Cybersecurity Researcher Reverse Engineer

National Laboratory of the Rockies | Golden, CO
$100,400 - $216,700 | Onsite

About The Position

The National Renewable Energy Laboratory (NLR) is seeking a skilled Cybersecurity Researcher Reverse Engineer to join our Cyber Threat Analysis Group, within the Cybersecurity Research Center. This role requires candidates to analyze, deconstruct, and evaluate the security of highly complex embedded devices and systems that are critical to the nation's energy infrastructure and national security. You will conduct deep-dive vulnerability research on hardware and firmware found in Industrial Control Systems (ICS), smart grid components, electric vehicle supply equipment (EVSE), and distributed energy resources (DERs). Drawing on a comprehensive understanding of system internals, cryptography, and network protocols, you will reverse engineer proprietary systems to uncover zero-day vulnerabilities, develop reliable exploits in constrained environments, and design system-level mitigations to secure the energy grid against advanced persistent threats (APTs).

Requirements

  • Must be able to obtain and maintain a DOE security clearance at the DOE (Q) and SCI access or DoD (TS) and SCI level. SCI access may require a polygraph examination.
  • Eligibility requirements: To obtain a clearance, an individual must be at least 18 years of age; U.S. Citizenship is required except in very limited circumstances. See DOE O 472.2A for additional information.
  • Must meet educational requirements prior to employment start date.

Nice To Haves

  • Researcher IV: Relevant PhD and 4 or more years of experience. Or, relevant Master's Degree and 7 or more years of experience. Or, relevant Bachelor's Degree and 9 or more years of experience. Demonstrated in-depth knowledge of laws, regulations, principles, procedures and practices related to specific field. Excellent leadership, communication, problem solving and project management skills. Ability to use various computer software programs.
  • Researcher III: Relevant PhD. Or, relevant Master's Degree and 3 or more years of experience. Or, relevant Bachelor's Degree and 5 or more years of experience. Demonstrates broad understanding and wide application of engineering technical procedures, principles, theories and concepts in the field. General knowledge of other related disciplines. Demonstrates leadership in one or more areas of team, task or project lead responsibilities. Demonstrated experience in management of projects. Very good writing, interpersonal and communication skills.

Responsibilities

  • Design and deploy advanced discovery techniques against black-box embedded systems.
  • Implement custom fuzzing harnesses for hardware-in-the-loop and emulated environments.
  • Develop robust, weaponized proof-of-concept (PoC) exploits for constrained environments.
  • Bypass embedded exploit mitigations.
  • Write custom shellcode and achieve persistent execution within RTOS or bare-metal environments.
  • Intercept, reverse engineer, and exploit communications across all layers.
  • Analyze local hardware buses (CAN, I2C, SPI), industrial control protocols (Modbus, DNP3, IEC 61850 GOOSE/SV, CIP/EtherNet/IP), and modern Smart Grid/EV protocols (OCPP, IEEE 2030.5, MQTT).
  • Perform static and dynamic analysis of compiled binaries, RTOS (e.g., VxWorks, QNX, FreeRTOS), and bare-metal systems.
  • Reverse engineer boot sequences, evaluate kernel-level internals, and identify privilege escalation vectors from user-space tasks to the kernel or hypervisor.
  • Defeat hardware security mechanisms and extract firmware using debug interfaces (JTAG, UART, SWD).
  • Execute advanced hardware attacks, including side-channel analysis and fault injection (glitching), to extract cryptographic keys or bypass authentication.
  • Translate highly technical vulnerability findings and exploitation mechanics into actionable intelligence.
  • Brief technical peers, leadership, and federal stakeholders on systemic risks to critical infrastructure and propose hardware/software mitigations.
  • Researcher IV: Solves uniquely significant problems: Defeats advanced hardware security mechanisms (Secure Boot, TrustZone) utilizing novel techniques like side-channel analysis and fault injection.
  • Serves as a technical authority: Briefs federal stakeholders and influences directorate-level strategy regarding systemic risks to critical infrastructure.
  • Translates national needs: Directly addresses national security priorities by developing advanced mitigations against Advanced Persistent Threats (APTs) targeting the energy grid.
  • Drives lab-wide capability: Architects and maintains custom reverse engineering plugins and automation frameworks utilized by multiple teams across the laboratory.
  • Mentors at the lab level: Serves as a recognized expert, mentoring staff across the organization in highly specialized areas like kernel-level privilege escalation and deep firmware analysis.
  • Researcher III: Solves complex problems: Develops robust proof-of-concept exploits and performs deep static/dynamic analysis on constrained embedded environments.
  • Leads project-level decisions: Designs and deploys advanced vulnerability discovery techniques, including custom fuzzing harnesses and symbolic execution.
  • Applies broad engineering concepts: Adapts established principles to bypass exploit mitigations (e.g., ASLR, DEP/NX) on ARM, MIPS, and PowerPC architectures.
  • Coordinates project efforts: Guides the technical execution of intercepting and analyzing complex hardware buses (CAN, SPI) and industrial protocols (Modbus, DNP3).
  • Represents the laboratory: Translates highly technical vulnerability findings into actionable intelligence for internal peers and project leadership.

Benefits

  • medical, dental, and vision insurance
  • short- and long-term disability insurance
  • pension benefits
  • 403(b) Employee Savings Plan with employer match
  • life and accidental death and dismemberment (AD&D) insurance
  • personal time off (PTO) and sick leave
  • paid holidays
  • tuition reimbursement
  • performance-, merit-, and achievement-based awards that include a monetary component
  • relocation expense reimbursement