Offensive Security Engineer

About The Position

Requirements

• Bachelor’s degree in Cybersecurity or related field required.
• 3+ years of hands-on web application penetration testing experience in a professional or consulting capacity.
• Passion and demonstrated experience for challenging security assumptions.
• Deep familiarity with MITRE ATT&CK, OWASP Top 10, OWASP API Security Top 10, and OWASP Top 10 for LLMs.
• Proficiency with standard tooling: Burp Suite, OWASP ZAP, Nmap, Metasploit, SQLmap, Nikto.
• Demonstrated ability to exploit and document authentication/authorization flaws, injection vulnerabilities, XXE, SSRF, deserialization issues, and insecure direct object references.
• Strong written communications: findings reports must be usable by both developers and executives.
• Experience testing RESTful and/or GraphQL APIs.
• Experience with AWS environment security assessment (IAM misconfiguration, S3 exposure, Lambda attack surface).
• Scripting proficiency in Python, Bash, or JavaScript for custom tooling and automation.
• Familiarity with automotive, logistics, or fintech regulatory requirements (PCI DSS, SOC 2 Type II).
• Prior experience in a startup or high-growth SaaS environment where speed and security have to coexist.
• OSCP, GWAPT, eWPT, or equivalent.
• CEH is accepted but is less weighted than practical certs.

Responsibilities

• Experience with leveraging components of a modern software development stack to attack companies, including CI, container orchestration systems (Kubernetes/Docker), cloud providers (AWS), and be able to give hardening suggestions.
• Conduct offensive security engagements, including Red Team operations, threat-based evaluations, and vulnerability research and exploitation against both internal and external-facing systems.
• Plan and execute black-box, grey-box, and white-box web application penetration tests against RunBuggy production and staging environments.
• Maintain tooling (Burp, Metasploit, C2 frameworks, custom scripts) for exploitation, detection validation, and security assessments.
• Conduct API security testing (REST, GraphQL) including authentication bypass, injection, broken object-level authorization (BOLA/IDOR), and business logic flaws.
• Perform cloud configuration reviews (AWS) and assess infrastructure-level exposure where it intersects with web application attack surfaces.
• Produce clear, risk-ranked findings reports with reproducible proof-of-concept and actionable remediation guidance for both technical and non-technical audiences.
• Collaborate with engineering to validate fixes and re-test remediated vulnerabilities.
• Perform social engineering exercises (phishing, credential harvesting), where applicable.
• Contribute to bug bounty triage, third-party assessment coordination, and security tooling selection.
• Support compliance efforts (SOC 2, PCI DSS) by providing evidence and attestation tied to pen test scope and outcomes.
• Stay current on emerging attack techniques and translate threat intelligence into test cases relevant to RunBuggy’s stack.
• Other duties as assigned.

Benefits

• Highly competitive medical, dental, vision, Life w/ AD&D, Short-Term Disability insurance, Long-Term Disability insurance, pet insurance, identity theft protection, and a 401(k) retirement savings plan.
• Employee wellness program.
• Employee rewards, discounts, and recognition programs.
• Generous company-paid holidays (12 per year), vacation, and sick time.
• Paid paternity/maternity leave.
• Monthly connectivity/home office stipend if working from home 5 days a week.