Security Engineer - Red Team

Location: Remote

HashiCorp is a fast-growing startup that solves development, operations, and security challenges in infrastructure so organizations can focus on business-critical tasks. We build tools to ease these decisions by presenting solutions that span the gaps. Our tools manage both physical machines and virtual machines, Windows, and Linux, SaaS and IaaS, etc. Our open source software is used by millions of users to provision, secure, connect, and run any infrastructure for any application. The Global 2000 uses our enterprise software to accelerate application delivery and drive innovation through software. 

We're looking for Offensive Security Engineers to join our Vulnerability Research & Red Team.This team helps HashiCorp through vulnerability discovery, disclosure and mitigation in our products, services, infrastructure, and ecosystem. This person will be responsible for performing attack simulations, adversarial threat modeling, penetration tests, and security reviews for HashiCorp products and services. You will be responsible for discovering vulnerabilities at HashiCorp, its products and services and conduct threat modeling exercises on people, processes, and technologies that build up our products and services. You will also design red team exercises in collaboration with other security teams to help improve our security incident response and overall security program.

As a member of our Red Team, you’ll be responsible for ensuring that HashiCorp's products, services, and processes are continuously tested and resilient against  an attack from threat actors. You’ll be working with the team to focus on the systems, services, and processes that protect HashiCorp’s most valuable resources, and communicate with internal and external stakeholders as needed. 

Engineering at HashiCorp is largely a remote team. While prior experience working remotely isn't required, we are looking for team members who perform well given a high level of independence and autonomy.

HashiCorp embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. We believe the more inclusive we are, the better our company will be

In this role, your responsibilities will include:

• Partner with Engineering, Product, IT, and other Security functions to drive security improvement across the organization
• Provide an adversarial perspective that productively challenges assumptions and decisions to improve security
• Collaboratively define threat models, scope, and prioritize offensive security engagements. Integrate offensive security into security development lifecycle
• Research emerging attack vectors and techniques, including targeting user endpoints, cloud platforms & systems, development infrastructure, system integrations, and everything in between.
• Design and plan offensive exercises based on research into threat actors most relevant to HashiCorp’s business operations
• Conduct attacks and emulate attack campaigns to mimic adversarial tactics, techniques and procedures.
• Build, modify, and implement tooling and automation to improve the offensive capabilities of the team to meet our evolving objectives and mitigate security threats
• Perform ongoing, proactive analysis of HashiCorp’s internal and external attack surface
• Participate in blue / purple-team exercises to improve efficacy of internal security programs
• Develop training programs on security-related topics such as threat modeling, user awareness, attack techniques, and mitigation strategies
• Apply and improve automated vulnerability discovery infrastructure in collaboration with Product Security, Detection & Response, and IT teams
• Advise  CSO & other leadership during the development of strategic plans and long-term roadmaps
• Document and effectively contextualize issues with respect to business impact
• Devise pragmatic methods of mitigating security risks
• Coordinate, collaborate, and communicate within the Red Team and with stakeholders in Security, Engineering, and other departments

Must-Have Qualifications

• 3-5+ years of work experience in security assessment of applications, network systems, protocols, cloud platforms, and infrastructure
• Demonstrated experience in performing vulnerability research, penetration testing, reverse engineering, application and infrastructure security assessment, and adversary emulation exercises.
• Experience in tailored reconnaissance, weaponization, exploitation, and lateral movement
• Knowledge of application, service, API, and endpoint attack techniques 
• Demonstrated technical experience across related security disciplines e.g. appsec, intrusion detection and response, network security, infrastructure security, etc
• Familiarity with attacking and defending cloud services running in modern cloud environments
• Ability to prioritize and track multiple projects in parallel
• Previous experience working in collaborative Red Teams

Desired Qualifications

• Published Security advisories, vulnerability research and bug bounties
• Experience implementing and scaling security programs in a startup environment
• Speaking / publishing in Tier 1 security conferences 
• Experience reviewing source code for control flow and security flaws
• Programming experience in Python and/or Go to build security tools
• Publicly released tools or modules

HashiCorp embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. We believe the more inclusive we are, the better our company will be.

#LI-RD1

#LI-Remote