
WebApp Offensive Security Engineer

Job Overview

Location

US, Remote

Job Type

Full-time

Category

Software Engineering

Date Posted

June 13, 2026

Full Job Description

📋 Description

  • Perform hands-on, full-scope web application penetration tests against real customer applications, benchmark targets, and lab environments to identify vulnerabilities and attack paths.
  • Review NodeZero platform results on live customer engagements to detect coverage gaps, blind spots, and missed edge-case attack scenarios that automated testing fails to identify.
  • Manually reproduce and validate complex vulnerabilities, including SQL injection, XSS (reflected, stored, DOM-based), SSRF, SSTI/CSTI, IDOR/BOLA, authentication bypass, path traversal, and LFI, demonstrating end-to-end exploit chains against live environments without disruption.
  • Develop reliable, production-safe proof-of-concept exploits and clear test cases that illustrate gaps in NodeZero’s autonomous testing capabilities.
  • Partner directly with software engineers to translate manual findings into durable product improvements, defining detection logic, attack content, expected behavior, and remediation guidance for automated coverage.
  • Build and maintain a library of regression and benchmark test cases to ensure newly added detection capabilities do not regress over time.
  • Monitor production pentest results for missed findings and false positives, creating and triaging Jira tickets to drive resolution with engineering teams.
  • Work directly with customers and internal teams to explain attack paths, clarify web application coverage, and address technical questions regarding NodeZero results.
  • Author technical blog posts and research write-ups detailing novel exploits, edge-case methodologies, and offensive security insights.
  • Mentor teammates and contribute to the continuous improvement of team testing standards, methodologies, and documentation practices.
  • Stay current with emerging AI technologies and integrate AI-assisted tools into testing and research workflows to enhance efficiency and discovery.
  • Communicate attack steps, impact, and remediation clearly to both technical engineers and non-technical stakeholders through written and verbal means.
  • Maintain strong technical documentation of findings, methodologies, and recommendations for internal and external audiences.
  • Operate independently with minimal supervision, managing multiple priorities while maintaining high standards of precision and safety in live customer environments.
  • Demonstrate curiosity and adaptability by quickly learning new technologies, frameworks, and target stacks as customer environments evolve.
  • Contribute to a culture of respect, collaboration, ownership, and results within a remote, high-performing cybersecurity team.
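As an illustration of what "production-safe proof-of-concept exploits" and "regression test cases" look like in practice, here is an added example; it is not Horizon3.ai's or NodeZero's code, and the `Shop` target, its `lookup_vulnerable` and `lookup_fixed` methods, and the `boolean_oracle_sqli` check are all constructed for this example. The target is an in-memory SQLite stand-in with one deliberately string-concatenated query beside its parameterised fix. The check confirms SQL injection with three read-only probes (baseline, a true tautology, a false contradiction) and reports a finding only when the responses diverge the way an injected predicate would force, so it neither writes to the target nor fires on a single coincidental match.

```python
"""Added example: a non-destructive SQLi check and the regression case around it.

Everything here is constructed for illustration; nothing is Horizon3.ai's code.
"""
import sqlite3


class Shop:
    """Constructed stand-in for a customer web app's product lookup endpoint."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
        self.db.executemany(
            "INSERT INTO products VALUES (?, ?)",
            [(1, "widget"), (2, "gadget"), (3, "gizmo")],
        )

    def lookup_vulnerable(self, product_id: str) -> list:
        # Deliberately vulnerable: the request parameter is concatenated into SQL.
        sql = f"SELECT name FROM products WHERE id = {product_id}"
        return [row[0] for row in self.db.execute(sql)]

    def lookup_fixed(self, product_id: str) -> list:
        # Hardened form: the value is validated and bound, never spliced into SQL.
        try:
            pid = int(product_id)
        except ValueError:
            return []
        rows = self.db.execute("SELECT name FROM products WHERE id = ?", (pid,))
        return [row[0] for row in rows]

    def row_count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM products").fetchone()[0]


def boolean_oracle_sqli(lookup, base_id: str = "1") -> bool:
    """Production-safe boolean-based SQLi confirmation.

    All three probes are plain reads on the application's normal query path,
    so the check can run against a live environment without disruption.
    A finding needs the true probe to reproduce the baseline AND the false
    probe to return nothing; either condition alone is not evidence.
    """
    baseline = lookup(base_id)
    true_probe = lookup(f"{base_id} AND 1=1")
    false_probe = lookup(f"{base_id} AND 1=2")
    return bool(baseline) and true_probe == baseline and false_probe == []


def regression_results() -> dict:
    """One benchmark case: the flaw must be flagged, the fix must not, and the
    target's data must be untouched after the probes ran."""
    shop = Shop()
    return {
        "vulnerable_flagged": boolean_oracle_sqli(shop.lookup_vulnerable),
        "fixed_flagged": boolean_oracle_sqli(shop.lookup_fixed),
        "rows_after": shop.row_count(),
    }


if __name__ == "__main__":
    for name, value in regression_results().items():
        print(f"{name}: {value}")
```

The false-contradiction probe is what separates a real injection point from an endpoint that simply ignores trailing junk: an application that returns the baseline for any input passes the true probe but fails the false one, and is correctly left unflagged.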

🎯 Requirements

  • Extensive hands-on experience conducting full-scope web application penetration tests.
  • Deep, practical knowledge of common and uncommon web vulnerability classes including SQLi, XSS, SSRF, SSTI/CSTI, IDOR/BOLA, authentication/authorization bypass, path traversal, and LFI, with the ability to chain them for impact.
  • Strong command of proxy tools like Burp Suite and browser developer tools.
  • Ability to script in Python or similar to reproduce findings and build proof-of-concept exploits.
  • Proven track record of identifying business-logic and edge-case flaws that automated scanners miss.
  • Strong written and verbal communication skills, including technical documentation and stakeholder engagement.

🏖️ Benefits

  • Competitive salary range of $196,000 - $242,000 with eligibility for equity in the form of stock options.
  • Health, vision, and dental insurance for employee and family.
  • Flexible vacation policy and generous parental leave.
  • Inclusive, collaborative remote work culture with opportunities for career growth.
  • Access to innovative AI-assisted tools and emerging technologies in offensive security.
  • Opportunities to publish research, contribute to technical blogs, and mentor teammates.

Skills & Technologies

Python
PostgreSQL
Neo4j
Remote
$196k-242k


About Horizon3.ai, Inc.

Horizon3.ai provides autonomous security testing and attack surface management software. Its NodeZero platform continuously assesses enterprise networks, clouds, and applications to find exploitable weaknesses, validate fixes, and prioritize risks. The company serves Fortune 500, government, and mid-market organizations seeking proactive defense without manual red teams.
