Senior Security Engineer (Pen Tester)

Menlo Security

31d

About The Position

Menlo Security's mission is enabling the world to connect, communicate and collaborate securely without compromise. COVID-19 has made our mission all the more real. We support customers across various enterprises including Fortune 500 companies, 9/10 of the largest global banks and the Department of Defense. The world has fundamentally changed. We are growing from 400 employees into the next phase of our journey, and we need passionate talent filled with empathy and agility. The right candidate for the job is ethical, hyper-organized, fanatical about seeing things through to completion, service-oriented, and humble enough to take feedback and coaching yet confident enough to provide feedback and coaching. Menlo is well-funded for growth and our investors are second to none. They include Vista Equity Partners (“Vista”), General Catalyst, JPMC, American Express, HSBC, and Ericsson Ventures. Role Overview We are seeking a forward-thinking Security Engineer to join our team, focusing on offensive and defensive security, the penetration testing of product features, and the cloud architecture supporting the product. In this role, you will operate across a complex, multi-cloud environment (AWS & GCP) comprising both traditional VMs and modern managed and unmanaged container-based architectures. In this focused role, you will partner with other security (Penetration Tester and Cloud Security) engineers to execute targeted assessments during specific windows of the product testing phase immediately prior to release. Success requires you to stay synchronized with the product roadmap and develop a deep technical mastery of new features, enabling you to independently configure environments and test thoroughly within tight timelines. Your responsibilities extend beyond the application layer to the Control Plane, where you will conduct rigorous infrastructure reviews to ensure that cloud configurations, IAM policies, and orchestration layers meet our security baselines. Your operational cadence is built on speed: you must identify, validate, and report vulnerabilities quickly to maintain release velocity. Additionally, you will serve as the frontline for external defenses, monitoring bug bounty pipelines and external reports to triage and respond to findings with professional precision.

Requirements

Multi-Cloud Fluency: Demonstrate a deep architectural understanding of GCP and AWS . You should be capable of pivoting seamlessly between providers, performing manual configuration reviews of complex IAM/Resource hierarchies, and leveraging native APIs or modern CSPM frameworks to validate security controls.
Container Security: Proven experience auditing and hardening managed container services (GKE Autopilot/Standard, EKS, ECS) and self-hosted/unmanaged workloads (K8s, k3s, OCI-runc). Experience with Gatekeeper policies, and Binary Authorization would be considered an asset.
AI Tooling: Demonstrated ability to integrate AI/LLM tools (e.g., Gemini, Claude) into the pentesting lifecycle to increase speed and coverage.
Web Application Security: Expert-level knowledge of web application security principles and offensive testing methodologies, with deep proficiency in OWASP Top 10 vulnerabilities, modern web framework exploitation, and API security (REST, WebSockets). Extensive hands-on experience conducting manual security assessments using Burp Suite Professional, OWASP ZAP, or similar tooling. Strong understanding of browser security mechanisms (CSP, CORS, SameSite cookies, Subresource Integrity), secure authentication/authorization patterns (OAuth 2.0, OIDC, JWT), and security header configurations (HSTS, X-Frame-Options, Permissions-Policy). Proven ability to identify complex security flaws beyond automated scanner detection, validate findings through proof-of-concept development, and provide actionable remediation guidance to engineering teams.
Security Automation: Proficiency in Python, Go, or Bash to eliminate "toil." You are expected to write custom scripts and tooling to automate vulnerability discovery, validate security controls, and streamline your own testing workflows.
Infrastructure as Code: Solid grasp of Terraform and cloud-native deployment patterns. You can interpret and audit complex HCL files to identify misconfigurations before they are provisioned.
Communication: Ability to write high-quality technical reports that Product Teams can easily understand and act upon.

Responsibilities

Collaborative Penetration Testing (AWS & GCP): Work in tandem with a peer pentester to conduct deep-dive penetration tests of our products across our multi-cloud environment.
Control Plane: Review IAM policies, service configurations, and cloud-native permission structures.
Data Plane & Web UI: Execute dynamic testing against web interfaces and API endpoints.
Infrastructure Review: Assess the security posture of a hybrid infrastructure that mixes containers and Virtual Machines (VMs) infrastructures.
Vulnerability Reporting & Advisory: Triaging findings and creating clear, reproducible proofs-of-concept (PoCs). Collaborating with Product Teams to explain the risk. You may not be responsible for writing the fix or remediating the issue; your role is to ensure the product team understands what to fix.
AI-Augmented Security Assessments: Actively utilize AI and Large Language Models (LLMs) to automate reconnaissance, generate attack vectors, analyze configurations, and draft vulnerability reports. Fluency in prompt engineering for security contexts is essential.
Pipeline Management: Monitor bug bounty pipelines and external reports, validating findings and managing researcher communication

Stand Out From the Crowd

Upload your resume and get instant feedback on how well it matches this job.

Upload and Match Resume