The specific signals an experienced security engineer hiring panel grades on during the eight-second scan.

• Summary names the security domain (AppSec, DetEng, IR)

  'AppSec engineer owns the SAST + threat-modeling program' beats 'security engineer.' The domain is the role-fit signal.

• Specific framework named (OWASP, MITRE ATT&CK)

  OWASP ASVS, MITRE ATT&CK matrix references, NIST CSF mapping. Framework fluency is the senior signal.

• CVE / finding / detection counts

  Vulnerabilities found, P0/P1/P2 breakdown, detections shipped, true-positive rate. Security work is graded in counts and outcomes.

• One specific tool stack

  Burp Suite Pro, Semgrep, Snyk, Splunk, Datadog Security, KQL. Generic 'security tools' parses as junior.

• Bug-bounty or CVE credit (if any)

  Public CVE credit, HackerOne reputation, advisory disclosure. The highest-signal AppSec credential.

• One certification (if applicable)

  OSCP, GIAC GPEN/GWAPT, CISSP for senior. Security is one of the few fields where certifications meaningfully parse.

1. 1

   Open with the security domain and the program scope

   A senior security summary names the domain and scope: 'AppSec engineer at a Series C fintech; owns the SAST + threat-modeling program for 280 engineers.' DetEng: 'DetEng on the security team; owns 38 detections across the Microsoft 365 + AWS attack surface; 92% TP rate over Q3.' IR: 'IR lead at a fintech; ran 8 incidents through 2024 (2 IR-1, 6 IR-2); mean containment 38m.'

   Lead with the domain. Security is sub-specialized; pretending otherwise reads as junior.

2. 2

   Quantify with severity and outcome window

   Finding counts with severity breakdown, detection counts with TP rate, IR counts with mean containment, CVE credits with CVSS, audit findings closed. Security work is graded on counts AND outcome windows — 'zero P0 incidents for 9 months' is the kind of bullet that pulls forward.

3. 3

   Reference at least one framework

   OWASP ASVS, MITRE ATT&CK, NIST CSF, CIS Controls. Mapping work to a framework signals depth. 'Authored detections mapped to MITRE ATT&CK T1059, T1078' parses much better than 'wrote SOC detections.'

4. 4

   Name the tool stack precisely

   Burp Pro, Semgrep, Snyk, Wiz, Splunk ES, KQL, Sigma. Specific products parse as separate tokens. Security JDs explicitly screen for the tools the company uses.

5. 5

   Close with CVE / disclosure / community

   Public CVE credit is the gold-standard security credential. Bug-bounty reputation (HackerOne / Bugcrowd profile, confirmed reports), DEFCON / BlackHat talks, published research, open-source security tools — all are high-signal closing items.

Each follows the [verb] [object] [number] structure hiring managers grade against. Copy them as a starting point, swap in your own numbers, and read the annotation to understand why each one works.

• AppSec

  Shipped 38 SAST findings to remediation through 2024 (4 P0, 12 P1, 22 P2); zero P0/P1 in production for 9 consecutive months post-program-launch.

  Why it works: Count, severity breakdown, and sustained zero-P0 window. Vuln work graded on outcome, not just findings.

• Detection engineering

  Authored 22 KQL detections mapped to MITRE ATT&CK T1059, T1078, T1133, T1212; 92% true-positive rate across Q3 2024 over Microsoft 365 + AWS CloudTrail.

  Why it works: Detection count, MITRE mapping, TP rate with timeframe, attack-surface scope.

• Incident response

  Led IR on 8 incidents through 2024 (2 IR-1, 6 IR-2); mean containment time fell from 4h to 38m after the playbook rewrite I authored.

  Why it works: IR count, severity, mean containment improvement, playbook outcome.

• CVE / disclosure

  Discovered and disclosed CVE-2024-XXXXX in a widely-used open-source library; CVSS 8.2 (High). Coordinated disclosure with maintainer over 8 weeks; patch released in 4 minor versions.

  Why it works: Named CVE, severity, coordinated-disclosure detail, and patch outcome. CVE credit is the gold-standard security credential.

