Security Engineer ATS Keywords That Pass Tech Screens (2026)
Security Engineering hiring is a different keyword target than backend software engineering, SRE, or generic IT security, and most resume advice flattens the four. Recruiters at companies that hire security engineers at scale — Google, Meta, Stripe, Cloudflare, Datadog, Anthropic, Snowflake, GitHub — configure ATS searches around eight signal classes that don't show up on a generic backend or "cybersecurity" resume: application security (OWASP, SAST/DAST/SCA, threat modeling), offensive security (red team, OSCP, MITRE ATT&CK techniques), defensive security (SOC, SIEM, detection engineering, incident response), identity and access (OAuth 2.1, OIDC, SAML, FIDO2, Zero Trust), cloud security (AWS / GCP / Azure with named services, CSPM, CWPP, IaC scanning), compliance and frameworks (SOC 2, ISO 27001, FedRAMP, NIST CSF 2.0, PCI DSS), programming (Python, Go, Rust at senior+ depth), and AI security (NIST AI RMF, OWASP LLM Top 10, MITRE ATLAS — the 2026 emerging surface). A resume that reads like a SOC analyst with some AppSec exposure, or like a backend engineer with a CISSP, gets filtered out for senior security engineering roles because the keyword density across those eight classes is too low [1][2][5]. This page lists the security keywords that pass screens in 2026, grouped by signal class, with worked rewrites and a counter-list of keywords that backfire when a security engineer leans on them.
Key Takeaways
- Security engineer resumes get scanned for eight signal classes — AppSec, offensive, defensive, IAM, cloud security, compliance, programming, and AI security — and missing density across three or more of them is the most common reason senior candidates get filtered out [1][4][5].
- BLS has a dedicated occupation code for this work: SOC 15-1212 Information Security Analysts, with a May 2024 median annual wage of $124,910, projected 29 percent employment growth from 2024 to 2034 (much faster than average), and roughly 16,000 openings projected per year over the decade [6]. Anchor honest expectations there for general roles, and use levels.fyi for company-specific senior+ comp at top-tier tech companies [7].
- Named techniques beat generic phrases: "MITRE ATT&CK T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), T1556 (Modify Authentication Process)" outperforms "knowledge of attacker techniques" because Greenhouse, Lever, and Ashby all weight the technique IDs and named CWE/CVE references higher than abstract phrasing [1][4][8].
- OWASP fluency is Tier-1: name OWASP Top 10 2021 categories (A01 Broken Access Control through A10 SSRF), ASVS verification levels, SAMM maturity domains, and the OWASP LLM Top 10 (2025) for AI-era roles. These are recruiter-scannable and recruiter-respected [9][10][11].
- Identity is the new perimeter: NIST SP 800-207 Zero Trust Architecture, OAuth 2.1, OIDC, SAML 2.0, FIDO2 / WebAuthn / passkeys are Tier-1 keywords for senior security engineering roles, especially at SaaS and infrastructure companies [12][13].
- "Self-taught only" without a portfolio, "passion for hacking," or "Kali Linux user" without offensive context read junior; senior screens filter against them [5][15].
- Programming depth distinguishes senior security engineers from senior SOC analysts: Python plus a strong Go or Rust mention with a real project — a custom Semgrep rule pack, a Burp extension, a detection-as-code library — reads as senior engineering [5].
- AI security is the 2026 surface: NIST AI RMF (with the GenAI Profile), OWASP LLM Top 10 (2025), and MITRE ATLAS are the canonical references; naming them on a resume in 2026 is a leading-edge signal at frontier-AI and AI-adjacent companies [11][16][17].
How Security ATS Screens Work
Security engineering hiring runs through the same ATS engines as software engineering hiring — Greenhouse, Lever, Workday, Ashby, SmartRecruiters, iCIMS — but the keyword matrix is wider, more layered, and more vocabulary-sensitive than backend hiring. A backend engineer might hit 60% of expected keywords with a strong Java + Kafka + PostgreSQL surface. A security engineer has to hit signal across AppSec, offensive, defensive, IAM, cloud security, compliance, programming, and AI security. Density matters more than depth in any single area, and named standards (NIST SP 800-53, ISO 27001 Annex A, OWASP ASVS L2) and named techniques (MITRE ATT&CK T1190, CWE-89, CVE-YYYY-NNNNN) matter more than category names [1][4][8].
Engine-specific behavior for security hiring:
Greenhouse (Stripe, Notion, Shopify, Robinhood, most Series-B-and-up startups) supports semantic matching, so "shipped SAST coverage" registers as related to "rolled out CodeQL" or "introduced Semgrep gates in CI" [1]. Greenhouse weights experience-bullet keywords higher than skills-section keywords for security roles, so the bullets carry the load. Recruiter-side filters such as "OWASP within last 2 years" or "incident response within last 18 months" return only candidates whose recent role used that surface [1].
Lever (Eventbrite, parts of Lyft, Cruise) emphasizes recency for security roles. Lever recruiters routinely filter on "led security incident within last 2 years" — a candidate who ran point on a Sev-1 incident 3 years ago and has been on a non-on-call team since needs to surface recent defensive work explicitly, even if it is detection engineering or red-team rather than IR [2].
Workday (Disney, Salesforce, Adobe, large-enterprise security hires) is the strictest exact-match parser. Workday filters often require the literal phrase "Security Engineer," "Application Security Engineer," "Product Security Engineer," "Detection Engineer," or "Cloud Security Engineer" in the title block. A candidate titled "Software Engineer" who has been operating as an AppSec engineer for two years gets filtered out unless the resume clarifies the de-facto work [3]. Fix: write the company entry as "Software Engineer (Product Security Pod — primary on-call for AppSec)."
Ashby (Notion, Linear, Ramp, Anthropic, most modern AI-era startups) is the friendliest ATS for nuanced security resumes because its LLM-based scoring reads bullets and infers level from context. A bullet that describes "owned the threat model for the platform-data API, drove the SAML-to-OIDC migration with the identity team, and reduced false-positive rate on the SAST gate from 23% to 6% over 90 days" registers as senior security signal even if the title is ambiguous [4]. Ashby is where SWE-to-Security and SOC-to-Security transitions get the fairest read.
SmartRecruiters (Visa, Atlassian) and iCIMS lean stricter and more exact-match. Both score the title block heavily for security searches and both penalize creative titles ("Defender," "Cyber Engineer") for not matching canonical Security Engineer strings. Taleo (legacy Oracle) is the strictest; write defensively with explicit phrases like "application security," "incident response," "security operations center," "vulnerability management," "identity and access management" [3].
Tier 1 — Application Security
These are the non-negotiables for nearly every modern Application Security or Product Security engineering posting in 2026, across LinkedIn, Built In, and direct careers pages at Stripe, Cloudflare, Datadog, Notion, Linear, GitHub, and Anthropic [5][9][10].
OWASP Top 10 2021 — Always include the literal phrase "OWASP Top 10 2021" plus the categories you've worked on by ID: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Server-Side Request Forgery [9]. Pattern: "drove the org's A01 Broken Access Control remediation across 22 services — shipped attribute-based access control via OPA and closed 38 access-control findings to zero P0 over two quarters."
OWASP ASVS / SAMM — Verification and maturity frameworks. ASVS levels (L1 / L2 / L3) and SAMM business functions (Governance, Design, Implementation, Verification, Operations) read as senior signal [10]. Pattern: "shipped the platform-services portfolio to ASVS L2 across 14 services with documented controls and CI-enforced gates; drove SAMM verification-domain maturity from 1.5 to 2.5 over 18 months."
SAST — CodeQL / Semgrep / SonarQube. Pattern: "rolled out CodeQL across 320 repos with custom queries for the team's authorization patterns; shipped Semgrep CI gates with a 64-rule custom pack mapped to OWASP Top 10 categories; drove SonarQube quality-gate enforcement on the Java monorepo with security-hotspot triage SLAs." Naming rule packs and custom-rule authorship is senior signal.
DAST — Burp Suite / OWASP ZAP / Nuclei. Pattern: "owned Burp Suite Enterprise covering 22 production-equivalent staging targets with weekly authenticated crawls; wrote 18 Burp extensions and Nuclei templates for the platform's auth-quirk patterns; ran ZAP in CI for the API surface with baseline + active-scan modes."
SCA / dependency security — Snyk / Dependabot / Renovate / OSV-Scanner. Pattern: "owned the org's Snyk posture across 320 repos with severity-driven SLA tracking; drove Dependabot adoption across the JavaScript and Python monorepos with auto-merge gates on patch versions and policy-driven minor/major review."
Threat modeling — STRIDE / PASTA / attack trees. Pattern: "led 14 STRIDE threat models for the platform-data architecture with documented mitigations tracked through implementation; drove the org's threat-modeling cadence (per-major-feature) using OWASP Threat Dragon for documented diagrams and traceability" [9].
Fuzzing — libFuzzer / AFL++ / OSS-Fuzz / cargo-fuzz. Pattern: "shipped 12 libFuzzer harnesses for the platform's protocol-parsing surface with OSS-Fuzz integration; wrote cargo-fuzz harnesses for the Rust crypto crate with regression-corpus tracking."
Secure code review. Pattern: "led 60+ formal security reviews per quarter across the platform-services portfolio — drove the org's pre-launch security-review cadence into the standard product-launch checklist."
Tier 1 — Offensive Security
Offensive security fluency is Tier-1 for red team, pentest, and senior product security roles. The expectation in 2026 is named MITRE ATT&CK techniques, named tooling, and demonstrable hands-on output [5][8][15].
MITRE ATT&CK — Default attacker-technique taxonomy. Reference techniques by ID: T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), T1566 (Phishing), T1556 (Modify Authentication Process), T1098 (Account Manipulation), T1110 (Brute Force), T1003 (OS Credential Dumping). Pattern: "authored 47 detection rules in Sigma DSL mapped to MITRE ATT&CK techniques T1078 / T1190 / T1556 — reduced false-positive rate from 23% to 6% over 90 days through corpus-driven tuning" [8]. Naming techniques by ID is a Tier-1 senior signal. The MITRE Common Weakness Enumeration (CWE) is the matching weakness vocabulary for code and design flaws: name CWE-89 (SQL Injection), CWE-79 (Cross-site Scripting), CWE-918 (SSRF), CWE-639 (Authorization Bypass Through User-Controlled Key, i.e. IDOR), CWE-611 (XXE), CWE-416 (Use After Free) by ID [8].
Penetration testing — internal / external / web / mobile / cloud / AD. Pattern: "led 14 internal penetration tests across the platform-services portfolio over 12 months; owned the Active Directory pentest cadence using BloodHound for attack-path analysis and Impacket for SMB / Kerberos abuse scenarios."
Red team / purple team. Pattern: "drove the platform's first internal red-team engagement (5 operators, 6-week scope, 3 named objectives) with 22 documented findings and validated detection coverage gaps; ran the quarterly purple-team cadence pairing detection engineers with red-team operators against the top 14 attack scenarios."
OSCP / OSWE / CRTP / GPEN / GXPN — Hands-on offensive certifications [15]. Pattern: "OSCP and OSWE — applied OSWE methodology to the platform's API authorization review surfacing 4 IDOR patterns across the user-services tier." OSCP and OSWE are recruiter-recognized; CRTP for AD-specific work. Vendor cert dumping without an applied-context bullet reads junior.
Exploit development — buffer overflow / use-after-free / heap / kernel. Pattern: "developed a working PoC for CVE-YYYY-NNNNN affecting the platform's binary-protocol parser; contributed 2 advisories to vendor disclosure programs for use-after-free vulnerabilities (CWE-416) in third-party native dependencies."
C2 frameworks — Cobalt Strike / Sliver / Mythic / Metasploit. Pattern: "operated Sliver in the internal red-team estate with custom HTTP-listener profiles; ran Cobalt Strike-based engagements with named objectives across the platform's perimeter."
Bug bounty — HackerOne / Bugcrowd. Pattern: "earned 14 valid bounties across HackerOne programs covering authorization, IDOR, and SSRF classes." Don't list a HackerOne reputation score without naming the volume and class of findings.
Tier 1 — Defensive Security and Detection Engineering
Defensive security fluency is Tier-1 for SOC, detection engineering, incident response, and platform-security roles. The vocabulary is sourced from NIST SP 800-61 (Rev. 2, Computer Security Incident Handling Guide; Rev. 3, published in 2025, recasts it as a CSF 2.0 Community Profile) and MITRE ATT&CK [14][8].
SIEM — Splunk / Sentinel / Chronicle / Elastic / Panther. Pattern: "owned Splunk Enterprise Security across 22 sourcetypes with 60+ correlation searches mapped to MITRE ATT&CK; ran Microsoft Sentinel with KQL-based detections for the M365 / Entra surface; operated Panther with detection-as-code in Python with peer-reviewed PRs for every new rule."
EDR — CrowdStrike / SentinelOne / Microsoft Defender / Carbon Black. Pattern: "operated CrowdStrike Falcon across the org's 320-host fleet with custom IOA rules and ATT&CK-mapped behavioral telemetry; wrote 22 SentinelOne STAR rules for the platform's bespoke developer-laptop posture."
Detection engineering — Sigma / KQL / SPL / detection-as-code — Senior detection signal. Pattern: "authored 47 detection rules in Sigma DSL with a peer-review CI gate that converts each rule with pySigma and unit-tests it with pytest against a labelled event corpus; mapped 100% of rules to MITRE ATT&CK techniques; owned the Splunk SPL detection corpus across 22 sourcetypes with version-controlled detection-as-code and unit-test coverage on the alert-firing surface" [8].
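What a bullet like the one above actually points at is code, so here is a worked example of detection-as-code in the Sigma style: rules as data carrying ATT&CK tags, a matcher run over sample events, a CI-style lint that fails any rule without a technique mapping, and the false-positive calculation that "corpus-driven tuning" drives down. This is an added example, not code from the page or from any Sigma project; the events, hostnames, user names and analyst labels are constructed, and Sigma is reduced to the subset used here (exact match, the |contains modifier, and the condition "selection and not filter").

```python
"""Detection-as-code in the Sigma style: rules as data, a small matcher,
an ATT&CK-coverage lint, and a false-positive check over sample events.

Added example, not code from the original page. Events, hostnames and
user names are constructed; Sigma is reduced to the subset used here
(exact match, the |contains modifier, and 'selection and not filter')."""
import re
from dataclasses import dataclass, field

# Sigma tags attack.tNNNN / attack.tNNNN.NNN carry the ATT&CK technique ID.
ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")


@dataclass
class Rule:
    title: str
    tags: list
    selection: dict                         # "field" or "field|contains" -> value(s)
    filter: dict = field(default_factory=dict)

    def techniques(self):
        """ATT&CK technique IDs declared in this rule's tags."""
        return sorted(m.group(1).upper() for t in self.tags
                      if (m := ATTACK_TAG.match(t)))


def _clause_matches(clause, event):
    """All field conditions in a Sigma map clause must hold (AND semantics)."""
    for key, expected in clause.items():
        fname, _, modifier = key.partition("|")
        value = event.get(fname)
        if value is None:
            return False
        wanted = expected if isinstance(expected, list) else [expected]
        haystack = str(value).lower()
        if modifier == "contains":
            ok = any(str(w).lower() in haystack for w in wanted)
        elif modifier == "":
            ok = any(str(w).lower() == haystack for w in wanted)
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if not ok:
            return False
    return True


def matches(rule, event):
    """Sigma condition 'selection and not filter'."""
    if not _clause_matches(rule.selection, event):
        return False
    return not (rule.filter and _clause_matches(rule.filter, event))


def run(rules, events):
    """Rule title -> indices of the events that fire it."""
    return {r.title: [i for i, e in enumerate(events) if matches(r, e)]
            for r in rules}


def lint_attack_mapping(rules):
    """CI gate: return titles of rules that carry no ATT&CK technique tag."""
    return [r.title for r in rules if not r.techniques()]


def coverage(rules):
    """Distinct ATT&CK technique IDs the rule set claims to cover."""
    return sorted({t for r in rules for t in r.techniques()})


def false_positive_rate(results, true_positive_idx):
    """Share of firings that analysts labelled benign; the number tuning drives down."""
    hits = [i for idxs in results.values() for i in idxs]
    return 0.0 if not hits else sum(i not in true_positive_idx for i in hits) / len(hits)


RULES = [
    Rule("T1059.001 encoded PowerShell",
         ["attack.execution", "attack.t1059.001"],
         {"EventID": 4688, "Image|contains": "powershell.exe",
          "CommandLine|contains": ["-enc", "-encodedcommand"]}),
    Rule("T1190 IIS worker spawning a shell",
         ["attack.initial_access", "attack.t1190"],
         {"EventID": 4688, "ParentImage|contains": "w3wp.exe",
          "Image|contains": ["cmd.exe", "powershell.exe"]}),
    Rule("T1078 service-account interactive logon",
         ["attack.persistence", "attack.t1078"],
         {"EventID": 4624, "LogonType": 10, "TargetUserName|contains": "svc_"},
         filter={"Computer": ["JUMP01", "JUMP02"]}),   # known jump hosts: expected
]

# Constructed Windows-style events (not real telemetry).
EVENTS = [
    {"EventID": 4688, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "Computer": "JUMP01"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice", "Computer": "WS42"},
]
# Analyst labels after triage: the FS01 service logon turned out to be a backup job.
LABELLED_TRUE_POSITIVES = {0, 1}

if __name__ == "__main__":
    assert not lint_attack_mapping(RULES), "every rule needs an ATT&CK tag"
    results = run(RULES, EVENTS)
    for title, idxs in results.items():
        print(f"{title}: fired on events {idxs}")
    print("coverage:", coverage(RULES))
    print(f"false-positive rate: {false_positive_rate(results, LABELLED_TRUE_POSITIVES):.0%}")
```

On this corpus the T1078 rule fires on the FS01 logon that analysts later labelled benign, so the measured false-positive rate is one in three; the tuning step the bullet describes would be to extend the filter (or add a baseline of expected service-account hosts) and re-run the same test in CI, which is what makes the "23% to 6%" claim verifiable rather than anecdotal.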
Incident response — NIST SP 800-61 [14]. Pattern: "drove 14 Sev-1 incidents as incident commander across 18 months following the NIST SP 800-61 Rev. 2 lifecycle (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity); introduced ICS-style incident command (IC, scribe, comms, security lead) for the platform team." Rev. 3 (2025) reorganizes the guidance around the CSF 2.0 functions, so name the revision you actually worked to.
Threat hunting. Pattern: "ran 12 named threat hunts per quarter across the platform's auth-surface and lateral-movement scenarios — surfaced 4 latent misconfigurations and 2 unattributed credential-stuffing campaigns; owned the hunting backlog with TTP-driven hypotheses tied to MITRE ATT&CK technique coverage."
Forensics — Volatility / Velociraptor / KAPE / FTK. Pattern: "ran Velociraptor across the org's 320-host estate for fleet-wide IR data collection with named hunts for credential-access and lateral-movement patterns; wrote Volatility 3 plugins for the bespoke Linux memory-acquisition workflow."
SOAR — Tines / Torq / Cortex XSOAR. Pattern: "owned 22 SOAR playbooks in Tines automating the L1 triage surface — reduced mean-time-to-acknowledgement from 14 minutes to 90 seconds across the alert backlog."
CISA KEV / CVE / vulnerability management. Pattern: "drove the platform's CISA Known Exploited Vulnerabilities remediation cadence with 100% closure within the BOD 22-01 timelines across 22 services; owned the per-severity remediation SLA enforcement on internal tickets" [18].
MITRE D3FEND — Defensive-technique taxonomy. Naming D3FEND tactics (Detect, Isolate, Evict) and techniques by ID, for example D3-NTA Network Traffic Analysis, D3-NI Network Isolation, D3-CE Credential Eviction, reads as senior detection-engineering signal in 2026 [8].
Tier 1 — Identity and Access Management
Identity is the new perimeter [12]. IAM fluency is Tier-1 for senior security roles at SaaS, infrastructure, and cloud-native companies, and weighted heavily by recruiters at identity-aware companies (Okta, Auth0, Ping Identity, Cloudflare, AWS) and at every infra team running multi-tenant workloads [12][13].
Zero Trust — NIST SP 800-207 [12]. Pattern: "designed and implemented the platform's Zero Trust posture per NIST SP 800-207 — replaced legacy VPN with Cloudflare Access for 320 employees and per-service mTLS via service mesh; drove the BeyondCorp-style migration with device-posture, identity-aware proxies, and continuous-evaluation enforcement."
OAuth 2.1 / OIDC [13]. Pattern: "owned the platform's OAuth 2.1 / OIDC posture across 60+ internal services — migrated 22 legacy OAuth 2.0 implicit-flow clients to authorization code with PKCE, as OAuth 2.1 and the OAuth 2.0 Security Best Current Practice (RFC 9700) require; implemented OIDC federation with Okta as the IdP and per-service JWT validation with JWKS rotation." Note that OAuth 2.1 itself is an IETF draft that consolidates RFC 6749, RFC 6750, RFC 7636 (PKCE) and the Security BCP; cite the BCP as the normative reference.
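The implicit-to-PKCE migration in that pattern is worth being able to explain in an interview, so here is a worked example of what PKCE (RFC 7636) actually does: the client generates a code_verifier, sends only its S256 transform on the front channel, and must present the verifier at the token endpoint, which is why a code intercepted on the redirect is useless to anyone else. This is an added example, not code from the page or from any OAuth library; the in-memory AuthorizationServer and the client ID "app-123" are constructed stand-ins for a real authorization server and SDK.

```python
"""PKCE (RFC 7636), mandatory for the authorization-code flow in OAuth 2.1:
the client binds its authorization request to a secret it never sends on
the front channel, so an intercepted code cannot be redeemed without it.

Added example, not code from the original page. The in-memory
AuthorizationServer and the client ID are constructed stand-ins for a
real AS and SDK."""
import base64
import hashlib
import hmac
import secrets

# RFC 7636 section 4.1: code_verifier uses only unreserved URI characters.
UNRESERVED = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
              "0123456789-._~")


def b64url(data: bytes) -> str:
    """base64url without '=' padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    if not 43 <= length <= 128:
        raise ValueError("RFC 7636: code_verifier must be 43..128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal AS: stores the challenge with the issued code, checks it at /token."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, code_challenge, code_challenge_method):
        # OAuth 2.1 requires PKCE; 'plain' is refused so a leaked challenge is useless.
        if code_challenge_method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)          # codes are single-use
        if entry is None:
            return None
        issued_to, stored_challenge = entry
        if issued_to != client_id:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


CLIENT_ID = "app-123"   # constructed


def legitimate_exchange(authz: AuthorizationServer) -> bool:
    verifier = make_code_verifier()
    code = authz.authorize(CLIENT_ID, make_code_challenge(verifier), "S256")
    return authz.token(CLIENT_ID, code, verifier) is not None


def intercepted_code_exchange(authz: AuthorizationServer) -> bool:
    """Attacker captured the code on the redirect but not the verifier: must fail."""
    verifier = make_code_verifier()
    code = authz.authorize(CLIENT_ID, make_code_challenge(verifier), "S256")
    return authz.token(CLIENT_ID, code, make_code_verifier()) is None


def replayed_code_exchange(authz: AuthorizationServer) -> bool:
    """A code that was already redeemed cannot be redeemed again."""
    verifier = make_code_verifier()
    code = authz.authorize(CLIENT_ID, make_code_challenge(verifier), "S256")
    first = authz.token(CLIENT_ID, code, verifier)
    second = authz.token(CLIENT_ID, code, verifier)
    return first is not None and second is None


if __name__ == "__main__":
    print("legit:", legitimate_exchange(AuthorizationServer()))
    print("intercepted code rejected:", intercepted_code_exchange(AuthorizationServer()))
    print("replay rejected:", replayed_code_exchange(AuthorizationServer()))
```

The contrast with the implicit flow is the point: implicit returned the access token itself in the redirect fragment, so there was nothing comparable to the verifier to bind; authorization code with PKCE moves the token to the back channel and ties the code to a client-held secret. Real servers additionally bind the code to the registered redirect URI and expire it within minutes, which this stand-in omits.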
SAML 2.0 / SSO — Enterprise federation. Pattern: "operated SAML 2.0 federation with Okta for 60+ internal services; audited the platform's SAML signature-validation behavior against XSW (XML Signature Wrapping) attacks and enforced canonical SAML response validation."
FIDO2 / WebAuthn / passkeys — Phishing-resistant authentication. Pattern: "shipped passkey support for the 14M-user consumer surface using WebAuthn discoverable credentials (formerly called resident keys); drove the org's YubiKey 5 + WebAuthn rollout for all employees with phishing-resistant MFA enforcement."
MFA / TOTP / push-based auth — Authentication factors. Pattern: "migrated TOTP-based MFA to FIDO2 / WebAuthn for the high-risk admin surface, closing 4 known phishing-bypass paths in the legacy push-based flow."
SCIM / lifecycle automation — Pattern: "owned SCIM 2.0 provisioning across 22 SaaS targets — drove the joiner / mover / leaver automation cadence reducing manual provisioning from 3 days to 14 minutes."
Authorization — RBAC / ABAC / ReBAC / OPA / Cedar. Pattern: "designed the platform's attribute-based authorization model with OPA Gatekeeper at the cluster boundary and OPA embedded in the API gateway — replaced 22 hand-rolled RBAC implementations with a unified policy decision point; implemented Google Zanzibar-style relationship-based access control via SpiceDB for the tenant-scoped collaboration surface."
Secrets management — HashiCorp Vault / AWS Secrets Manager / 1Password / Doppler. Pattern: "owned the platform's HashiCorp Vault estate across 4 environments with dynamic-secret generation for the database tier and PKI-as-a-service for the internal CA; drove the migration from .env-based secrets to Vault-backed dynamic credentials across 22 services."
Tier 1 — Cloud Security (with Service Specificity)
Naming the cloud isn't enough; senior security screens want service specificity, including security-specific services. The pattern is platform + 4–6 named security services per platform [5][9].
AWS Security — Services worth naming: GuardDuty, Security Hub, Inspector, Macie, Detective, IAM Access Analyzer, IAM Identity Center, Config, CloudTrail, KMS, Secrets Manager, WAF, Shield, Network Firewall, VPC Flow Logs, Organizations, Control Tower, SCPs (Service Control Policies). Pattern: "operated multi-account AWS security posture spanning GuardDuty, Security Hub (CIS / PCI / NIST 800-53 standards enabled), Config, CloudTrail with org-wide trails, IAM Access Analyzer, and SCPs governing 14 Organizational Units across AWS Organizations and Control Tower."
GCP Security — Services: Security Command Center, Cloud Armor, Cloud KMS, IAM Conditions, VPC Service Controls, Binary Authorization, Workload Identity Federation, Chronicle, BeyondCorp Enterprise. Pattern: "ran Security Command Center Enterprise across 3 GCP projects with VPC Service Controls perimeters around the data tier and Binary Authorization gates on production GKE clusters."
Azure Security — Services: Defender for Cloud, Defender for Endpoint, Sentinel, Entra ID (formerly Azure AD), Conditional Access, Azure Key Vault, Azure Policy, Privileged Identity Management (PIM), Application Gateway WAF. Pattern: "operated Defender for Cloud across 6 subscriptions with Secure Score-driven remediation, Sentinel as the org's primary SIEM, and PIM-gated production access for 60+ engineers."
CSPM / CWPP / CNAPP — Cloud-security platforms (Wiz, Prisma Cloud, Orca, Lacework). Pattern: "operated Wiz across the org's multi-cloud estate with custom queries for the platform's network-egress posture and Toxic Combination remediation."
IaC scanning — Checkov / tfsec / Trivy / KICS — Pre-deploy security. Pattern: "shipped Checkov in CI across the platform's Terraform monorepo (180+ modules) with 64-rule custom policy pack mapped to CIS AWS Foundations Benchmark."
Container security — Trivy / Grype / Aqua / Sysdig / Falco — Pattern: "owned Trivy in CI with severity-driven gates and SBOM emission for the platform's 320-image registry; operated Falco runtime monitoring across the 14-cluster Kubernetes fleet with custom rules for crypto-miner detection and post-exploitation behaviors."
Cloudflare — Edge security. Pattern: "deployed Cloudflare WAF custom rule sets for the platform's API surface and operated Cloudflare Zero Trust (Access + Tunnel + Gateway) for the team's SSH and internal-services posture."
Tier 1 — Compliance and Frameworks
Compliance fluency is Tier-1 for senior security engineering, especially at companies pursuing enterprise sales (SOC 2, ISO 27001), public-sector contracts (FedRAMP, FISMA), or regulated workloads (PCI DSS, HIPAA, GDPR).
NIST CSF 2.0 — Cybersecurity Framework, expanded in 2024 to include the Govern function alongside Identify, Protect, Detect, Respond, and Recover. Pattern: "drove the platform's NIST CSF 2.0 alignment across the six functions with documented Profiles for the current and target state, including the new Govern-function rollout (Risk Management Strategy, Cybersecurity Supply Chain Risk Management program)."
NIST SP 800-53 — Federal security controls catalog. Pattern: "implemented NIST SP 800-53 Rev. 5 Moderate baseline controls for the FedRAMP-aligned tenant — drove documented control narratives across the AC, AU, CM, and IR control families."
NIST SSDF (SP 800-218) — Secure Software Development Framework. Pattern: "drove the platform's SSDF alignment with documented practices across PO, PS, PW, and RV — referenced in the SBOM-attestation pipeline and the EO 14028 self-attestation submission."
SOC 2 Type II — Service-organization audit. Pattern: "owned the platform's SOC 2 Type II audit cycle across the five Trust Services Criteria for 3 consecutive annual cycles with zero qualified findings; drove evidence collection with Vanta / Drata integrations for continuous-monitoring readiness."
ISO 27001 / 27017 / 27018 — International security standards. Pattern: "drove the org's ISO 27001:2022 certification with the 93-control Annex A surface and the documented ISMS cadence — extended with ISO 27017 for cloud and ISO 27018 for PII-in-cloud handling."
FedRAMP / FISMA — U.S. federal authorization. Pattern: "drove the platform's FedRAMP Moderate ATO preparation with the NIST 800-53 Rev. 5 Moderate baseline, the SSP (System Security Plan), and the 3PAO audit cycle."
PCI DSS 4.0 — Card-payment data security. Pattern: "owned the platform's PCI DSS 4.0.1 scope across the 12 Requirements with annual ROC attestation through a QSA; drove the migration from 3.2.1 (retired March 2024) to 4.0 using the Customized Approach for the tokenization tier."
HIPAA / GDPR / DPF — Healthcare and privacy regulations. Pattern: "owned the platform's GDPR Article 32 technical-and-organizational-measures documentation and DSR (Data Subject Request) automation across 22 internal data systems; implemented EU-US Data Privacy Framework controls for transatlantic data flows; drove HIPAA Security Rule alignment with documented Administrative, Physical, and Technical Safeguards."
Tier 1 — Systems Programming for Security Engineers
Senior security engineering roles in 2026 expect production code, not just shell glue or YAML. The Tier-1 languages for security engineers are Python, Go, and Rust, in roughly that order of demand for AppSec and detection engineering, with C / C++ for low-level offensive work [5].
Python — Default security-tooling language. Patterns: "wrote 22 internal security tools in Python (FastAPI for the security-platform API, asyncio for the parallel scanning surface)," "owned the platform's Python-based detection-as-code framework with pytest coverage." Python alone is too generic for senior security roles; pair with named frameworks and context beyond shell scripting. One caution: Burp Suite extensions are written in Java against the Montoya API (the legacy Jython path is deprecated), so list Burp extension work under Java rather than claiming it as Python.
Go — Senior infrastructure-security language. Patterns: "wrote 4 Kubernetes admission webhooks in Go using controller-runtime for pod-security and image-provenance gates," "shipped Go-based CSPM scanner with cloud-API integrations across AWS and GCP," "owned the Go-based runtime-security agent (~40K lines) deployed across the platform's 320-host fleet."
Rust — Growing as memory-safe security language. Patterns: "ported the platform's PII-redaction sidecar from Go to Rust for predictable tail-latency," "wrote a Rust-based BPF tool for syscall-tracing," "contributed to the rustls TLS library for the platform's mTLS posture." Memory safety is a Tier-1 industry trend in 2024–2026, and Rust fluency reads as forward-leaning senior signal.
C / C++ — Low-level offensive and exploit development. Pattern: "developed working PoC in C for CVE-YYYY-NNNNN; contributed advisories for use-after-free vulnerabilities (CWE-416)." C / C++ on the resume should be paired with named exploit-class work or kernel-level offensive context; without that, it reads as legacy.
Bash / shell / PowerShell — Specificity matters: "Bash with strict error handling (set -euo pipefail) and ShellCheck-clean scripts" reads as senior; "Bash scripting" alone reads as junior. Avoid "POSIX-compliant Bash": Bash is a superset of POSIX sh, and pipefail only entered the POSIX standard in its 2024 edition. PowerShell with named modules (PSReadLine, Microsoft.Graph, Az) and named offensive context (PowerSploit, Empire in red-team-only contexts) reads as senior in Windows-heavy security work.
SQL — Database security and data-exfil-detection fluency. Pattern: "wrote SQL hunting queries against the org's central data-warehouse audit tables surfacing anomalous access patterns; tuned production query plans for the platform's auth-audit table cutting p99 read latency from 280ms to 35ms."
Tier 1 — AI Security (Emerging 2026 Surface)
AI security is the leading-edge surface in 2026 — frontier-AI labs, AI-adjacent SaaS, and any company shipping LLM features now hire for it explicitly. The canonical references are the NIST AI Risk Management Framework, the OWASP Top 10 for LLM Applications, and MITRE ATLAS [16][11][17].
NIST AI RMF (AI 100-1) plus Generative AI Profile (AI 600-1) — Risk management framework with the GenAI Profile released July 2024 [16]. Pattern: "drove the platform's NIST AI RMF alignment across the four core functions (Govern, Map, Measure, Manage) with the Generative AI Profile applied to the org's customer-facing LLM features — documented risk-mapping for the profile's 12 GenAI-specific risks, including Confabulation (its term for hallucination), Data Privacy, Information Security (where prompt injection sits), and Dangerous, Violent, or Hateful Content." Use the profile's own risk names; paraphrases such as "hallucination" are not what a recruiter searches for.
OWASP LLM Top 10 (2025) — LLM application security risks [11]. Reference categories by ID: LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM03 Supply Chain, LLM04 Data and Model Poisoning, LLM05 Improper Output Handling, LLM06 Excessive Agency, LLM07 System Prompt Leakage, LLM08 Vector and Embedding Weaknesses, LLM09 Misinformation, LLM10 Unbounded Consumption. Pattern: "drove the platform's LLM01 Prompt Injection defenses across the customer-facing chat surface — implemented input-classifier guardrails, output filtering, and constrained-tool-use patterns mapped to OWASP LLM Top 10 2025."
MITRE ATLAS — Adversarial Threat Landscape for AI Systems [17]. Pattern: "ran 14 ATLAS-mapped adversarial exercises against the platform's classification and embedding models — surfaced 4 model-extraction patterns and 2 evasion patterns documented in the org's AI-security runbook." MITRE ATLAS techniques (AML.T0051 LLM Prompt Injection, AML.T0024 Exfiltration via ML Inference API, AML.T0031 Erode ML Model Integrity) read as Tier-1 senior signal in AI-adjacent roles; check IDs against the current ATLAS matrix before listing them, since a wrong ID is worse than none.
Red-teaming LLMs / model evals / jailbreaks — Patterns: "led the org's first internal red-team engagement against the platform's customer-facing LLM with named objectives and 22 documented findings spanning prompt injection, system-prompt leakage, and tool-use abuse," "owned the platform's continuous LLM evaluation harness with seeded adversarial prompts and per-release regression scoring."
AI governance — EU AI Act / ISO 42001 / SOC 2 + AI — Emerging compliance surface. Patterns: "drove the platform's EU AI Act readiness for the high-risk AI system classification," "led the org's ISO 42001 (AI Management System) gap assessment with documented AI lifecycle controls."
Counter-List — Keywords That Backfire on Security Engineer Resumes
This is the part most security resume advice misses. Security engineering resumes can be sunk by anti-keywords that signal junior framing, hobbyist orientation, or career-mismatch problems [5][15].
"Passion for hacking" / "ethical hacker" — Anti-keyword for senior roles. "Hacker" framing reads junior to recruiters at staff-level security teams; senior screens want "security engineer," "application security engineer," "red team operator," "detection engineer." Replace with named outcomes.
"Self-taught only" without a portfolio — Self-taught is fine when paired with verifiable output: a published Burp extension, a public Semgrep rule pack, a CVE credit, a HackerOne reputation, an OSCP. "Self-taught" alone reads as unvetted.
"Kali Linux user" / "familiar with Metasploit" — Naming the distro or the tool without naming the work reads junior. Replace with the engagement context: "Operated Sliver C2 across 6-week internal red-team engagement against named objectives."
"Security awareness training delivered" on an engineering-track resume — Awareness training is a security-program function, not a security-engineering function. Surfacing it on a senior security-engineering resume reads as career-mismatched unless contextualized as part of SAMM verification-domain work.
"CISSP-only" without engineering output — CISSP is a respected breadth credential, but without paired hands-on output (a SAST rollout, a detection corpus, an IR-led incident, a threat-modeling cadence), CISSP alone reads as management-track. Pair with named technical work or omit from the headline.
"Passionate about security" — Generic-passion phrasing reads as filler on senior resumes; specificity beats sentiment. Replace with named security work and metrics.
"Helped the team" / "Assisted with" — Anti-ownership verbs. Senior security resumes work in implicit-ownership voice. Replace with "Co-led the SAML-to-OIDC migration with the identity team across 60 internal services."
"Familiar with" / "Exposure to" / "Worked alongside" — Distance-creating phrasings. "Familiar with OWASP Top 10" reads as junior even from a 5-year backend engineer. Either name the work specifically or omit the surface.
Long tools list (30+ items) — Security resumes that include a 40-item flat Tools section trigger spam-detection on Greenhouse and Ashby and read as resume-stuffing [1][4]. Group by category and put depth in experience bullets.
Worked Examples — Security Engineer Keywords in Experience Bullets
Example 1 — Detection engineering and incident response
Before (C-grade): Wrote security policies and helped during incidents.
After (A-grade): Authored 47 detection rules in Sigma DSL mapped to MITRE ATT&CK techniques T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), and T1556 (Modify Authentication Process) — reduced false-positive rate from 23% to 6% over 90 days through corpus-driven tuning. Drove 14 Sev-1 incidents as incident commander across 18 months following the NIST SP 800-61 lifecycle, authored 22 blameless postmortems, and introduced sustainable-on-call policy capping interrupts at <2 per shift via SLO-driven alerting.
Keywords hit: Detection rules, Sigma DSL, MITRE ATT&CK, T1078, T1190, T1556, false-positive rate, Sev-1, incident commander, NIST SP 800-61, blameless postmortems.
Example 2 — Application security and SAST
Before: Worked with developers on secure coding.
After: Rolled out CodeQL across 320 repos in the platform org with 18 custom queries for the team's authorization patterns — closed 38 P0 / P1 findings to zero across 22 services in 4 months. Shipped Semgrep CI gates with a 64-rule custom pack mapped to OWASP Top 10 2021 categories A01, A03, and A07, and drove the org's ASVS L2 attainment across the platform-services portfolio with documented controls and PR-blocking gates.
Keywords hit: CodeQL, custom queries, authorization, Semgrep, OWASP Top 10 2021, A01, A03, A07, ASVS L2.
Example 3 — IAM and Zero Trust
Before: Set up SSO for the company.
After: Designed and implemented the platform's Zero Trust posture per NIST SP 800-207 — replaced legacy VPN with Cloudflare Access for 320 employees and per-service mTLS via service mesh, migrated 22 legacy OAuth 2.0 implicit-flow clients to authorization-code-with-PKCE per the OAuth 2.1 BCP, and shipped passkey support (FIDO2 / WebAuthn) for the org's hardware-security-key rollout with phishing-resistant MFA enforcement.
Keywords hit: Zero Trust, NIST SP 800-207, Cloudflare Access, mTLS, OAuth 2.1, PKCE, FIDO2, WebAuthn, phishing-resistant MFA.
Example 4 — Cloud security and CSPM
Before: Used AWS security services.
After: Operated multi-account AWS security posture spanning GuardDuty, Security Hub (CIS / PCI / NIST 800-53 standards enabled), Config, CloudTrail with org-wide trails to a centralized log archive, IAM Access Analyzer, and SCPs governing 14 Organizational Units across AWS Organizations and Control Tower. Owned Wiz across the org's multi-cloud estate with custom queries for the platform's network-egress posture and Toxic Combination remediation. Shipped Checkov in CI across the platform's Terraform monorepo (180+ modules) with 64-rule custom policy pack mapped to CIS AWS Foundations Benchmark.
Keywords hit: AWS, GuardDuty, Security Hub, CloudTrail, IAM Access Analyzer, SCPs, Organizations, Control Tower, Wiz, multi-cloud, Checkov, Terraform, CIS Foundations.
Example 5 — Offensive security and red team
Before: Did some penetration testing.
After: Led 14 internal penetration tests across the platform-services portfolio over 12 months, including the org's first internal red-team engagement (5 operators, 6-week scope, 3 named objectives). Surfaced 6 IDOR patterns (CWE-639) across the user-services API tier through manual code review and Burp-driven authorization fuzzing. Operated Sliver C2 with custom HTTP-listener profiles and ran the quarterly purple-team cadence pairing detection engineers with red-team operators against the platform's top 14 attack scenarios mapped to MITRE ATT&CK.
Keywords hit: Penetration tests, red team, IDOR, CWE-639, Burp, authorization fuzzing, Sliver, purple team, MITRE ATT&CK.
Example 6 — AI security and LLM red-teaming
Before: Worked on AI safety.
After: Drove the platform's NIST AI RMF (AI 100-1) alignment with the Generative AI Profile applied to the customer-facing LLM features — documented risk mapping for the 12 GenAI-specific risks across the four core functions (Govern, Map, Measure, Manage). Led the org's first internal red-team engagement against the platform's LLM with named objectives and 22 documented findings spanning OWASP LLM Top 10 2025 categories (LLM01 Prompt Injection, LLM07 System Prompt Leakage, LLM06 Excessive Agency) mapped to MITRE ATLAS techniques AML.T0051 and AML.T0048.
Keywords hit: NIST AI RMF, Generative AI Profile, LLM red team, OWASP LLM Top 10 2025, LLM01, LLM07, LLM06, MITRE ATLAS, AML.T0051, AML.T0048.
Density and Placement Rules for Security Engineers
- Professional Summary: Pack 8–10 Tier-1 security keywords across the eight signal classes. Example: "Senior Security Engineer with 7 years operating product-security and detection-engineering programs — owned OWASP Top 10 remediation across 22 services, NIST SP 800-207 Zero Trust rollout for the platform, and the SOC 2 Type II audit cycle. Strengths: Python and Go, AWS security (GuardDuty, Security Hub, IAM Access Analyzer), detection engineering (Sigma, Splunk SPL, MITRE ATT&CK mapping), incident command (NIST SP 800-61), and AI security (NIST AI RMF, OWASP LLM Top 10)."
- Skills section: Group by category, never flat. Recommended 6–8 categories, 30–48 items total: Application Security (OWASP Top 10, ASVS, SAMM, CodeQL, Semgrep, Burp), Offensive (MITRE ATT&CK, OSCP, OSWE, Burp, Sliver, BloodHound), Defensive (Splunk, Sigma, KQL, CrowdStrike, NIST 800-61), IAM (NIST 800-207, OAuth 2.1, OIDC, SAML, FIDO2, OPA), Cloud Security (AWS GuardDuty/Security Hub/IAM, GCP SCC, Wiz, Checkov, Falco), Compliance (NIST CSF 2.0, SP 800-53, SOC 2, ISO 27001, PCI DSS, FedRAMP), Programming (Python, Go, Rust, Bash, SQL), AI Security (NIST AI RMF, OWASP LLM Top 10, MITRE ATLAS).
- Experience bullets: Each recent bullet should pair an action verb with a quantified outcome. Aim for 1–2 Tier-1 security keywords per bullet, embedded naturally. Don't repeat the same keyword across more than 2–3 bullets. Reference standards by ID, not abstract names: "OWASP Top 10 2021 A01" rather than "broken access control issues."
- Pick depth over breadth on cloud security: Strong AWS security surface plus a credible GCP or Azure mention beats shallow surface across all three. Recruiters at AWS-shop companies prefer deep AWS security coverage over wide-cloud-with-no-depth.
- Surface incident-response status explicitly: "Primary on-call (24-month tenure)," "Incident commander on 14 Sev-1 incidents," "Detection-engineering rotation across 4 SOC analysts" — name your relationship to production security explicitly.
Density rule of thumb for security: Tier-1 AppSec / offensive / defensive / IAM / cloud-security / compliance / programming / AI-security keywords each appear 3–5 times across the resume. Total Tier-1 keyword surface: roughly 50–70 distinct terms across a senior security resume, embedded in bullets, not flattened in a Skills dump.
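As an added illustration of the Skills-section grouping and the density rule of thumb above, here is a small keyword-density check in Python. It is not a tool from this page or from any ATS vendor (Greenhouse, Ashby and the others do not publish their scoring), so the thresholds it applies are the page's own: three to five mentions per signal class, and three or more thin classes as the likely filter trigger. The eight class names and the term lists are a constructed subset of the page's Tier-1 keywords, and both sample resumes are constructed for the demonstration.

```python
"""Keyword-density check for a security engineer resume.

Added example, not code from the page or from any ATS vendor. Thresholds
follow the page's rule of thumb (each signal class mentioned 3-5 times) and
its takeaway that missing density across three or more classes is the common
reason senior candidates get filtered. Term lists are a constructed subset
of the page's Tier-1 keywords.
"""
import re
from collections import Counter

# Constructed subset of the page's Tier-1 keywords, grouped by signal class.
SIGNAL_CLASSES = {
    "appsec": ["OWASP Top 10", "ASVS", "SAMM", "CodeQL", "Semgrep", "Burp", "SAST", "DAST"],
    "offensive": ["MITRE ATT&CK", "OSCP", "OSWE", "red team", "Sliver", "BloodHound", "penetration test"],
    "defensive": ["Sigma", "Splunk", "KQL", "CrowdStrike", "NIST SP 800-61", "incident commander", "detection rule"],
    "iam": ["NIST SP 800-207", "OAuth 2.1", "OIDC", "SAML", "FIDO2", "WebAuthn", "Zero Trust", "PKCE"],
    "cloud": ["GuardDuty", "Security Hub", "IAM Access Analyzer", "SCPs", "Wiz", "Checkov", "Terraform", "Control Tower"],
    "compliance": ["NIST CSF 2.0", "SP 800-53", "SOC 2", "ISO 27001", "PCI DSS", "FedRAMP"],
    "programming": ["Python", "Go", "Rust", "Bash", "SQL"],
    "ai_security": ["NIST AI RMF", "OWASP LLM Top 10", "MITRE ATLAS", "prompt injection"],
}


def _norm(text: str) -> str:
    # Hyphens become spaces on both the term and the resume side, so that
    # "red-team" and "red team" (or "800-61" and "800 61") count as the same term.
    return text.replace("-", " ")


def _pattern(term: str) -> re.Pattern:
    # Acronyms and short names (<= 4 chars: "Go", "SAML", "Burp", "SCPs") are matched
    # case-sensitively so "Go" does not fire on the verb "go"; longer terms are
    # case-insensitive. The optional trailing "s" catches plurals such as
    # "penetration tests" and "detection rules".
    flags = 0 if len(term) <= 4 else re.IGNORECASE
    return re.compile(r"(?<!\w)" + re.escape(_norm(term)) + r"s?(?!\w)", flags)


def term_counts(resume_text: str) -> dict:
    """Occurrences of each Tier-1 term, grouped by signal class."""
    text = _norm(resume_text)
    counts = {}
    for cls, terms in SIGNAL_CLASSES.items():
        hits = Counter()
        for term in terms:
            n = len(_pattern(term).findall(text))
            if n:
                hits[term] = n
        counts[cls] = hits
    return counts


def density_report(resume_text: str, min_mentions: int = 3, max_mentions: int = 5,
                   filter_threshold: int = 3) -> dict:
    """Apply the density rule: flag thin classes, over-repeated terms and likely filtering."""
    counts = term_counts(resume_text)
    per_class = {cls: sum(hits.values()) for cls, hits in counts.items()}
    thin = [cls for cls, total in per_class.items() if total < min_mentions]
    # A single term repeated more than max_mentions times reads as stuffing.
    overstuffed = [(cls, term) for cls, hits in counts.items()
                   for term, n in hits.items() if n > max_mentions]
    return {
        "per_class": per_class,
        "distinct_terms": sum(len(hits) for hits in counts.values()),
        "thin_classes": thin,
        "overstuffed": overstuffed,
        "likely_filtered": len(thin) >= filter_threshold,
    }


# Constructed sample: the "SOC analyst with some AppSec exposure" anti-pattern.
WEAK_RESUME = """Security Analyst. Triaged alerts in Splunk and closed tickets. Familiar with OWASP Top 10.
Helped the team during incidents. Wrote security policies. Exposure to AWS security services."""

# Constructed sample modelled on the A-grade bullets above (not a real resume).
STRONG_RESUME = """Senior Security Engineer. Python and Go tooling for detection engineering.
Authored 47 detection rules in Sigma mapped to MITRE ATT&CK techniques; incident commander on 14 Sev-1 incidents per NIST SP 800-61.
Rolled out CodeQL and Semgrep with rules mapped to OWASP Top 10 2021; drove ASVS L2 attainment.
Designed Zero Trust posture per NIST SP 800-207; migrated OAuth 2.1 clients to PKCE; shipped FIDO2 / WebAuthn passkeys.
Operated GuardDuty, Security Hub, IAM Access Analyzer and SCPs; shipped Checkov across the Terraform monorepo.
Led 14 penetration tests and the first internal red-team engagement with MITRE ATT&CK mapped scenarios.
Owned the SOC 2 Type II audit cycle and NIST CSF 2.0 alignment.
Drove NIST AI RMF alignment and an LLM red-team exercise mapped to OWASP LLM Top 10 and MITRE ATLAS."""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_RESUME), ("strong", STRONG_RESUME)):
        print(label, density_report(text))
```

Run against the constructed samples, the weak resume is thin in all eight classes (it names no cloud service, no framework ID and no language, exactly the anti-patterns listed above), while the strong one is thin only in compliance and programming, which is the kind of gap a summary line or a grouped Skills section closes. The matcher is deliberately crude string matching, which is also roughly what a recruiter's ATS search does: internal jargon that does not use the canonical term gets no credit.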
Anti-Patterns That Fail Security Screens
- The "SOC analyst with some AppSec exposure" resume: 80% alert-triage and ticket-closure work, 20% AppSec mention. Reads as L1/L2 SOC, not as senior security engineer. Senior+ security screens filter against this aggressively when the role is product-security or detection engineering [5].
- No incident-response evidence: "Worked on security team for 3 years" without naming pager, rotation, incident response, or NIST SP 800-61 lifecycle. Reads as did-not-actually-respond-to-incidents. Recruiters cross-check at interview, and the gap shows fast.
- Cloud-without-services: "AWS, GCP, Azure security" in a bullet without naming any specific service. Reads as resume-stuffing. Specificity is the senior signal — name GuardDuty, Security Hub, IAM Access Analyzer, SCPs at minimum [1].
- Tools dump: 40-item flat Skills section. Triggers Greenhouse and Ashby spam-detection [1][4]. Group by category and put depth in experience bullets.
- "Familiar with" / "exposure to": Distance-creating phrasings. Senior security work is owned, not glanced at.
- No standards / framework mention: A Senior+ security resume that doesn't name OWASP Top 10, NIST CSF 2.0, NIST SP 800-53, MITRE ATT&CK, ISO 27001, or SOC 2 reads as senior-without-framework-fluency, which is rare and suspect at staff-level roles.
- OWASP / MITRE vocabulary missing: A security resume without OWASP Top 10 categories or MITRE ATT&CK technique IDs reads as not-fluent-in-security-canon. The OWASP and MITRE vocabulary is Tier-1 keyword surface [8][9].
- Title inflation: Calling a generalist IT-security role "Application Security Engineer" when the actual scope was vulnerability-management-and-policy-writing. Senior interviewers cross-check on threat-modeling cadence, SAST rollouts, and CVE-disclosure handling — and the inflation surfaces fast.
FAQ
I'm a SOC analyst applying to security engineering roles — how do I write this resume?
Surface every engineering-adjacent thing you've done from SOC work, framed in security-engineering-resume vocabulary. Detection-engineering contributions (even one Sigma rule), SOAR-playbook authorship, runbook ownership, threat-hunting work, post-incident automation, scripting (Python / KQL / SPL), and any code you've shipped. The OWASP Top 10 2021, NIST SP 800-61, MITRE ATT&CK, and the OWASP LLM Top 10 are the canonical references for the vocabulary you should mirror [9][14][8][11]. Then run the resume through Jobscan or Resume Worded against a Security Engineer JD; aim for 70%+ match by reframing bullets to mirror the JD's engineering phrasing rather than the SOC-ticketing phrasing.
Should I list every CVE I've touched on a security engineer resume?
No. List CVEs where you have meaningful named output: a credit on the CVE record, a published advisory, a working PoC, or a remediation you led across the org. Listing 22 CVE IDs without context reads as resume-stuffing and gets probed at interview ("Walk me through CVE-YYYY-NNNNN — what was the root cause, the exploit chain, and your remediation?"). The honest pattern is 3–6 named CVEs with a sentence of context each, plus a brief "additional remediation" line if you've handled but not led more.
How do I handle a "Cybersecurity Analyst" title when applying to Security Engineer roles?
Most modern security recruiters read "Cybersecurity Analyst" as overlapping with but distinct from Security Engineer: Analyst emphasizes alert-triage, GRC support, and policy work; Engineer emphasizes code, system design, and ownership of security systems. If your Analyst work has been alert-triage with no engineering output, frame the resume around any engineering-adjacent surface honestly — Sigma rules authored, Python tooling shipped, SOAR playbooks built, threat models led — and let the engineering work carry the bullets. If your Analyst work was effectively engineering (detection-as-code authorship, incident-automation development), use the resume bullets to make that explicit and consider a one-line subtitle in the role: "Cybersecurity Analyst (detection engineering, Python tooling, primary on-call)." Strict-match Workday and Taleo screens will weight the title; Ashby and Greenhouse will read the bullets [3][4].
How do I show incident-response experience without overstating it?
Name the rotation structure, the team-pool size, the duration, and your role (incident commander, scribe, comms, security lead, subject-matter expert). Pattern: "Secondary on-call (4-engineer pool, 2-week rotation) for 14 months on the platform-security team — incident commander on 4 Sev-1 incidents and security-lead on 8 cross-team responses." If your IR has been incident-participation rather than rostered IC, frame it that way: "Participated in 18 incident responses as the application-security subject-matter expert across 12 months, including 4 as incident commander." Either is valid; faking primary-IC status when you were not lead fails interview.
Do I need to use MITRE ATT&CK technique IDs even if my company didn't formally map to them?
Yes, mostly. The MITRE ATT&CK vocabulary (T1078 Valid Accounts, T1190 Exploit Public-Facing Application, T1556 Modify Authentication Process) is the canonical detection-engineering keyword surface that recruiters scan for [8]. Even if your company called these things by different names internally — "lateral-movement detection," "auth-abuse signals," "exploitation patterns" — translate the internal vocabulary to the canonical ATT&CK technique IDs on your resume. The recruiter scan will miss the internal jargon. Senior interviewers will accept the translation when you can name both the canonical technique and the internal practice.
What about salary data for security engineering roles?
The Bureau of Labor Statistics tracks Information Security Analysts under SOC 15-1212 with a May 2024 median annual wage of $124,910, projected 29 percent employment growth from 2024 to 2034 (much faster than average), and roughly 16,000 openings projected per year over the decade [6]. The BLS figure is broad — it averages across regions, seniority levels, and company sizes. levels.fyi tracks Security Engineer / Application Security Engineer / Detection Engineer compensation separately at named companies (Google, Meta, Stripe, Cloudflare, Datadog, Anthropic) and reports total compensation above the BLS figure at senior+ levels at top-tier infrastructure-heavy tech companies [7]. For honest salary expectations, anchor on BLS for general roles and on levels.fyi by company and level for top-tier comp.
How many years of experience do I need to claim "Staff Security Engineer" titles?
The honest range is 7+ years of sustained security engineering work, with at least 3 years of leading cross-team programs (a SAST rollout across the org, a Zero Trust migration, an IR overhaul, a SOC 2 / ISO 27001 audit cycle), ownership of a security framework (NIST CSF 2.0, OWASP SAMM, NIST AI RMF), and incident-command experience on at least 5 Sev-1 incidents. Below that, "Staff Security Engineer" reads as inflated even if a small company gave you the title. Above 10 years, "Staff" is the floor; principal / senior staff / security architect becomes the next step.
How do I show AI security fluency in 2026 if my company hasn't fully adopted it yet?
Anchor on the canonical references: NIST AI RMF (AI 100-1) plus the Generative AI Profile (AI 600-1, July 2024), the OWASP Top 10 for LLM Applications (2025 version), and MITRE ATLAS [16][11][17]. Even contributing one named LLM-red-team exercise, one model-evaluation harness, or one prompt-injection guardrail with documented testing reads as leading-edge in 2026. Pattern: "Drove the platform's first internal LLM red-team exercise against the customer-facing chat surface — surfaced 6 prompt-injection patterns mapped to OWASP LLM01 and 2 system-prompt-leakage patterns (LLM07), with documented mitigations and continuous-evaluation harness for regression testing." Senior screens at frontier-AI labs and AI-adjacent SaaS will recognize the signal.
References
[1] Greenhouse Software. "Sourcing and Filtering Best Practices — Greenhouse Help Center." https://support.greenhouse.io/hc/en-us/articles/360051506331-Sourcing-best-practices
[2] Lever. "Recruiter Search and Filtering Documentation." https://help.lever.co/
[3] Workday. "Workday Recruiting — Candidate Search Documentation." https://doc.workday.com/admin-guide/en-us/staffing/recruiting/candidate-experience.html
[4] Ashby HQ. "Recruiting Workflow and Candidate Scoring." https://www.ashbyhq.com/
[5] Jobscan. "ATS Resume Optimization for Cybersecurity and Security Engineering Roles." https://www.jobscan.co/
[6] U.S. Bureau of Labor Statistics. "Information Security Analysts (SOC 15-1212) — Occupational Outlook Handbook (May 2024)." https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
[7] levels.fyi. "Security Engineer / Application Security Engineer / Detection Engineer Salary Data by Company and Level." https://www.levels.fyi/
[8] MITRE Corporation. "MITRE ATT&CK, CWE, and D3FEND — Adversary Tactics, Software Weaknesses, and Defensive Countermeasures." https://attack.mitre.org/
[9] OWASP Foundation. "OWASP Top 10 — 2021 Edition (with Threat Dragon, SAMM, and supporting projects)." https://owasp.org/Top10/
[10] OWASP Foundation. "OWASP Application Security Verification Standard (ASVS)." https://owasp.org/www-project-application-security-verification-standard/
[11] OWASP Foundation. "OWASP Top 10 for Large Language Model Applications (2025)." https://genai.owasp.org/llm-top-10/
[12] National Institute of Standards and Technology. "NIST SP 800-207 — Zero Trust Architecture." https://csrc.nist.gov/pubs/sp/800/207/final
[13] IETF OAuth Working Group. "The OAuth 2.1 Authorization Framework (Draft)." https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
[14] National Institute of Standards and Technology. "NIST SP 800-61 — Computer Security Incident Handling Guide." https://csrc.nist.gov/pubs/sp/800/61/r2/final
[15] Offensive Security. "OSCP / OSWE / OSEP — Penetration Testing Certifications." https://www.offsec.com/courses-and-certifications/
[16] National Institute of Standards and Technology. "AI Risk Management Framework (AI RMF 1.0) and Generative AI Profile (NIST AI 600-1)." https://www.nist.gov/itl/ai-risk-management-framework
[17] MITRE Corporation. "MITRE ATLAS — Adversarial Threat Landscape for Artificial-Intelligence Systems." https://atlas.mitre.org/
[18] Cybersecurity and Infrastructure Security Agency (CISA). "Known Exploited Vulnerabilities (KEV) Catalog and BOD 22-01." https://www.cisa.gov/known-exploited-vulnerabilities-catalog