Run a Federal Burp Suite Enterprise Program - Remote
Bring your own Burp extensions. We'll hand you the keys to the program.
The Pitch
Most AppSec jobs hand you a queue. This one hands you a program. phia is hiring a Lead Application Security Engineer to drive the dynamic application security testing (DAST) program for a federal civilian client operating one of the more complex enterprise environments in government - a large attack surface with real, persistent cyber adversary activity, where application security is treated as mission, not paperwork.
You'll join a four-person skunk-works AppSec team - two highly technical federal engineers and two contractors - that owns its entire stack end to end: self-managed Linux servers in AWS, Burp Suite Enterprise running nightly authenticated scans across multiple environments, Burp Suite Professional for hands-on validation, custom extensions the team writes itself, GitHub Actions pipelines, and an active migration to OpenShift with Ansible. No ticket mills. No layers of approval between you and the work. The federal technical lead is a Linux/*nix engineer's engineer who wants a peer who can drive the conversation - and back it up on the keyboard.
What You'll Own
- The Burp Suite Enterprise program, full stack. Architect, operate, and continuously improve scheduled authenticated DAST scanning - recorded login sequences, session handling, scan tuning, and failure diagnosis through logs and traces, not dashboards.
- Custom Burp extension development. Write and maintain extensions (Python/Jython or Java/Montoya API) that solve authentication, validation, and workflow problems off-the-shelf tooling can't.
- Authenticated scanning against hard targets. MFA, one-time passwords, OAuth 2.0 (you know why client credentials beat authorization code for unattended scanning), SSO federation, and PIV/smart-card certificate environments.
- Manual validation in Burp Suite Professional. Verify remediations, kill false positives with evidence, and defend findings to a technical audience that will push back.
- Technical leadership across teams. Lead and drive discussions with DevOps, platform, and identity stakeholders outside the security team - you set direction, build consensus, and bring solutions, not status updates.
- The infrastructure underneath it all. Administer the team's Linux servers in AWS (EC2, CloudFormation), support the migration to OpenShift, and convert legacy Python/shell tooling into Ansible roles and playbooks.
- CI/CD security integration. GitHub Actions workflows (yes, you should know workflow_dispatch from workflow_call), Dependabot, and reusable security gates across repositories.
What We Need From You
- 8+ years in engineering/security, with deep, recent, hands-on Burp Suite Enterprise and Burp Suite Professional operations - you have configured authenticated scans, not just reviewed their output
- Demonstrated experience writing or significantly modifying custom Burp extensions (Python/Jython, Java, or Montoya API)
- Strong Linux/Unix command-line fluency - comfortable diagnosing services, disk, memory, and network from a shell, daily
- Python and Bash scripting; Ansible exposure; experience with Docker/Kubernetes (OpenShift a plus) and AWS
- Experience integrating security tooling into GitHub Actions or comparable CI/CD pipelines
- Proven technical leadership: you have driven programs or technical decisions across teams and can hold your own - energetically - in a room of senior engineers
- An active, visible interest in AppSec and DevSecOps research: you test new techniques, follow the field, and bring ideas to the team unprompted
- U.S. citizenship and the ability to complete federal Public Trust vetting (no security clearance required)
What Sets Candidates Apart
- Published Burp extensions (BAppStore or GitHub), conference talks, blog posts, or open-source security tooling
- Experience scripting around OTP/TOTP, PIV, or certificate-based authentication for automated scanning
- Veracode SAST, Contrast IAST, or bug bounty validation experience (HackerOne or similar)
- Prior federal or regulated-environment AppSec work (NIST 800-53 / FISMA familiarity)
Logistics
- Fully remote, full-time, supporting a federal civilian client (client team is on-site; contractors are remote)
- 8.5-hour workday anchored by an 8:30 AM ET daily standup - flexible around that rhythm
- U.S. citizens only; Public Trust vetting required
phia offers excellent benefits to enhance work-life balance, including the following:
- Medical Insurance
- Dental Insurance
- Vision Insurance
- Life Insurance
- Short-Term & Long-Term Disability
- 401k Retirement Savings Plan with Company Match
- Paid Holidays
- Paid Time Off (PTO)
- Tuition and Professional Development Assistance