Original listing text, shown exactly as published by the company.
Competencies/Requirements
- Extensive hands-on experience conducting full-scope web application penetration tests.
- Deep, practical knowledge of common and not-so-common web vulnerability classes — SQL injection, XSS (reflected, stored, and DOM-based), SSRF, SSTI/CSTI, IDOR/BOLA, authentication and authorization bypass, path traversal, LFI, and similar — including how to chain them to demonstrate impact.
- A talent for finding and exploiting business-logic and edge-case flaws that automated scanners routinely miss.
- Strong command of proxy tools like Burp Suite and browser developer tools.
- Comfort scripting to reproduce findings and build proof-of-concept exploits (e.g., Python or similar) — you don't need to be a professional software engineer, but you should be able to write and read code well enough to demonstrate an exploit and collaborate effectively with engineers.
- Ability to clearly communicate attack steps, impact, and remediation guidance to both engineers and non-technical stakeholders.
- Curiosity about emerging AI technologies and comfort using AI-assisted tools in your testing and research workflow.
- Strong written and verbal communication, including technical documentation.
- Ability to manage multiple priorities, work independently, and mentor teammates of varying experience levels.
- Quick to learn and adopt new technologies, frameworks, and target stacks as needed.
- History of recognized security research, including documented CVE discoveries and responsible disclosure.
- Track record of successful bug bounty contributions.
Desired/Nice to Have
- Familiarity with how autonomous, agentic, or AI-driven pentesting tools work — and a sharp instinct for where and why they fail.
- Experience writing detection or attack content (e.g., Nuclei templates, sqlmap tamper scripts, custom Burp extensions).
- Enough software development background to collaborate fluently with engineers on remediation and product coverage.
- Familiarity with relational and graph databases, particularly Postgres and Neo4j.
- Experience with AI/LLM tools for building agentic workflows (e.g., LangChain, LangFlow) and integrating contextual data using protocols like Model Context Protocol (MCP).
Expectations
- Outstanding problem-solving aptitude and a relentless curiosity for how things break.
- Self-motivated and highly energetic, with the ability to operate effectively with limited supervision and guidance.
- Work with our engineers and security researchers to turn manual discoveries into reliable, production-safe product capabilities.
- Strong technical documentation and communication skills.
- Document findings, methodologies, and recommendations for both technical and non-technical stakeholders.
What makes you stand out
- A portfolio of novel web application research, exploits, or edge-case findings you can walk us through.
- Demonstrated examples of using AI to enhance or accelerate your testing and exploit development.
- OSCP, OSWE, or comparable offensive security certifications.
Other Duties
Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee. Duties, responsibilities, and activities may change at any time with or without notice.
