Offensive Security Engineer

Remote - US

HashiCorp is a fast-growing startup that solves development, operations, and security challenges in infrastructure so organizations can focus on business-critical tasks. We build tools to ease these decisions by presenting solutions that span the gaps. Our tools manage both physical machines and virtual machines, Windows and Linux, SaaS and IaaS, etc. Our open source software is used by millions of users to provision, secure, connect, and run any infrastructure for any application. The Global 2000 uses our enterprise software to accelerate application delivery and drive innovation through software.

We're looking for Offensive Security Engineers to join our Vulnerability Research & Red Team. This team will help HashiCorp through vulnerability discovery, disclosure and mitigation in our products, services, infrastructure and ecosystem. This person will be responsible for leading adversarial threat modeling, penetration tests and security reviews for HashiCorp products and services. You will be responsible for discovering vulnerabilities at HashiCorp and in its products and services, and for conducting threat modeling exercises on the people, processes and technologies that make up our products and services. You will also design red team exercises in collaboration with other security teams to help improve our security incident response program.

As a member of our Red Team, you’ll be responsible for ensuring that HashiCorp's products, services and processes are continuously tested and ready for an attack from threat actors. You’ll be working with the team to focus on the systems, services and processes that protect HashiCorp’s most valuable resources, and communicating with internal and external stakeholders as needed.

Engineering at HashiCorp is largely a remote team. While prior experience working remotely isn't required, we are looking for team members who perform well given a high level of independence and autonomy.

HashiCorp embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. We believe the more inclusive we are, the better our company will be.

In this role, your responsibilities will include:

  • Document and model our infrastructure from an attacker's perspective
  • Build tooling to automate this and use this model to inform and drive our assessments
  • Perform scoped and open-ended assessments on internal and external facing systems
  • Perform research to identify new ways of achieving your mission, with an emphasis on open-sourcing wherever possible
  • Collaboratively define threat models, scope, and prioritize offensive security engagements. Integrate offensive security into the security development lifecycle
  • Research, reproduce and respond to various security vulnerabilities reported to HashiCorp
  • Conduct attacks and emulate attack campaigns to mimic adversarial tactics, techniques and procedures.
  • Participate in blue / purple-team exercises to improve efficacy of internal security programs
  • Develop training programs on security-related topics such as threat modeling and secure coding for larger engineering teams
  • Apply and improve automated vulnerability discovery infrastructure in collaboration with Product Security teams
  • Demonstrated experience in leading vulnerability research, penetration testing, reverse engineering, application and infrastructure security.
  • Assist CSO & other leadership to develop strategic plans and long-term roadmaps
  • Partner with other engineering teams to address challenges related to a broad spectrum of threat actors.
  • Research emerging attack vectors and techniques 
  • Design / conduct CTF exercises for training and awareness of security and operational teams

Must-Have Qualifications

  • 3-5+ years of work experience in security assessment of applications, network systems, protocols, cloud and infrastructure
  • Experience in tailored reconnaissance, weaponization, exploitation and lateral movement
  • Deep knowledge of Application, Web and Network penetration testing techniques 
  • Application analysis (fuzzing, reverse engineering, code analysis)
  • Demonstrated technical experience across related security disciplines e.g. appsec, intrusion detection and response, network security, infrastructure security, etc
  • Familiarity with securing cloud services running in modern cloud environments
  • Ability to prioritize and track multiple projects in parallel
  • Previous experience working in collaborative Red Teams.

Desired Qualifications

  • Published Security advisories, vulnerability research and bug bounties
  • Experience implementing and scaling security programs in a startup environment
  • Speaking / publishing in Tier 1 security conferences 
  • Experience reviewing source code for control flow and security flaws
  • Publicly released tools or modules


Did we miss something?

Do you believe you'd be a great fit for this role, but the description above doesn't quite match your skills or experience? We'd still like to hear from you.
