WebApp Offensive Security Engineer

Horizon3 AI
$196,000 - $242,000 (Remote)

About The Position

Horizon3.ai is seeking a WebApp Offensive Security Engineer with deep, hands-on web application penetration testing experience to enhance their autonomous testing capabilities. This role involves testing real customer web applications using the NodeZero platform as a starting point, identifying and exploiting edge cases, novel attack chains, and business-logic flaws that automated testing may miss. The engineer will work closely with software engineers to translate these discoveries into product improvements, ensuring durable product coverage for all customers. This is a pentesting-first role focused on offensive expertise to test live customer applications, find gaps, demonstrate them, and partner with engineering to close those gaps. The ideal candidate loves breaking real web apps manually, finds satisfaction in discovering what scanners miss, and wants their skills to scale to thousands of customers through the product.

Requirements

  • Extensive hands-on experience conducting full-scope web application penetration tests.
  • Deep, practical knowledge of common and not-so-common web vulnerability classes — SQL injection, XSS (reflected, stored, and DOM-based), SSRF, SSTI/CSTI, IDOR/BOLA, authentication and authorization bypass, path traversal, LFI, and similar — including how to chain them to demonstrate impact.
  • A talent for finding and exploiting business-logic and edge-case flaws that automated scanners routinely miss.
  • Strong command of proxy tools like Burp Suite and browser developer tools.
  • Comfort scripting to reproduce findings and build proof-of-concept exploits (e.g., Python or similar) — you don't need to be a professional software engineer, but you should be able to write and read code well enough to demonstrate an exploit and collaborate effectively with engineers.
  • Ability to clearly communicate attack steps, impact, and remediation guidance to both engineers and non-technical stakeholders.
  • Curiosity about emerging AI technologies and comfort using AI-assisted tools in your testing and research workflow.
  • Strong written and verbal communication, including technical documentation.
  • Ability to manage multiple priorities, work independently, and mentor teammates of varying experience levels.
  • Quick to learn and adopt new technologies, frameworks, and target stacks as needed.
  • History of recognized security research, including documented CVE discoveries and responsible disclosure.
  • Track record of successful bug bounty contributions.

Nice To Haves

  • Familiarity with how autonomous, agentic, or AI-driven pentesting tools work — and a sharp instinct for where and why they fail.
  • Experience writing detection or attack content (e.g., Nuclei templates, sqlmap tamper scripts, custom Burp extensions).
  • Enough software development background to collaborate fluently with engineers on remediation and product coverage.
  • Familiarity with relational and graph databases, particularly Postgres and Neo4j.
  • Experience with AI/LLM tools for building agentic workflows (e.g., LangChain, LangFlow) and integrating contextual data using protocols like Model Context Protocol (MCP).
  • A portfolio of novel web application research, exploits, or edge-case findings you can walk us through.
  • Demonstrated examples of using AI to enhance or accelerate your testing and exploit development.
  • OSCP, OSWE, or comparable offensive security certifications.

Responsibilities

  • Perform hands-on, full-scope web application penetration tests against real customer applications, alongside benchmark and lab targets, to surface vulnerabilities and attack paths.
  • Review NodeZero results on live customer engagements to identify coverage gaps, blind spots, and missed opportunities — the edge cases and corner-case attack scenarios that autonomous testing doesn't yet handle.
  • Manually reproduce and validate those edge cases, building reliable, production-safe proof-of-concept exploits and clear test cases that demonstrate the gap end to end — including against live customer environments without disrupting them.
  • Partner closely with software engineers to translate your findings into product improvements — defining detection logic, attack content, expected behavior, and remediation so NodeZero handles those cases going forward.
  • Build and maintain a library of regression and benchmark test cases so newly added coverage doesn't silently regress over time.
  • Monitor production pentests for missed findings and false positives; create and triage Jira tickets to drive issues to resolution.
  • Work directly with customers and internal teams to investigate findings, explain attack paths, and address questions about web application coverage and results.
  • Author technical blog posts and research write-ups showcasing new exploits, edge cases, and attack methodologies.
  • Mentor teammates and contribute to continuous improvement of team processes, methodology, and testing standards.

Benefits

  • Health, vision & dental insurance for you and your family
  • A flexible vacation policy
  • Generous parental leave
  • Competitive salary
  • Equity package in the form of stock options
© 2026 Teal Labs, Inc