Ethical Hacker / Offensive Security Engineer
We are looking for an Ethical Hacker / Offensive Security Engineer to strengthen our offensive security at StrangeBee.
In this role, you will identify, exploit, analyze, and help remediate vulnerabilities across our products, infrastructure, internal systems, and security processes. You will work closely with Engineering, Product, SOC, Compliance & Risk, and Infrastructure teams to embed security into our software development lifecycle and day‑to‑day operations.
You will also contribute to security culture, support incident investigations, train developers, conduct research, and help shape the offensive security roadmap. Your work will directly improve the security, resilience, and trustworthiness of our incident response platform used by security teams around the world.
Responsibilities
- Lead and perform offensive security assessments, including web application, API, infrastructure, cloud, and internal system penetration tests.
- Identify, exploit, document, and prioritize vulnerabilities with clear technical and business impact.
- Work closely with Engineering teams to help remediate vulnerabilities and improve secure development practices.
- Contribute to the Secure Development Lifecycle by integrating security reviews, threat modeling, secure coding guidance, and vulnerability management into engineering workflows.
- Support security incident investigations by providing offensive security expertise, attack path analysis, forensic reasoning, and adversarial thinking.
- Conduct vulnerability research on our products, dependencies, environments, and emerging attack techniques.
- Participate in CTFs, bug bounty‑style research, labs, and internal security challenges to continuously sharpen offensive capabilities.
- Build internal tools, scripts, PoCs, and automation to improve security testing, vulnerability analysis, and detection capabilities.
- Contribute to the security roadmap, in both run activities and build initiatives.
- Help improve vulnerability management processes: qualification, severity assessment, remediation tracking, validation, and reporting.
- Deliver security awareness sessions and hands‑on training for developers and technical teams.
- Promote a strong security culture based on collaboration, curiosity, pragmatism, and continuous improvement.
- Collaborate with SOC, Compliance & Risk, Infrastructure, Product, and Engineering teams to align offensive security work with business priorities and customer trust.
Success criteria (6 to 12 months)
- Performed several high‑quality offensive security assessments with clear, actionable, and well‑prioritized findings.
- Demonstrated strong autonomy in identifying, validating, documenting, and following up on vulnerabilities.
- Vulnerability reports are precise and useful for both engineering and leadership audiences.
- Contributed to improving remediation velocity and security awareness within Engineering teams.
- Helped strengthen the Secure Development Lifecycle through security reviews, threat modeling, or tooling.
- Delivered at least one meaningful internal security training, workshop, or awareness initiative.
- Contributed to the offensive security roadmap with concrete improvements, tooling, research, or process enhancements.
- Recognized by the team as a trusted, collaborative, and pragmatic teammate.
Requirements
Technical Skills
- Strong hands‑on experience in offensive security, penetration testing (including white box), vulnerability research, or bug bounty.
- Solid understanding of web application and API security, authentication, authorization, and common vulnerability classes.
- Good knowledge of OWASP Top 10, secure coding principles, threat modeling, and vulnerability management.
- Experience with offensive security tools: Burp Suite, Nmap, Metasploit, custom scripts, fuzzing, exploitation frameworks, or equivalent.
- Ability to write clear proof‑of‑concepts and technical reports.
- Good understanding of modern software architectures, CI/CD pipelines, cloud environments, containers, and infrastructure security.
- Ability to analyze vulnerabilities from both technical and business impact perspectives.
- Comfortable reading code and collaborating with developers on remediation.
- Experience with incident investigation, attack path analysis, or adversary simulation is a strong plus.
- Experience with CTFs, bug bounty programs, CVE research, exploit development, or security labs is a strong plus.
- Knowledge of SOC operations, detection engineering, compliance expectations, or security frameworks is appreciated.
Soft skills
- Excellent communication skills with both technical and non‑technical audiences.
- Strong autonomy, ownership, and analytical thinking.
- High curiosity and continuous learning mindset.
- Pragmatic approach: able to balance risk, business impact, and engineering constraints.
- Collaborative, humble, and comfortable giving and receiving feedback.
- Ability to drive security improvements constructively.