Qualtrics
Offensive Security Engineer II
Full details on LinkedIn
The complete job description, requirements, and application details are available on the original posting.
About Qualtrics
Qualtrics is an experience management company based in the United States, founded in 2002. With co-headquarters in Seattle, Washington, and Provo, Utah, it specializes in a cloud-based subscription software platform that helps organizations collect, analyze, and act on experience data (X-data) from customers, employees, products, and brands. This platform is designed to improve decision-making and operational efficiency. Initially a survey research tool for academia, Qualtrics shifted its focus to enterprise customers in 2012 and has since become a leader in the Experience Management (XM) category. The company employs over 5,000 people and serves 18,750 customers across more than 100 countries, including 91 of the Fortune 100 companies. Its key offerings include the XM Platform, which manages experience data, and XM Discover, which enhances experience insights. Qualtrics has also expanded its capabilities through strategic acquisitions, positioning itself as a significant player in the enterprise software market.
Security at Qualtrics
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
- Qualtrics' core philosophy emphasizes the protection and reliability of customer data, which it describes as its 'most important concern'.
- Their Information Security Management System (ISMS) defines the overall security function, and they state that 'Security isn't a feature. It's the foundation.'
- The company demonstrates a compliance-oriented risk philosophy, evidenced by achieving 'FedRAMP Authorization' and 'ISO 42001' certification, which 'validates responsible AI governance.' However, no public, verbatim statements were found describing a 'developer-first' or 'paved road' approach, nor explicit 'risk-based approach' or 'threat modeling' for AppSec processes.
Security Team
- Assaf Keren serves as the Chief Security Officer (CISO) at Qualtrics, having joined the company.
- No public, verbatim statements were found specifying the AppSec team's reporting line (e.g., to CISO) or whether it is centralized or embedded.
- No reliable public headcount or LinkedIn-derived AppSec team size quote was located, and no discrete 'Application Security' job postings with verbatim content were captured during the research.
- Consequently, common skill/tool patterns from job postings could not be identified.
Key Initiatives
- No public verbatim evidence was found describing a Security Champions program or specific 'Shift Left' practices such as pre-commit, IDE, or CI/CD security actions.
- For vulnerability management, Qualtrics has a 'Vulnerability Disclosure Program for how to report' findings, and 'Application penetration tests are performed annually by an independent third-party.' However, no public statements specify triage SLAs, MTTR, ticketing processes, or ownership.
- Regarding Secure SDLC Artifacts, the 'Information Security Management System (ISMS) defines the overall security function at Qualtrics,' and certifications like 'ISO 27001' / SOC 2 / HITRUST are present.
- Still, no verbatim quotes describe 'security reviews for all major features,' 'threat modeling high-risk services,' or explicit SDLC gates.
- Recent initiatives (last 6 months relative to) include 'Qualtrics Receives the Highest Level of Federal Security Compliance with FedRAMP® High Authorization' (July 22, 2025) and 'ISO 42001 validates responsible AI governance' (October 15, 2025).
- No AppSec-specific program rollouts were located.