AI Cybersecurity Engineer
Who We Are
At Upbound Group, we are committed to elevating financial opportunity for all through innovative, inclusive, and technology-driven financial solutions that address the evolving needs and aspirations of consumers. The Company’s customer-facing operating units include industry-leading brands such as Rent-A-Center, Acima and Brigit that facilitate consumer transactions across a wide range of store-based and digital retail channels, including over 2,400 company-branded retail units across the United States, Mexico, New York and Puerto Rico. Upbound Group, Inc. is headquartered in Plano, Texas.
Role Summary
We are seeking a forward-thinking AI Cybersecurity Engineer to join our Security team. This role sits at the convergence of Zero Trust architecture, Generative AI, agentic systems, and modern security engineering. The AI Cybersecurity Engineer will design, build, and operationalize next-generation AI-driven security capabilities - including autonomous security agents, Retrieval-Augmented Generation (RAG) pipelines, and Model Context Protocol (MCP) integrated toolchains - to protect our infrastructure, data, and users against an ever-evolving threat landscape. This role is critical to enabling safe, responsible AI adoption across our brands while maintaining the trust of the consumers we serve.
Key Responsibilities
- Apply Zero Trust principles to AI agents, ensuring agents operate under strict least-privilege policies with scoped, time-limited credentials.
- Secure GenAI deployments including LLM APIs, fine-tuned models, and foundation model integrations against threats such as prompt injection, jailbreaking, training data poisoning, and model inversion attacks.
- Build and maintain guardrails, content moderation layers, and output validation pipelines for GenAI systems and LLMs used in security and business workflows.
- Conduct adversarial red-teaming of GenAI systems, agent platforms, and LLMs to identify exploitable behaviors, unsafe outputs, and data exfiltration risks; develop remediation playbooks.
- Secure multi-agent systems (MAS) that autonomously perform security tasks such as threat hunting, incident triage, vulnerability scanning, and policy enforcement.
- Define agent trust boundaries, inter-agent communication security, and human-in-the-loop (HITL) checkpoints to prevent runaway or adversarially hijacked agent behavior.
- Implement agent observability frameworks - logging, tracing, and auditing all agent decisions, tool calls, and external API interactions for forensic and compliance purposes.
- Assess and mitigate agentic-specific attack surfaces including goal hijacking, tool misuse, privilege escalation via chained tool calls, and unintended data exfiltration.
- Evaluate, harden, and govern the use of Model Context Protocol (MCP) servers that expose enterprise tools and data to AI agents - treating each MCP server as a security boundary requiring authentication, authorization, and audit logging.
- Define and enforce MCP server access control policies, ensuring agents can only invoke permitted tools within approved scopes and that all MCP tool calls are logged and attributable.
- Assess MCP-specific risks including prompt-injected tool invocation, unauthorized resource access through MCP resource endpoints, and lateral movement via chained MCP server calls.
- Collaborate with platform and integration teams to establish secure MCP deployment standards, including mTLS for server communication, secrets management for server credentials, and rate limiting for tool invocations.
- Harden RAG pipelines against retrieval manipulation attacks, indirect prompt injection via poisoned knowledge base documents, and sensitive data leakage through retrieved context.
- Design RAG pipeline monitoring and anomaly detection to identify unusual retrieval patterns, high-entropy queries indicative of extraction attacks, and drift in retrieved context quality.
- Build and deploy ML models for real-time threat detection, behavioral anomaly detection, and user/entity behavior analytics (UEBA) across network, endpoint, and cloud telemetry.
- Develop LLM-powered SOAR integrations that automate alert triage, root cause analysis, runbook execution, and stakeholder communication using natural language generation.
- Create GenAI-assisted threat hunting workflows that allow analysts to query security data in natural language, with results grounded in live telemetry via RAG.
- Embed AI security controls (input validation, output filtering, adversarial testing) into CI/CD pipelines for AI systems alongside traditional DevSecOps practices.
