 18 months; identified 4 path-to-admin issues, 9 segmentation breaches, and 3 critical-severity authentication bypasses.”
“Discovered and disclosed CVE-2024-XXXXX (critical RCE in [open-source product]) via responsible disclosure; affected approximately [N] organizations; coordinated with vendor on patch release.”
Compliance
“Owned the company’s first SOC 2 Type II audit (program design through audit completion, 14 months); achieved unqualified opinion with zero exceptions; report subsequently used in 80+ enterprise sales cycles.”
“Led FedRAMP Moderate authorization for the company’s primary product (24-month effort); coordinated across security, engineering, legal, and external 3PAO; achieved authorization on first submission.”
Tech Stack Patterns
SKILLS (APPSEC)
Application: SAST/DAST, threat modeling (STRIDE, PASTA), OWASP Top 10, secure code review
Cloud: AWS IAM, secrets management, security groups
Languages: Python, Go, basic C/C++
Tooling: Semgrep, CodeQL, Bandit, Trivy, custom static analysis
SKILLS (CLOUD SECURITY)
Cloud: AWS (IAM, GuardDuty, KMS, Security Hub), GCP (IAM, Security Command Center), Azure (basic)
IaC: Terraform, Pulumi, CloudFormation
Languages: Python, Go, Bash
Frameworks: NIST CSF, CIS Benchmarks, AWS Well-Architected Security Pillar
SKILLS (DETECTION ENGINEERING)
SIEM: Splunk, Elastic Security, Chronicle, Microsoft Sentinel
EDR: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint
Frameworks: MITRE ATT&CK, Sigma rule format, threat-informed defense
Languages: Python, KQL, SPL
Tooling: Suricata, Zeek, custom detection-engineering pipelines
SKILLS (RED TEAM)
Offensive: penetration testing, lateral-movement techniques, persistence, AV/EDR evasion
Tooling: Cobalt Strike, Metasploit, custom payloads, Mythic, Sliver
Languages: Python, C/C++, PowerShell, Go
Certifications: OSCP, OSEP, CRTO
SKILLS (COMPLIANCE)
Frameworks: SOC 2 Type II, ISO 27001, HIPAA, FedRAMP, PCI DSS, NIST 800-53
Tooling: Drata, Vanta, AuditBoard
Skills: program management, policy authorship, risk assessment, audit coordination
Sample AppSec Engineer Resume (Mid-Senior)
[Name]
[City, State] | email | LinkedIn | GitHub
EXPERIENCE
GitLab — Senior Application Security Engineer, 2022 – Present
- Built and ran the company's secure-code-review program; reviewed 200+ PRs/quarter; caught 14 high-severity vulnerabilities pre-production over 18 months
- Established 6 organization-wide secure coding standards now enforced via Semgrep custom rules across the entire monorepo
- Led threat-modeling program for the platform organization; 22 sessions across 8 product teams
- Discovered CVE-2024-XXXXX (auth bypass in third-party SDK); coordinated responsible disclosure
Datadog — Application Security Engineer, 2019 – 2022
- Owned vulnerability management for the engineering organization; reduced mean time to remediation for critical findings from 21 days to 4 days
- Built custom secret-scanning pipeline (Python + GitHub Actions) catching 38 leaked secrets pre-production over 12 months
- Co-authored the company's secure software development lifecycle policy; adopted across 14 product teams
Stripe — Security Engineer, 2017 – 2019
- Reviewed 800+ PRs as part of the security review program over 18 months
- Authored internal training materials on secure coding; delivered to 280+ engineers
EDUCATION
University of Washington — B.S. Computer Science, 2017
CERTIFICATIONS
- AWS Certified Security – Specialty (2023)
- OSCP (2020)
SKILLS
Application: SAST/DAST, threat modeling (STRIDE, PASTA), OWASP Top 10, secure code review
Cloud: AWS (IAM, KMS, GuardDuty), GCP (basic)
Languages: Python, Go, basic C/C++
Tooling: Semgrep, CodeQL, Trivy, custom static analysis
Frameworks: NIST CSF, SOC 2 (familiar), ISO 27001 (familiar)
Common Pitfalls
Generic “security engineer” framing
Recruiters can’t tell what you do from “Security Engineer” + generic bullets. Lead with the sub-track. AppSec, cloud, detection, red team, compliance — pick one and frame to it.
Listing every certification
Security has an unusually large certification market. List the substantive ones (OSCP, OSEP or the other OSCE³ components, CISSP, AWS Security Specialty, GCP Professional Cloud Security) and skip lower-tier ones (CompTIA Security+ at senior level, vendor-specific intro certs). Note that the original OSCE was retired and replaced by the OSCE³ set (OSEP, OSWE, OSED); list the current credential you hold.
Missing CVE / disclosure history for offensive tracks
Red-team and offensive-security candidates with public CVE acknowledgments or HackerOne reputation should highlight them. Resumes without these signals look weaker for offensive roles. If your engagements are under NDA, describe scope, methodology, and classes of findings rather than client names, so the bullet still carries signal.
Compliance bullets without specifics
“Worked on SOC 2 compliance” is vague. “Owned SOC 2 Type II audit including readiness assessment, policy authorship, and audit coordination” is signal.
Missing programming depth for AppSec
AppSec engineers need to read and write code. Bullets and Skills should make programming depth visible. Listing only “code review” without underlying programming context reads as weak.
Frequently Asked Questions
What’s the best certification for security engineers?
Depends on track. OSCP is the gold standard for offensive / red team. CISSP is broadly recognized for senior security roles, especially in regulated industries, but it requires five years of paid security experience (four with a qualifying degree), so it is a mid-career credential rather than an entry point. AWS Security Specialty / GCP Professional Cloud Security for cloud security. CISA / CRISC for compliance and audit work. For early-career security engineers, OSCP is the highest-leverage cert; CISSP becomes relevant once you have the experience to qualify.
How important is open-source / public disclosure work?
For offensive security and AppSec, valuable. Public CVE acknowledgments, conference talks, and open-source security tooling distinguish strong candidates. For cloud security and compliance, less central; public work is simply less common in those tracks. Consider your track when deciding how much time to allocate to public-facing work.
How does pay differ across security sub-tracks?
Roughly: red team and offensive security carry a “rare expertise” premium at top-paying firms; cloud security commands strong pay at large tech and fintech; AppSec is solid and sits in the typical engineering-comp range; detection engineering is competitive but lower than the others on average; compliance pay is structured like senior compliance / audit roles outside tech (lower at the top end than IC-engineer roles). Specifics vary heavily by company and seniority.
How do I switch from generic SWE to security engineer?
Build a portfolio of security work: contribute to open-source security tooling, do CTFs (HackTheBox, TryHackMe at minimum), get OSCP if targeting offensive roles, and write security-focused side projects. The generic-SWE-to-security transition is feasible, but your resume must show demonstrable security focus. See our SWE-to-quant-dev guide for a parallel example of how to frame transitions; the pattern is similar.
Can I list HackerOne / Bugcrowd reputation?
Yes if substantial. “Top 100 HackerOne researcher (2024)” or “$50k+ in bug bounties earned across 4 platforms” is signal. Anonymous low-tier participation isn’t worth listing. Public profiles linked from your resume let recruiters verify and add credibility.
See also: Software Engineer Resume Guide 2026 • Quantifying Impact on Engineering Resumes • Skills Section on Engineering Resumes