Red Team Engineer

Acrisure, Atlanta, GA
Onsite

About The Position

Acrisure is a global fintech leader that empowers businesses and individuals with customized solutions across insurance, reinsurance, payroll, benefits, cybersecurity, and mortgage services. With a history of significant revenue growth and a global presence, Acrisure is built on an entrepreneurial spirit, prioritizing leadership, accountability, and collaboration.

This role is for a hands-on offensive security engineer focused on finding and proving exploitable vulnerabilities in web applications, APIs, and cloud-hosted services before adversaries can. The primary focus is on web application and API penetration testing within a large, multi-tenant SaaS portfolio, including platforms processing sensitive PII and financial data. The engineer will conduct manual and automated security assessments, build attack tooling, and collaborate with engineering teams to validate fixes. A key aspect of this role involves leveraging AI tools to enhance reconnaissance, vulnerability discovery, exploit development, and reporting, as well as assessing AI-integrated features for security risks like prompt injection and model manipulation. Acrisure is an AI-first security organization, expecting this role to actively utilize AI tooling for offensive security outcomes. Success is measured by identifying vulnerabilities missed by scanners, proving exploitability to drive action, and contributing to more secure code shipping.

Requirements

  • 4+ years of hands-on experience in penetration testing, with a primary focus on web applications and APIs.
  • Deep understanding of web application vulnerabilities beyond OWASP Top 10 — including business logic flaws, authorization model weaknesses (IDOR/BOLA), race conditions, and authentication/session architecture attacks.
  • Experience testing multi-tenant SaaS applications and understanding tenant isolation patterns and failure modes.
  • Proficiency with web application testing tools: Burp Suite Professional, custom extensions, and manual testing methodologies.
  • Scripting and automation skills (Python, JavaScript, or similar) for exploit development, custom tooling, and test automation.
  • Working knowledge of cloud platforms (AWS and/or Azure) — enough to test cloud-hosted applications and understand IAM, networking, and service configurations.
  • Familiarity with source code review for security — ability to read and analyze application code (.NET/C#, Java, JavaScript/TypeScript, or Python) to identify vulnerabilities.
  • Experience producing professional penetration test reports with clear evidence, risk ratings, and remediation guidance.

Nice To Haves

  • Experience using AI/LLM tools for offensive security — automated recon, intelligent code review, payload generation, or AI-assisted exploit development.
  • Experience testing AI-integrated application features for prompt injection, model abuse, or agentic system vulnerabilities.
  • Familiarity with AI security frameworks: OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF.
  • Experience with .NET/C# application security — particularly ASP.NET Web API, Entity Framework, and common .NET authorization patterns.
  • Cloud penetration testing experience (AWS, Azure) — IAM exploitation, metadata service abuse, cross-account pivoting, serverless and container breakout.
  • Bug bounty experience (HackerOne, Bugcrowd) — as a researcher, triager, or program operator.
  • Experience building security validation into CI/CD pipelines for continuous testing.
  • Familiarity with MITRE ATT&CK (Enterprise + Cloud), PTES, or OWASP Testing Guide methodologies.
  • Relevant certifications: OSCP, OSWE, GWAPT, GPEN, eWPT, BSCP, or equivalent hands-on certifications. We value demonstrated skill over certification count.

Responsibilities

  • Conduct deep manual penetration tests against web applications, REST/GraphQL APIs, and microservices — focusing on authentication, authorization (IDOR/BOLA), session management, injection, and business logic flaws.
  • Perform source-code-assisted testing (grey-box/white-box) using access to application repositories to identify vulnerabilities that black-box testing misses.
  • Test multi-tenant isolation boundaries — proving or disproving cross-tenant data access, privilege escalation, and tenant-escape scenarios in SaaS platforms.
  • Assess authentication and session architectures: OAuth/OIDC flows, JWT handling, MFA bypass, token lifecycle, and session revocation effectiveness.
  • Validate authorization models end-to-end — from API gateway to data layer — identifying gaps where opt-in security filters can be bypassed or omitted.
  • Execute targeted assessments of high-risk application changes, new features, and integrations as part of the secure development lifecycle.
  • Use AI tools (LLMs, copilots, agentic frameworks) to accelerate vulnerability discovery, payload generation, reconnaissance, and report writing.
  • Build and maintain AI-assisted attack workflows — automated recon pipelines, intelligent fuzzing, pattern-based code review, and exploit chain analysis.
  • Assess AI-integrated application features for prompt injection, training data leakage, model manipulation, excessive agency, and insecure output handling (OWASP LLM Top 10).
  • Contribute to AI red-teaming exercises targeting LLM-powered features, chatbots, and agentic systems deployed across the enterprise.
  • Stay current on AI-driven offensive techniques and defensive evasion — and translate emerging research into practical testing methodologies.
  • Conduct penetration tests against cloud-hosted applications and services in AWS and Azure — including serverless functions, container workloads, and managed services.
  • Test cloud identity and access configurations — IAM policies, role assumptions, cross-account access, service principal permissions, and privilege escalation paths.
  • Assess API gateway configurations, WAF effectiveness, and network segmentation controls.
  • Identify attack paths from application-layer compromise to cloud infrastructure pivot — demonstrating real-world impact chains.
  • Build and maintain custom offensive tooling — scanners, exploit scripts, and validation frameworks tailored to the organization’s technology stack.
  • Develop repeatable, automated security validation tests that can be integrated into CI/CD pipelines for continuous assurance.
  • Produce clear, evidence-based penetration test reports with proof-of-concept exploits, risk ratings, and actionable remediation guidance.
  • Track and retest findings through remediation — validating fixes are effective and complete.
  • Contribute to the organization’s attack playbooks, TTPs documentation, and knowledge base.
  • Partner with AppSec engineers to translate offensive findings into defensive tooling improvements (SAST/DAST rules, ASPM policies).
  • Work with development teams during and after assessments — explaining vulnerabilities, demonstrating impact, and advising on secure design patterns.
  • Support bug bounty program triage and validation when external researchers report findings.
  • Participate in purple team exercises — working with detection engineering and SOC to validate monitoring coverage against real attack techniques.

Benefits

  • Comprehensive medical insurance
  • Dental insurance
  • Vision insurance
  • Life and disability insurance
  • Fertility benefits
  • Wellness resources
  • Paid sick time
  • Generous paid time off and holidays
  • Employee Assistance Program (EAP)
  • Complimentary Calm app subscription
  • Immediate vesting in a 401(k) plan
  • Health Savings Account (HSA) and Flexible Spending Account (FSA) options
  • Commuter benefits
  • Employee discount programs
  • Paid maternity leave
  • Paid paternity leave (including for adoptive parents)
  • Legal plan options
  • Pet insurance coverage