• Standards

  Achieved OWASP ASVS L2 conformance org-wide across 38 services; remediation pass closed 14 P0/P1 ASVS gaps in 6 weeks.

  Why it works: Names ASVS level, service scope, remediation count with severity, and the timeframe.

• Threat modeling

  Built the org's threat-modeling program (STRIDE-based, applied to every new service); 24 threat models completed through 2024; surfaced 38 design-time risks (8 P0 candidates) before code review.

  Why it works: Names the framework (STRIDE), the cadence, the threat-model count, and the risk-surfacing outcome with severity calibration.

• Tooling

  Migrated the SAST pipeline from Checkmarx to Semgrep + GitHub Code Scanning; SAST pipeline runtime fell from 45 min to 4 min; false-positive rate dropped from 38% to 11%.

  Why it works: Named tools (Checkmarx → Semgrep + Code Scanning), runtime delta, FP-rate delta. Tooling migrations with measurable outcomes are senior signal.

• Mentorship

  Mentored 2 junior security engineers from generalist SWE into AppSec focus; both shipped sole-owner program work (one SAST, one threat-modeling) within 6 months.

  Why it works: Names the transition, the timeframe, and the deliverable per mentee.

• Automation

  Reduced security-team ticket queue from 480 open to 38 via automation (auto-remediation for low-severity findings + a self-service threat-model intake form).

  Why it works: Names the queue depth before/after and the two automation interventions. Security automation with a queue-depth outcome is a senior signal.

• Bug bounty

  HackerOne reputation 1,240 (top 12% globally); 38 confirmed reports across 2024, including 4 P0 chained-vulnerabilities at recognized B2B SaaS programs.

  Why it works: Public reputation number, top-percentile context, report count, severity. Bug-bounty work is a high-signal AppSec credential.

• Speaking

  DEFCON 32 (2024) speaker — 'Building threat-modeling programs that scale to 280 engineers' (45-min track talk). 4,200 views on the recorded talk.

  Why it works: Named conference, talk title, length, and view count. DEFCON speaking is a senior security credential.

• Compliance

  Owned the SOC2 Type II audit prep over 8 weeks; shipped 14 control remediations; external auditor signed off with zero findings.

  Why it works: Named framework, duration, remediation count, audit outcome. Cross-functional compliance work belongs on the security resume too.

Same intent, two phrasings. Read why the right column lands on the keep-pile and the wrong column doesn't.

Patterns our writers see most often when reviewing security engineer resumes — each one disqualifies candidates faster than weak experience does.

• Mistake

  Generic 'security engineer' opening without a domain.

  Fix

  Name the domain — AppSec, DetEng, IR, GRC, Red Team. Domain is the senior signal.

• Mistake

  Claiming all security domains.

  Fix

  Senior security panels prefer depth in one domain over breadth across five.

• Mistake

  Vuln counts without severity.

  Fix

  Break out by P0/P1/P2/P3. Severity context matters more than absolute count.

• Mistake

  Generic 'security tools' without naming them.

  Fix

  Name Burp Pro, Semgrep, Snyk, Splunk, KQL by exact product. Security JDs screen for tool tokens.

• Mistake

  Not naming any framework.

  Fix

  OWASP ASVS / MITRE ATT&CK / NIST CSF reference reads as senior. Framework fluency is the load-bearing signal.

• Mistake

  Two-page resume with fewer than 8 years experience.

  Fix

  One page. Security hiring panels move fast.

• Mistake

  Listing every certification without dates.

  Fix

  Security certs need years. List 2-4 current certs with year; cut older / lapsed ones.

• Mistake

  Hidden white-text keyword stuffing.

  Fix

  Don't. Security companies disqualify aggressively for integrity issues.

Strong verbs lead strong bullets. Replace generic openers (worked on, helped with, was responsible for) with the specific verb that matches what you actually did.

ATS pipelines weight your Skills section as a structured list. Include 15-25 of the items below if they match your experience — not soft skills.