Title: Application Security Engineer / Penetration tester
We are looking for an Application Security Engineer / Pentester with an offensive mindset to proactively identify and remediate vulnerabilities within our web applications. You will conduct deep-dive penetration tests, perform manual and automated code reviews of our Python backend, and ensure our containerized deployments are hardened against attack. Your goal is to move beyond simple scanning and think like an adversary to protect our data and our users.

• Web Penetration Testing: Perform end-to-end manual penetration testing on our web applications and APIs, identifying flaws in business logic, authentication, and session management.
• Secure Code Review: Conduct "Grey Box" and "White Box" assessments of Python source code to identify vulnerabilities (SSTI, Insecure Deserialization, Logic flaws).
• Vulnerability Research: Hunt for vulnerabilities across our stack, specifically targeting PostgreSQL (SQLi, permission escalation) and Docker (container escapes, insecure registry configs).
• Proof of Concept (PoC) Development: Create stable, reproducible exploits to demonstrate the impact of discovered vulnerabilities to the engineering team.
• Tooling & Automation: Fine-tune and manage high-fidelity security tools such as Burp Suite Professional, OWASP ZAP, Snyk, and Semgrep.
• Remediation Guidance: Work side-by-side with developers to provide actionable, code-level recommendations for fixing security bugs.

Technical Requirements

• Language Expertise: Strong proficiency in Python; ability to read and understand complex backend logic and write custom exploitation scripts.
• Database Security: Deep knowledge of PostgreSQL security, including row-level security, hardening, and preventing advanced injection techniques.
• Container Security: Practical experience securing and auditing Docker environments (Dockerfile hardening, image scanning, runtime security).
• Framework Mastery: Expert knowledge of the OWASP Top 10 and the Web Security Testing Guide (WSTG).
• Offensive Toolkit: Mastery of Burp Suite, SQLMap, Nuclei, and various DAST/SAST scanners.

Qualifications

• Experience: 3+ years in offensive security or application security engineering.
• Certifications (Preferred but not mandatory): OSCP, OSWA, or equivalent hands-on certifications.
• Mindset: A curious, persistent "hacker" mindset that doesn't stop at the first roadblock.