The Offensive Security Engineer is responsible for proactively identifying, validating, and helping remediate security weaknesses across the company’s SaaS platform, which includes multiple customer-facing web applications, APIs, backend microservices, and cloud-native infrastructure deployed across a multi-cloud environment.
This role works closely with Engineering, DevOps/DevSecOps, and Product teams to ensure that vulnerabilities are discovered early, reliably reproduced, documented, and remediated efficiently, with minimal impact to production systems or data.
The Offensive Security Engineer will help lead internal offensive security initiatives (e.g., Pentest), lead red team exercises, participate in blue or purple team exercises, assess emerging exploits, participate in incident response exercises when applicable, and assist in maturing the company’s security posture.
Perform authorized application security pentest on web apps, APIs, cloud infrastructure, and microservices.
Identify common classes of vulnerabilities (e.g., authentication/authorization weaknesses, logic flaws, input validation issues).
Validate findings and provide actionable guidance to engineering teams.
Conduct and contribute to threat modeling and design reviews.
Maintain the internal pentest framework and update it based on industry standards where applicable.
Assess Cloud/DevOps engineers to secure CI/CD pipelines.
Work with containerized workloads and serverless components.
Obtain a strong understanding of the company’s products and architecture to discover high-impact weaknesses.
Research emerging attacks/exploits and techniques relevant to multi-cloud, SaaS, or microservice architectures.
Scope and engineer red team exercises with defined flags, goals, and safety boundaries.
Partner with defensive teams during purple team engagements to improve detection and response.
Provide engineering teams with reproduction steps, risk context, and prescriptive remediation options (i.e., remediation written from a developer's point of view (POV))
Participate in security design discussions and architecture reviews.
Assist in automation of safe, controlled security testing (e.g., integrating SAST/DAST tooling, security checks within CI/CD).
Develop scripts or utilities to support secure testing workflows (not exploit tools).
Implement and test emergent exploit tooling to support ongoing changes in the threat landscape.
Maintain documentation for vulnerability assessments/pentest, retesting, and mitigation tracking in ITSM tooling.
Support SOC 2, ISO 27001, and customer security questionnaires by providing validated security test evidence and providing technical POV’s when necessary.

Requirements

Bachelor's degree in Cyber Security, Computer or Software Engineering, Computer Science, Security Engineering, Information Management, Information Science, or a related technical field preferred OR equivalent experience
One or more of the following certifications - ( required ) Offensive Security Certification: OSCP, OSEP, or OSWE Global Information Assurance Certification (GIAC): GXPN
5-10+ years of Offensive Security and Cloud Security experience
Demonstrated experience conducting network, web application, API, and cloud penetration tests across complex enterprise environments
Expert knowledge of OWASP Top 10 (including API)
Experience with OWASP Top 10 (LLM)
Experience in Cloud Vulnerability management, configuration, and validation using various tools across multi-cloud environments
Cloud-related certification in either AWS or GCP
Proficiency using both the AWS Management Console and the AWS Command Line Interface (CLI)
Experience mentoring junior personnel in offensive security practices
Expert with offensive security and vulnerability scanning tools and reporting
Expert with vulnerability management scoring methodologies
Strong hands-on expertise in developing proof-of-concept (PoC) exploits to validate real-world impact of discovered vulnerabilities
Expert knowledge of offensive security tools and frameworks (e.g., Burp Suite, ASVS, SANs top 25, Metasploit, BloodHound)
Proficiency in manual exploitation techniques, including authentication bypasses, privilege escalation, and lateral movement
Experience assessing and exploiting modern cloud and containerized environments (e.g., AWS, Azure, GCP, Kubernetes)
Solid understanding of secure coding flaws and vulnerability types (OWASP Top 10, business logic flaws, memory corruption)
Ability to write custom scripts or tooling in languages such as Python, Bash, or Go to support testing and exploitation
Subject Matter Specialist or Expert at validating detection and response capabilities through adversary emulation or purple team exercises
Proven ability to produce clear, actionable reports that translate technical findings for engineering teams, and into business risk and remediation guidance.

Benefits

📊 Check your resume score for this job Improve your chances of getting an interview by checking your resume score before you apply. Check Resume Score

Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools

penetration testingcloud securityvulnerability managementsecure codingproof-of-concept exploitsmanual exploitation techniquesthreat modelingincident responseautomation of security testingvulnerability assessment

Soft Skills

mentoringcommunicationcollaborationreport writingproblem solvingleadershipanalytical thinkingattention to detailadaptabilitycritical thinking

Certifications

OSCPOSEPOSWEGXPNAWS certificationGCP certification