About the Role:The Offensive Security Engineer is a hybrid role combining hands-on penetration testing, adversary simulation, and security engineering. This position is responsible for proactively identifying, exploiting, and validating vulnerabilities while also partnering with engineering teams to design, implement, and improve security controls across the environment.
This position reports to our Cybersecurity Manager and is a hybrid role (3 days in office per week).
What You Will Be Doing:- Experience with leveraging components of a modern software development stack to attack companies, including CI, container orchestration systems (Kubernetes/Docker), cloud providers (AWS), and be able to give hardening suggestions.
- Conduct offensive security engagements, including Red Team operations, threat-based evaluations, and vulnerability research and exploitation against both internal and external-facing systems.
- Plan and execute black-box, grey-box, and white-box web application penetration tests against RunBuggy production and staging environments.
- Maintain tooling (Burp, Metasploit, C2 frameworks, custom scripts) for exploitation, detection validation, and security assessments.
- Conduct API security testing (REST, GraphQL) including authentication bypass, injection, broken object-level authorization (BOLA/IDOR), and business logic flaws.
- Perform cloud configuration reviews (AWS) and assess infrastructure-level exposure where it intersects with web application attack surfaces.
- Produce clear, risk-ranked findings reports with reproducible proof-of-concept and actionable remediation guidance for both technical and non-technical audiences.
- Collaborate with engineering to validate fixes and re-test remediated vulnerabilities.
- Perform social engineering exercises (phishing, credential harvesting), where applicable.
- Contribute to bug bounty triage, third-party assessment coordination, and security tooling selection.
- Support compliance efforts (SOC 2, PCI DSS) by providing evidence and attestation tied to pen test scope and outcomes.
- Stay current on emerging attack techniques and translate threat intelligence into test cases relevant to RunBuggy's stack.
- Other duties as assigned.
Requirements
What You Bring to the Team by Way of Skills and Experience:- Bachelor's degree in Cybersecurity or related field required.
- 3+ years of hands-on web application penetration testing experience in a professional or consulting capacity.
- Passion and demonstrated experience for challenging security assumptions.
- Deep familiarity with MITRE ATT&CK, OWASP Top 10, OWASP API Security Top 10, and OWASP Top 10 for LLMs.
- Proficiency with standard tooling: Burp Suite, OWASP ZAP, Nmap, Metasploit, SQLmap, Nikto.
- Demonstrated ability to exploit and document authentication/authorization flaws, injection vulnerabilities, XXE, SSRF, deserialization issues, and insecure direct object references.
- Strong written communications: findings reports must be usable by both developers and executives.
- Experience testing RESTful and/or GraphQL APIs.
- Experience with AWS environment security assessment (IAM misconfiguration, S3 exposure, Lambda attack surface).
- Scripting proficiency in Python, Bash, or JavaScript for custom tooling and automation.
- Familiarity with automotive, logistics, or fintech regulatory requirements (PCI DSS, SOC 2 Type II).
- Prior experience in a startup or high-growth SaaS environment where speed and security have to coexist.
Certificates, Licenses, and/or Registrations:- OSCP, GWAPT, eWPT, or equivalent. CEH is accepted but is less weighted than practical certs.
What is in it for You and Why you Should Apply:- Market-competitive pay based on education, experience, and location.
- Highly competitive medical, dental, vision, Life w/ AD&D, Short-Term Disability insurance, Long-Term Disability insurance, pet insurance, identity theft protection, and a 401(k) retirement savings plan.
- Employee wellness program.
- Employee rewards, discounts, and recognition programs.
- Generous company-paid holidays (12 per year), vacation, and sick time.
- Paid paternity/maternity leave.
- Monthly connectivity/home office stipend if working from home 5 days a week.
- A supportive and positive space for you to grow and expand your career.
Pay Range Disclosure: The advertised range represents the expected pay range for this position at the time of posting based on education, experience, skills, location, and other factors.
Salary Description
$100,000 to $120,000/yr. DOE
