This role has been designed as ‘Hybrid’ with an expectation that you will work on average 2 days per week from an HPE office.
Who We Are:
Hewlett Packard Enterprise is the global edge-to-cloud company advancing the way people live and work. We help companies connect, protect, analyze, and act on their data and applications wherever they live, from edge to cloud, so they can turn insights into outcomes at the speed required to thrive in today’s complex world. Our culture thrives on finding new and better ways to accelerate what’s next. We know varied backgrounds are valued and succeed here. We have the flexibility to manage our work and personal needs. We make bold moves, together, and are a force for good. If you are looking to stretch and grow your career our culture will embrace you. Open up opportunities with HPE.
Job Description:
Within HPE, our Operations, Legal and Admin teams work across the business, providing visible accountability and measurable outcomes. With a variety of roles and responsibilities these teams really connect the dots, giving us the essential insights, support and capability to accelerate our transformation to be the world’s edge to cloud company. Join us redefine what’s next for you.
Summary
The Principal AI Security Engineer is a strategic role responsible for safeguarding the organization’s transition to an autonomous, AI‑driven future. This position combines established application security practices with specialized defensive strategies for generative AI and agent‑based systems. By defining and implementing a comprehensive AI security framework aligned with OWASP Top 10 for LLMs and MITRE ATLAS, the role ensures that innovation in AI is delivered with strong security and safety guarantees.
This role focuses on agentic security and MCP server integrity, securing environments where autonomous agents access and process sensitive data. Through continuous adversarial testing and proactive threat modeling, the Principal AI Security Engineer identifies and mitigates emerging risks such as prompt injection, data poisoning, and model abuse before they can be exploited. Ultimately, this role establishes a security‑as‑code foundation that enables the organization to deploy AI systems with resilience, trustworthiness, and scale.
What you'll do:
Develop an AI risk assessment framework and codify technical guidelines to mitigate LLM bias, hallucinations, and toxic outputs.
Design and secure autonomous AI agents, including RAG architectures, with deep‑dive threat modeling and adversarial testing.
Establish secure authentication, authorization, and audit protocols for AI communication frameworks (e.g., MCP).
Assess and guide the secure adoption of AI capabilities across enterprise applications, focusing on data security, access controls, and model input/output handling.
Automate security gates to verify model provenance, pipeline integrity, and misconfigurations across the ML and software supply chain.
Integrate security practices throughout the SDLC in close partnership with engineering and DevOps teams.
Promote secure coding standards, tooling, automation, and mentor teams through secure development and pipeline practices.
Design, implement, and maintain security controls within CI/CD platforms (GitHub Actions, Jenkins, GitLab, Azure DevOps).
Ensure software integrity through code signing, artifact validation, provenance, SBOM generation, and dependency scanning.
Automate SAST, DAST, SCA, container, and AI‑specific vulnerability scanning in build and release pipelines to detect insecure LLM orchestration patterns.
Identify and remediate misconfigurations, secrets exposure, and access control gaps in CI/CD and pipeline environments.
Design, deploy, and tune WAF rules and API security protections; conduct API risk assessments and promote secure API design patterns.
Perform secure code reviews and expand automated security testing coverage across pipelines and deployed services.
Triage, prioritize, and track vulnerabilities across source code, pipelines, and production services.
Facilitate threat modeling for applications, APIs, delivery pipelines, and AI‑driven features.
Expand security automation for API discovery, secrets detection, and dependency risk management.
Act as a trusted advisor to product, platform, and DevOps teams by translating technical risk into business impact.
Support the Security Champions program.
Partner with SOC and Incident Response teams during software supply chain, pipeline, or AI‑related security incidents.
Leverage AI‑powered security tools to detect anomalies, code risks, and CI/CD misconfigurations.
What you need to bring
Required
10–15+ years of experience in Application Security, Product Security, or Secure Software Development.
Hands‑on experience securing LLMs, AI agents, and MCP servers, with familiarity with OWASP Top 10 for LLM Applications and MITRE ATLAS.
Strong hands‑on experience with CI/CD pipelines and source repositories (GitHub, GitLab, Jenkins, etc.).
Knowledge of software supply chain security frameworks (e.g., SLSA, NIST SSDF), including build integrity, artifact signing (Sigstore, Cosign), and secrets management.
Strong background in WAF tuning, API security, and vulnerability identification and remediation.
Proficiency in at least one programming language (Python, Java, Go, or JavaScript/Node.js).
Experience with automated security testing tools, including SAST, DAST, SCA, and container scanning.
Cloud security experience in AWS, Azure, or GCP environments.
Strong understanding of OWASP Top 10 (Web & API), CWE, and secure coding practices.
Preferred
Experience integrating SBOM generation and software composition analysis (SCA) into CI/CD workflows.
Knowledge of runtime protection and detection tools, including API security platforms, RASP, and container EDR solutions.
Experience with GitOps practices, infrastructure‑as‑code (Terraform, CloudFormation), and policy‑as‑code, including security scanning.
Background in handling software supply chain attacks, including dependency poisoning and compromise incidents.
Relevant security certifications such as OSWE, CSSLP, GPCS, GWEB, or GCSA.
Soft Skills
Excellent communication and the ability to influence developers, DevOps engineers, and leadership.
Strong problem-solving skills with an automation-first mindset.
Collaborative and outcome-oriented, able to balance security with delivery velocity.
#legal&admin
Additional Skills:
What We Can Offer You:
Health & Wellbeing
We strive to provide our team members and their loved ones with a comprehensive suite of benefits that supports their physical, financial and emotional wellbeing.
Personal & Professional Development
We also invest in your career because the better you are, the better we all are. We have specific programs catered to helping you reach any career goals you have — whether you want to become a knowledge expert in your field or apply your skills to another division.
Unconditional Inclusion
We are unconditionally inclusive in the way we work and celebrate individual uniqueness. We know varied backgrounds are valued and succeed here. We have the flexibility to manage our work and personal needs. We make bold moves, together, and are a force for good.
Let's Stay Connected:
Follow @HPECareers on Instagram to see the latest on people, culture and tech at HPE.
Job:
Information TechnologyJob Level:
TCP_06
HPE is an Equal Employment Opportunity/ Veterans/Disabled/LGBT employer. We do not discriminate on the basis of race, gender, or any other protected category, and all decisions we make are made on the basis of qualifications, merit, and business need. Our goal is to be one global team that is representative of our customers, in an inclusive environment where we can continue to innovate and grow together. Please click here: Equal Employment Opportunity.
Hewlett Packard Enterprise is EEO Protected Veteran/ Individual with Disabilities.
HPE will comply with all applicable laws related to employer use of arrest and conviction records, including laws requiring employers to consider for employment qualified applicants with criminal histories.
No Fees Notice & Recruitment Fraud Disclaimer
It has come to HPE’s attention that there has been an increase in recruitment fraud whereby scammer impersonate HPE or HPE-authorized recruiting agencies and offer fake employment opportunities to candidates. These scammers often seek to obtain personal information or money from candidates.
Please note that Hewlett Packard Enterprise (HPE), its direct and indirect subsidiaries and affiliated companies, and its authorized recruitment agencies/vendors will never charge any candidate a registration fee, hiring fee, or any other fee in connection with its recruitment and hiring process. The credentials of any hiring agency that claims to be working with HPE for recruitment of talent should be verified by candidates and candidates shall be solely responsible to conduct such verification. Any candidate/individual who relies on the erroneous representations made by fraudulent employment agencies does so at their own risk, and HPE disclaims liability for any damages or claims that may result from any such communication.