Security Engineer, Red Team

The GitLab DevOps platform empowers 100,000+ organizations to deliver software faster and more efficiently. We are one of the world’s largest all-remote companies with 1,800+ team members and values that guide a culture where people embrace the belief that everyone can contribute.

As members of GitLab's Threat Management sub department, the Red Team conducts security exercises that emulate real-world threats. We do this to help assess and improve the effectiveness of the people, processes, and technologies used to keep our organization secure.

The Red Team does not perform penetration tests, and the work we do is not focused on delivering a list of vulnerabilities in a specific application or service. Instead, we emulate the real-world tactics, techniques, and procedures (TTPs) of threats that are most relevant to our organization.

GitLab's environment is very different than traditional organizations, and attacking it takes creativity. There are no wireless corporate networks to sniff, there is no Active Directory to roast, and you won't find a single hash being passed. To be successful on our Red Team, you must be able to adapt traditional attack techniques to an all-remote, all-cloud, and SaaS-based environment.

Our Red Team works together with our Blue Team. Even when planning attacks, we are collaborating to make these attacks more difficult to succeed. Our ultimate goal is never to successfully attack a system, but instead to help ensure our organization is prepared when that attack becomes a reality.

Responsibilities

• Maintain a deep understanding of GitLab's product offerings, how they work, and how they could be attacked or abused
• Propose, plan, and execute Red Team operations based on realistic threats to the organization
• Automate attack techniques, creating custom tooling for specific operations and contributing to general-purpose open source tools
• Write detailed reports covering the goals and outcomes of Red Team operations, including significant observations and recommendations
• Collaborate with GitLab's Security Incident Response Team (SIRT) to improve detection and response capabilities
• Collaborate with GitLab's Infrastructure Security Team to propose defensive improvements to cloud environments
• Collaborate across multiple product teams to propose enhancements and additions to GitLab's SaaS and self-hosted offerings
• Collaborate with non-technical teams to propose process and policy enhancements and additions
• Stay informed on current security trends, advisories, publications, and academic research that is relevant our organization

Requirements

• Ability to use GitLab
• Understanding of the MITRE ATT&CK framework
• Ability to automate tasks by writing basic scripts/programs - we often use Python and Go
• Ability to read and understand multiple programming languages, especially Ruby and Go
• Command-line experience with Linux-based operating systems
• Experience exploiting vulnerabilities in at least two of the following areas:
  • Web applications
  • Cloud environments (GCP / AWS)
  • Linux and/or MacOS workstations
  • Software supply chain
• Basic hands-on experience with at least one of the major cloud providers (GCP, AWS, Azure)
• An adversarial mindset - you must be able to put yourself in the mind of the attacker
• Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner

Hiring Process

Candidates for this position can expect the hiring process to follow the order below. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.

• Qualified candidates will be invited to schedule a 30 minute screening call with one of our Global Recruiters.
• Next, candidates will be invited to schedule an interview with Red Team Manager
• Candidates will then be invited to schedule an interview with Senior Red Team Engineer, Security Incident Response Team Manager, Trust & Safety Manager
• Candidates will then be invited to schedule an interview with Director of Security Operations
• Successful candidates will subsequently be made an offer via email

Additional details about our process can be found on our hiring page.

Compensation

For Colorado residents: The base salary range for this role’s listed level is currently $103,600-$188,700 for Colorado residents only. Grade level and salary ranges are determined through interviews and a review of education, experience, knowledge, skills, abilities of the applicant, equity with other team members, and alignment with market data. See more information on our benefits and equity. Sales roles are also eligible for incentive pay targeted at up to 100% of the offered base salary. Disclosure as required by the Colorado Equal Pay for >Equal Work Act, C.R.S. § 8-5-101 et seq.

To view the full job description and its compensation calculator, view our handbook. The compensation calculator can be found towards the bottom of the page.

About GitLab

GitLab Inc. is a company based on the GitLab open-source project. GitLab is a community project to which over 2,200 people worldwide have contributed. We are an active participant in this community, trying to serve its needs and lead by example. We have one vision: everyone can contribute to all digital content, and our mission is to change all creative work from read-only to read-write so that everyone can contribute.

We value results, transparency, sharing, freedom, efficiency, self-learning, frugality, collaboration, directness, kindness, diversity, inclusion and belonging, boring solutions, and quirkiness. If these values match your personality, work ethic, and personal goals, we encourage you to visit our primer to learn more. Open source is our culture, our way of life, our story, and what makes us truly unique.

Top 10 Reasons to Work for GitLab:

1. Mission: Everyone can contribute
2. Results: Fast growth, ambitious vision
3. Flexible Work Hours: Plan your day so you are there for other people & have time for personal interests
4. Transparency: Over 2,000 webpages in GitLab handbook, GitLab Unfiltered YouTube channel
5. Iteration: Empower people to be effective & have an impact, Merge Request rate, We dogfood our own product, Directly responsible individuals
6. Diversity, Inclusion & Belonging: A focus on gender parity, Team Member Resource Groups, other initiatives
7. Collaboration: Kindness, saying thanks, intentionally organize informal communication, no ego
8. Total Rewards: Competitive market rates for compensation, Equity compensation, global benefits (inclusive of office equipment)
9. Work/Life Harmony: Flexible workday, Friends and Family days
10. Remote Done Right: One of the world's largest all-remote companies, prolific inventor of remote best practices

See our culture page for more!

Work remotely from anywhere in the world. Curious to see what that looks like? Check out our remote manifesto and guides.

Country Hiring Guidelines: GitLab hires new team members in countries around the world. All of our roles are remote, however some roles may carry specific location-based eligibility requirements. Our Talent Acquisition team can help answer any questions about location after starting the recruiting process.  

Privacy Policy: Please review our Recruitment Privacy Policy. Your privacy is important to us.

GitLab is proud to be an equal opportunity workplace and is an affirmative action employer. GitLab’s policies and practices relating to recruitment, employment, career development and advancement, promotion, and retirement are based solely on merit, regardless of race, color, religion, ancestry, sex (including pregnancy, lactation, sexual orientation, gender identity, or gender expression), national origin, age, citizenship, marital status, mental or physical disability, genetic information (including family medical history), discharge status from the military, protected veteran status (which includes disabled veterans, recently separated veterans, active duty wartime or campaign badge veterans, and Armed Forces service medal veterans), or any other basis protected by law. GitLab will not tolerate discrimination or harassment based on any of these characteristics. See also GitLab’s EEO Policy and EEO is the Law. If you have a disability or special need that requires accommodation, please let us know during the recruiting process.