Lead offensive and defensive security initiatives by performing thorough penetration testing on products and cloud infrastructure across AWS and GCP. Operate within a multi-cloud environment featuring hybrid architectures that combine containers and virtual machines. Collaborate closely with fellow security engineers during critical pre-release testing phases to ensure a robust security posture.
Responsibilities
- Partner with a peer penetration tester to conduct comprehensive security assessments of products deployed across AWS and GCP environments.
- Analyze IAM policies, service configurations, and cloud-native permission models within the Control Plane.
- Perform dynamic testing on web interfaces and API endpoints in the Data Plane and Web UI.
- Evaluate the security of hybrid infrastructure environments that integrate containers and Virtual Machines.
- Triage identified vulnerabilities and develop clear, reproducible proof-of-concept demonstrations.
- Work with Product Teams to communicate risks and ensure understanding of necessary remediation steps.
- Leverage AI and Large Language Models to automate reconnaissance, generate attack scenarios, analyze configurations, and assist in drafting vulnerability reports.
- Monitor and manage external bug bounty reports, validate findings, and coordinate communication with security researchers.
Requirements
- Possess in-depth architectural knowledge of both GCP and AWS, with the ability to navigate fluidly between the two platforms.
- Conduct manual reviews of complex IAM and resource hierarchies.
- Use native APIs or modern Cloud Security Posture Management (CSPM) tools to verify security controls.
- Have proven experience auditing and securing managed container platforms such as GKE Autopilot, GKE Standard, EKS, and ECS, as well as self-hosted or unmanaged environments like Kubernetes, k3s, and OCI-runc.
- Demonstrate the ability to integrate AI and LLM tools like Gemini and Claude into penetration testing workflows to improve speed and coverage.
- Hold expert-level knowledge of web application security and offensive testing techniques.
- Show deep familiarity with OWASP Top 10 vulnerabilities, modern web framework exploitation, and API security including REST and WebSockets.
- Have extensive hands-on experience performing manual security assessments using tools such as Burp Suite Professional or OWASP ZAP.
- Understand browser security features including CSP, CORS, SameSite cookies, and Subresource Integrity.
- Apply secure patterns for authentication and authorization, including OAuth 2.0, OIDC, and JWT.
- Configure and audit security headers such as HSTS, X-Frame-Options, and Permissions-Policy.
- Identify sophisticated security flaws that go undetected by automated scanners.
- Validate security findings through development of proof-of-concept exploits.
- Deliver actionable remediation recommendations to engineering teams.
- Be proficient in Python, Go, or Bash to reduce manual effort and streamline tasks.
- Develop custom scripts and tools to automate vulnerability discovery, validate security controls, and improve testing efficiency.
- Have a solid understanding of Terraform and cloud-native deployment practices.
- Be able to interpret and audit complex HCL configuration files to detect misconfigurations prior to deployment.
- Produce high-quality technical reports that are clear and actionable for product development teams.
Nice to Have
- Familiarity with Gatekeeper policies and Binary Authorization is considered a strong advantage.
Tech Stack
AWS, GCP, GKE Autopilot, GKE Standard, EKS, ECS, Kubernetes, k3s, OCI-runc, Gemini, Claude, Burp Suite Professional, OWASP ZAP, Python, Go, Bash, Terraform, HCL, IAM, CSPM, REST, WebSockets, OAuth 2.0, OIDC, JWT
Benefits
- Competitive total compensation package including base salary and eligibility for stock-based compensation
- Eligibility for stock-based compensation grants based on company and individual performance
- Collaborative, inclusive, and positive work culture
- Opportunities to take initiative and implement new ideas
- Support for building a lasting impact within the organization
Compensation
Base salary range: 120,000 CAD - 210,000 CAD. Equity: Eligibility for stock-based compensation grants based on company and individual performance. Competitive total compensation and benefits package
Team
Part of the security team, working alongside Penetration Testers and Cloud Security engineers within a company growing from a base of 400 employees. Company values:
- Stay Aligned
- Get It Done
- Customer Empathy
- Think Creatively
- Help Each Other Out
Additional Information
- The company serves high-profile clients including Fortune 500 companies, 9 out of 10 of the largest global banks, and the Department of Defense.
- Menlo Security is backed by major investors such as Vista Equity Partners, General Catalyst, JPMC, American Express, HSBC, and Ericsson Ventures.
- The ideal candidate is ethical, highly organized, deeply committed to completing tasks, service-oriented, open to feedback, and confident in providing it.
- Employment decisions are based on merit, competence, performance, and business needs.
- The company does not accept unsolicited resumes from recruitment agencies without a prior agreement in place.
- Menlo Security is an equal opportunity employer and does not discriminate on the basis of race, color, religion, marital status, age, national origin, ancestry, physical or mental disability, medical condition, pregnancy, genetic information, gender, sexual orientation, gender identity or expression, veteran status, or any other protected status.