Red Team Engineer

Acrisure•Grand Rapids, MI

7h•Onsite

About The Position

About Acrisure A global fintech leader, Acrisure empowers millions of ambitious businesses and individuals with the right solutions to grow boldly forward. Bringing cutting-edge technology and top-tier human support together, we connect clients with customized solutions across a range of insurance, reinsurance, payroll, benefits, cybersecurity, mortgage services – and more. In the last twelve years, Acrisure has grown in revenue from $38 million to almost $5 billion and employs over 19,000 colleagues in more than 20 countries. Acrisure was built on entrepreneurial spirit. Prioritizing leadership, accountability, and collaboration, we equip our teams to work at the highest levels possible. Job Summary: You will be a hands-on offensive security engineer who finds and proves exploitable vulnerabilities in web applications, APIs, and cloud-hosted services before adversaries do. Your primary focus is web application and API penetration testing across a large, multi-tenant SaaS portfolio; including payroll, benefits, and financial platforms that process sensitive PII and financial data at scale. You’ll conduct manual and automated security assessments, build repeatable attack tooling, and work directly with engineering teams to validate fixes. You will also leverage AI tools to accelerate reconnaissance, vulnerability discovery, exploit development, and reporting; and assess AI-integrated features within our applications for prompt injection, model manipulation, and agentic abuse risks. We are an AI-first security organization. We build with AI, secure AI, and expect this role to actively leverage AI tooling to accelerate offensive security outcomes. Success in this role means finding the vulnerabilities that scanners miss, proving exploitability with evidence that drives action, and helping engineering teams ship more secure code.

Requirements

4+ years of hands-on experience in penetration testing, with a primary focus on web applications and APIs.
Deep understanding of web application vulnerabilities beyond OWASP Top 10 — including business logic flaws, authorization model weaknesses (IDOR/BOLA), race conditions, and authentication/session architecture attacks.
Experience testing multi-tenant SaaS applications and understanding tenant isolation patterns and failure modes.
Proficiency with web application testing tools: Burp Suite Professional, custom extensions, and manual testing methodologies.
Scripting and automation skills (Python, JavaScript, or similar) for exploit development, custom tooling, and test automation.
Working knowledge of cloud platforms (AWS and/or Azure) — enough to test cloud-hosted applications and understand IAM, networking, and service configurations.
Familiarity with source code review for security — ability to read and analyze application code (.NET/C#, Java, JavaScript/TypeScript, or Python) to identify vulnerabilities.
Experience producing professional penetration test reports with clear evidence, risk ratings, and remediation guidance.

Nice To Haves

Experience using AI/LLM tools for offensive security — automated recon, intelligent code review, payload generation, or AI-assisted exploit development.
Experience testing AI-integrated application features for prompt injection, model abuse, or agentic system vulnerabilities.
Familiarity with AI security frameworks: OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF.
Experience with .NET/C# application security — particularly ASP.NET Web API, Entity Framework, and common .NET authorization patterns.
Cloud penetration testing experience (AWS, Azure) — IAM exploitation, metadata service abuse, cross-account pivoting, serverless and container breakout.
Bug bounty experience (HackerOne, Bugcrowd) — as a researcher, triager, or program operator.
Experience building security validation into CI/CD pipelines for continuous testing.
Familiarity with MITRE ATT&CK (Enterprise + Cloud), PTES, or OWASP Testing Guide methodologies.
Relevant certifications: OSCP, OSWE, GWAPT, GPEN, eWPT, BSCP, or equivalent hands-on certifications. We value demonstrated skill over certification count.

Responsibilities

Conduct deep manual penetration tests against web applications, REST/GraphQL APIs, and microservices — focusing on authentication, authorization (IDOR/BOLA), session management, injection, and business logic flaws.
Perform source-code-assisted testing (grey-box/white-box) using access to application repositories to identify vulnerabilities that black-box testing misses.
Test multi-tenant isolation boundaries — proving or disproving cross-tenant data access, privilege escalation, and tenant-escape scenarios in SaaS platforms.
Assess authentication and session architectures: OAuth/OIDC flows, JWT handling, MFA bypass, token lifecycle, and session revocation effectiveness.
Validate authorization models end-to-end — from API gateway to data layer — identifying gaps where opt-in security filters can be bypassed or omitted.
Execute targeted assessments of high-risk application changes, new features, and integrations as part of the secure development lifecycle.
Use AI tools (LLMs, copilots, agentic frameworks) to accelerate vulnerability discovery, payload generation, reconnaissance, and report writing.
Build and maintain AI-assisted attack workflows — automated recon pipelines, intelligent fuzzing, pattern-based code review, and exploit chain analysis.
Assess AI-integrated application features for prompt injection, training data leakage, model manipulation, excessive agency, and insecure output handling (OWASP LLM Top 10).
Contribute to AI red-teaming exercises targeting LLM-powered features, chatbots, and agentic systems deployed across the enterprise.
Stay current on AI-driven offensive techniques and defensive evasion — and translate emerging research into practical testing methodologies.
Conduct penetration tests against cloud-hosted applications and services in AWS and Azure — including serverless functions, container workloads, and managed services.
Test cloud identity and access configurations — IAM policies, role assumptions, cross-account access, service principal permissions, and privilege escalation paths.
Assess API gateway configurations, WAF effectiveness, and network segmentation controls.
Identify attack paths from application-layer compromise to cloud infrastructure pivot — demonstrating real-world impact chains.
Build and maintain custom offensive tooling — scanners, exploit scripts, and validation frameworks tailored to the organization’s technology stack.
Develop repeatable, automated security validation tests that can be integrated into CI/CD pipelines for continuous assurance.
Produce clear, evidence-based penetration test reports with proof-of-concept exploits, risk ratings, and actionable remediation guidance.
Track and retest findings through remediation — validating fixes are effective and complete.
Contribute to the organization’s attack playbooks, TTPs documentation, and knowledge base.
Partner with AppSec engineers to translate offensive findings into defensive tooling improvements (SAST/DAST rules, ASPM policies).
Work with development teams during and after assessments — explaining vulnerabilities, demonstrating impact, and advising on secure design patterns.
Support bug bounty program triage and validation when external researchers report findings.
Participate in purple team exercises — working with detection engineering and SOC to validate monitoring coverage against real attack techniques.