8 - 11 years
0 - 3 Lacs
Posted: 1 day ago
Work from Office
Full Time
Job Title: Sr. Principal Security Engineer
Team: Product Security / Offensive Security
Job Summary:
We are seeking a highly experienced and technically proficient Sr. Principal Security Engineer to lead the offensive security efforts for our applications and platforms.
This role is a hands-on, individual contributor position focused on proactive threat emulation, vulnerability research, and full-scope red team operations. You will be responsible for identifying and exploiting complex vulnerabilities across our web applications, APIs, and cloud infrastructure, while simultaneously acting as the top-tier subject matter expert to mentor developers and integrate advanced security controls into the CI/CD pipeline.
Responsibilities:
Adversary Simulation & Red Team Operations: Plan and execute sophisticated red team operations and adversary emulation exercises to test the resilience of our applications, infrastructure, and defensive capabilities.
Advanced Penetration Testing: Conduct comprehensive, manual penetration tests and vulnerability assessments, with a focus on discovering business logic flaws and zero-day vulnerabilities in web applications, APIs, and microservices.
Secure Development Lifecycle: Embed security into the SDLC by performing in-depth code reviews, leading threat modeling workshops (e.g., using STRIDE or PASTA), and providing technical guidance to development teams on remediation of OWASP Top 10 and other critical security issues.
Security Tooling & Automation: Evaluate, integrate, and manage advanced security testing tools (e.g., Burp Suite Enterprise, SAST, DAST, and SCA) into the CI/CD pipeline to automate security checks and maintain continuous security posture.
Vulnerability Research: Stay current with the latest exploits, attack vectors, and security research. Develop custom exploits and scripts using languages like Python or Go to simulate real-world attacks.
Required Qualifications:
Experience:
7-10+ years of progressive experience in cybersecurity, with at least 3 years in a dedicated offensive security, red team, or advanced penetration testing role.
Demonstrated experience with a wide range of attack methodologies and a proven track record of discovering and exploiting complex vulnerabilities.
Technical Expertise:
Expert-level proficiency with manual penetration testing tools, including Burp Suite Professional, Metasploit, and Cobalt Strike.
Strong practical knowledge of exploit development, reverse engineering, and hands-on experience with at least one scripting language (Python, Go, JavaScript, or Bash).
In-depth understanding of web application vulnerabilities, including the OWASP Top 10, CWE, and CVE databases.
Experience securing cloud environments (AWS, Azure, GCP) and working with containerization technologies (Docker, Kubernetes). Familiarity with both dynamic and static application security testing (DAST and SAST) methodologies.
Soft Skills & Education:
Exceptional problem-solving, analytical, and critical-thinking skills.
Excellent communication and mentoring skills, with the ability to explain complex technical vulnerabilities to both technical and non-technical audiences.
Certifications (Highly Desired):
Offensive Security Certified Professional (OSCP)
Offensive Security Certified Expert 3 (OSCE3)
GIAC Penetration Tester (GPEN) or GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
eLearnSecurity Web Application Penetration Tester eXtreme (eWPTXv2)
CISSP
Highradius