- Contribute to AI Bill of Materials (AI-BOM) tracking - a comprehensive inventory of all deployed models, dependencies, training data sources, agents, MCP servers, and RAG pipelines - to support supply chain security and compliance audits.
- Produce threat models, security architecture reviews, and risk assessments for AI-enabled products; maintain living documentation as systems evolve.
- Integrate AI-driven tools into daily engineering work to enhance decision-making quality and accelerate innovation across deliverables.
Required Qualifications
- 5+ years of experience in cybersecurity engineering, with at least 2 years of hands-on experience in AI/ML security, GenAI systems, agentic platforms, and LLM application development.
- Deep understanding of Zero Trust architecture principles (NIST SP 800-207) and hands-on experience implementing controls in cloud-native or hybrid environments.
- Hands-on experience with cloud security in at least one major cloud platform (AWS, Azure, or GCP), including cloud-native IAM, Cloud Security Posture Management (CSPM), and cloud AI service security controls.
- Experience implementing Data Loss Prevention (DLP) controls within AI pipelines, including mechanisms to detect and block sensitive consumer data - such as PII, SSNs, and payment card information - from being transmitted to external LLMs or stored in AI system logs; familiarity with data residency requirements and privacy-preserving techniques (e.g., tokenization, redaction) as applied to GenAI workflows.
- Demonstrated experience securing LLM-based applications, including prompt injection defenses, output validation, and responsible AI guardrails.
- Hands-on experience building or securing RAG pipelines, including vector database access control and retrieval-layer security.
- Familiarity with agentic AI frameworks (LangChain, LangGraph, AutoGen, CrewAI, or equivalent) and the security risks associated with autonomous multi-agent systems.
- Strong Python proficiency; experience with ML frameworks (PyTorch, TensorFlow, Hugging Face transformers) and security data pipelines.
- Experience with SIEM/SOAR platforms (Rapid7, Microsoft Sentinel) and integrating AI capabilities into security operations workflows.
- Working knowledge of identity and access management (IAM), OAuth 2.0 / OIDC, and secrets management (HashiCorp Vault, AWS Secrets Manager, Secret Server) in the context of AI system authentication.
- Familiarity with MITRE ATT&CK, MITRE ATLAS (adversarial threats to AI/ML systems), and OWASP LLM Top 10.
- Excellent communication skills; able to translate complex AI security risks for executive, legal, and non-technical audiences.
- Experience developing and executing incident response procedures specific to AI systems, including response plans for model compromise, agent misbehavior events, and data exfiltration through LLM outputs.
- Demonstrated ability to author enforceable security policies and standards, including acceptable use frameworks, data classification guidelines, and AI security control baselines applicable across engineering and business teams.
Preferred Qualifications
- Hands-on experience with Model Context Protocol (MCP) security controls in enterprise environments.
- Direct experience deploying or securing Claude Enterprise or a comparable enterprise AI assistant platform, including API security hardening, usage policy governance, role-based access controls, and audit logging configuration.
- Experience conducting structured AI red-teaming exercises against LLMs, RAG systems, or autonomous agents, including goal hijacking and tool misuse scenarios.
- Knowledge of adversarial ML (evasion, poisoning, model extraction) and model interpretability techniques (SHAP, LIME, attention visualization).
- Experience with AI governance, AI auditing, and compliance frameworks including NIST AI RMF, ISO 42001, or SOC 2 Type II for AI systems.
- Relevant certifications: CISSP, CISM, CEH, AWS/Azure/GCP Security Specialty, or emerging AI security credentials.
Work Location
Ability to work in the Plano, Texas office, Monday through Friday.
Sponsorship
Applicants must be authorized to work for ANY employer in the U.S. We are unable to sponsor or take over sponsorship of an employment visa at this time.
Equal Opportunity Employer
Upbound Group is an equal opportunity employer committed to ensuring all employment decisions are made on a non-discriminatory basis in accordance with applicable federal, state, and local laws.
This job description is not intended to be all-inclusive. Coworker may perform other related duties as negotiated to meet the ongoing needs of the organization.