Job Description Summary
The Offensive Security Team is seeking a highly skilled Red Team Operator to help plan and execute authorized, threat-informed offensive security operations across Lowe's enterprise, cloud, identity, endpoint, and retail technology environments. This role will focus on realistic adversary emulation, initial access, C2 infrastructure, operational security, endpoint telemetry, evasion research, Active Directory, cloud identity, and offensive tooling.
The ideal candidate is a disciplined offensive security professional who can safely emulate modern adversary behavior, identify meaningful attack paths, and translate findings into actionable improvements for detection engineering, security operations, incident response, infrastructure, cloud, and identity teams. This role requires strong technical depth, sound judgment, clear communication, and the ability to operate ethically and professionally in sensitive environments.
This position will play a key role in strengthening Lowe's ability to prevent, detect, respond to, and recover from advanced cyber threats while helping improve the company's overall security posture through red team operations, purple team collaboration, control validation, and executive-ready reporting.
Key Responsibilities- Plan, scope, and execute authorized red team and adversary emulation operations across enterprise, cloud, identity, endpoint, application, and retail technology environments.
- Conduct realistic initial-access scenarios aligned to approved rules of engagement, including external attack surface testing, phishing simulation, identity abuse, public-facing application exploitation, SaaS/cloud footholds, and other authorized access paths.
- Design, deploy, operate, and safely decommission C2 infrastructure used during approved red team operations.
- Maintain strong operational security practices across tooling, infrastructure, logging exposure, operator behavior, payload safety, engagement deconfliction, and post-operation cleanup.
- Develop, modify, test, and review offensive tooling, payloads, automation, and tradecraft in controlled and authorized environments.
- Conduct endpoint telemetry and evasion research to understand how security controls detect, block, or miss adversary behavior.
- Identify and validate attack paths involving Active Directory, ADCS, Kerberos, privileged access, trust relationships, Microsoft Entra ID, cloud IAM, SaaS platforms, and endpoint controls.
- Partner with Detection Engineering, SOC, Threat Hunting, and Incident Response teams to improve visibility, alerting, response playbooks, and control effectiveness.
- Translate red team findings into clear technical reports, executive summaries, attack narratives, detection gaps, and prioritized remediation recommendations.
- Map adversary behaviors, findings, and emulation plans to common frameworks such as MITRE ATT&CK.
- Support purple team exercises that validate detection logic, response workflows, and defensive control improvements.
- Stay current on adversary tradecraft, offensive security research, cloud and identity attack paths, endpoint security capabilities, and emerging defensive technologies.
- Mentor other offensive security team members and contribute to the development of repeatable methodologies, lab environments, tooling standards, and operational processes.
Required Qualifications- Bachelor's Degree in Computer Science, CIS, Engineering, Business Administration, Cybersecurity, or related field (or equivalent work or military experience in a related field)
- 4 years of experience in information security
- Intermediate understanding of fundamental security and network concepts (Windows and Unix security: OS lockdown; logging and monitoring; application security; user access; perimeter protection principles, network communication rules; intrusion detection and analysis methods; etc.).
Preferred Qualifications- 6+ years of hands-on offensive security experience, including at least 4+ years conducting full-scope red team or adversary emulation operations in enterprise environments. Equivalent demonstrated capability may substitute for strict year requirements.
- Demonstrated experience planning and executing authorized initial-access operations across one or more of the following: phishing simulation, external attack surface exploitation, public-facing application exploitation, identity abuse, SaaS/cloud footholds, or trusted third-party/supply-chain-style scenarios.
- Strong understanding of OPSEC for red team operations, including infrastructure separation, engagement deconfliction, logging discipline, payload safety, operator attribution control, burn procedures, and clear rules of engagement.
- Advanced experience with C2 infrastructure design and operations, including staging, redirector concepts, operator workflows, infrastructure lifecycle management, detection exposure reduction, and post-engagement teardown.
- Hands-on experience with endpoint security telemetry and evasion research in authorized lab or enterprise testing environments, including the ability to reason about EDR/AV behavior, security logs, SIEM visibility, and detection opportunities without relying only on public tools.
- Technical ability to develop, modify, or review offensive tooling using at least one scripting language such as Python or PowerShell and at least one systems or compiled language such as C, C++, C#, Go, or Rust.
- Experience with payload, implant, or agent development in authorized environments, including safe execution controls, error handling, logging awareness, operator control, and post-operation cleanup.
- Deep understanding of Windows enterprise attack paths, including Active Directory, Kerberos, ADCS, delegation, trusts, privileged access, endpoint hardening, and identity-based lateral movement.
- Working knowledge of cloud and SaaS attack paths, especially Microsoft Entra ID/Azure, Google Cloud, Google Workspace, OAuth/application consent, IAM misconfiguration, service accounts, and cloud logging.
- Ability to map operations to MITRE ATT&CK and produce actionable outputs for blue teams, including detection gaps, control weaknesses, attack-path narratives, and remediation recommendations. MITRE specifically describes ATT&CK as a common language and framework for red teams to emulate specific threats and plan operations.•
- Excellent written and verbal communication skills, with the ability to brief technical operators, SOC analysts, engineering teams, and leadership
