Staff Engineer, Offensive Security

📋 Description

• • As a Staff Engineer, Offensive Security at Twilio Inc., you will operate at the forefront of cybersecurity, acting as a crucial Technical Lead within the security team. Your role transcends traditional bug hunting; you will be instrumental in designing and executing complex attack chains that expose systemic risks across Twilio's vast technological landscape. This position demands a deep dive into both offensive and defensive security strategies, requiring you to spend significant time writing custom code, researching novel bypass techniques, and meticulously executing tests to ensure the robustness of our systems.
• • You will be responsible for comprehensive Full-Stack Penetration Testing, meticulously examining web applications, APIs, and mobile applications (iOS/Android) for vulnerabilities. This includes both manual testing methodologies and the strategic application of automated tools to identify weaknesses.
• • Your expertise will extend to Internal and External Network Audits, where you will conduct thorough assessments of network infrastructure and cloud environments using a diverse array of specialized tooling.
• • A key responsibility involves Vulnerability Validation, where you will triage and validate reports from automated scanners and bug bounty hunters. This critical step ensures the accuracy of findings, filters out false positives, and prioritizes the escalation of genuine, high-impact vulnerabilities.
• • In an era of rapidly evolving AI, you will perform initial AI/LLM Probing, conducting prompt injection and jailbreak tests on AI prototypes, services, and applications. You will leverage established checklists, such as the OWASP Top 10 for LLMs, to systematically assess the security posture of these advanced systems.
• • You will be tasked with Technical Reporting, crafting high-quality, detailed reports that clearly articulate the "path to compromise." These reports will provide developers with clear, reproducible steps to understand and remediate identified vulnerabilities.
• • Maintaining and enhancing the team's testing infrastructure is also part of your remit. This includes managing and updating essential tools like Burp Suite Professional and basic C2 listeners, ensuring the team has the most effective resources at its disposal.
• • You will provide direct Remediation Support to engineering teams, offering expert technical guidance on how to effectively patch critical vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and Insecure Direct Object References (IDOR).
• • A significant aspect of this role involves Adversary Emulation. You will design and lead multi-week Red Team operations, meticulously mimicking the tactics, techniques, and procedures (TTPs) of specific threat actors (APTs) to rigorously test the detection capabilities of our Security Incident Response Team (SIRT).
• • Custom Exploit Development will be a core activity, where you will build custom payloads, droppers, and obfuscated scripts designed to bypass Endpoint Detection and Response (EDR) and Antivirus (AV) solutions, maintaining stealth during simulated attacks.
• • You will contribute to AI Red Teaming Architecture by building automated testing frameworks for AI systems. This may involve utilizing tools like PyRIT, Promptfoo, or Garak to systematically test AI models for vulnerabilities related to sensitive data leakage and other AI-specific security concerns.
• • Your responsibilities will include executing sophisticated Cloud & Infrastructure Attacks against platforms like AWS, Azure, and Kubernetes, with a specific focus on identifying and exploiting IAM misconfigurations and container escape vulnerabilities.
• • You will actively participate in Purple Teaming exercises, collaborating closely with SIRT and Detection Engineering teams to fine-tune SIEM alerts based on the techniques observed and employed during offensive engagements.
• • Finally, you will provide strategic oversight for the organization's bug bounty program. This involves analyzing submission trends to identify recurring security weaknesses and proactively suggesting broad architectural security changes to prevent future incidents.