Job Openings Penetration Tester / Red Team

About the job Penetration Tester / Red Team

We are seeking a highly skilled Web & API Security Engineer with strong offensive security expertise. This is a hands-on role where you'll identify and exploit vulnerabilities in modern web applications and APIs, simulate real-world attacks, and collaborate with engineering teams to strengthen defenses. If you thrive on manual testing, creative problem-solving, and thinking like an adversary, this role is for you.

What You'll Do:

Perform manual penetration testing of production-grade web apps and APIs (REST, GraphQL, gRPC).

Identify advanced vulnerabilities beyond standard CVEs such as logic flaws, authentication bypasses, and chained exploits.

Simulate adversarial behavior and design realistic attack paths.

Assess and bypass security controls, including WAFs, rate limits, and token-based authentication systems.

Explore edge cases and abuse scenarios that automated tools often miss.

Deliver clear, actionable documentation to engineering teams to enable fast remediation.

Operate with full autonomy over your testing strategy, tools, and targets.

What We're Looking For:

Proven experience in manual penetration testing of web applications and APIs.

Strong understanding of HTTP, cookies, sessions, JWTs, CORS, and authentication flows.

Expertise in AuthN/AuthZ vulnerabilities (e.g., OAuth abuse, IDOR, BOLA, SSO bypass).

Familiarity with API-specific attack vectors: schema enforcement issues, replay attacks, parameter pollution.

Proficiency with tools such as Burp Suite Pro, Postman, ffuf, sqlmap, jwt_tool, mitmproxy.

Scripting ability in Python or Bash for building PoCs or automation.

A strong threat modeling mindset: you think in terms of abuse cases, not just known CVEs.

Ideal Traits

Operates independently with a red-team mindset.

Shows extreme ownership and attention to detail.

Thrives in a fast-paced, high-accountability environment.

Passionate about uncovering the unexpected and making products safer.