HashiCorp Hiring for Sr. Security Engineer, Offensive at Toronto, ON Full Time

At HashiCorp, we’re building a generation-defining infrastructure software company, powered by our core principles and a growing team of talented, committed professionals working together to help organizations seamlessly transition to and operate in the cloud. Founded in 2012 and headquartered in San Francisco, 85 percent of our employees work remotely, strategically distributed around the globe. From our inception we built the company with a remote-first approach because we believe talent has no boundaries.

Security Engineer – Red Team

Location: Remote

About HashiCorp

HashiCorp is a fast-growing startup that solves development, operations, and security challenges in infrastructure so organizations can focus on business-critical tasks. We build tools to ease these decisions by presenting solutions that span the gaps. Our tools manage both physical machines and virtual machines, Windows, and Linux, SaaS and IaaS, etc. Our open source software is used by millions of users to provision, secure, connect, and run any infrastructure for any application. The Global 2000 uses our enterprise software to accelerate application delivery and drive innovation through software.

Engineering at HashiCorp is largely a remote team. While prior experience working remotely isn’t required, we are looking for team members who perform well given a high level of independence and autonomy.

This Position

We’re looking for Offensive Security Engineers to join our Vulnerability Research & Red Team.This team helps HashiCorp through vulnerability discovery, disclosure and mitigation in our products, services, infrastructure, and ecosystem. This person will be responsible for performing attack simulations, adversarial threat modeling, penetration tests, and security reviews for HashiCorp products and services. You will be responsible for discovering vulnerabilities at HashiCorp, its products and services and conduct threat modeling exercises on people, processes, and technologies that build up our products and services. You will also design red team exercises in collaboration with other security teams to help improve our security incident response and overall security program.

As a member of our Red Team, you’ll be responsible for ensuring that HashiCorp’s products, services, and processes are continuously tested and resilient against an attack from threat actors. You’ll be working with the team to focus on the systems, services, and processes that protect HashiCorp’s most valuable resources, and communicate with internal and external stakeholders as needed.

In this role, your responsibilities will include:
Partner with Engineering, Product, IT, and other Security functions to drive security improvement across the organization

Provide an adversarial perspective that productively challenges assumptions and decisions to improve security

Collaboratively define threat models, scope, and prioritize offensive security engagements. Integrate offensive security into security development lifecycle

Research emerging attack vectors and techniques, including targeting user endpoints, cloud platforms & systems, development infrastructure, system integrations, and everything in between.

Design and plan offensive exercises based on research into threat actors most relevant to HashiCorp’s business operations

Conduct attacks and emulate attack campaigns to mimic adversarial tactics, techniques and procedures.

Build, modify, and implement tooling and automation to improve the offensive capabilities of the team to meet our evolving objectives and mitigate security threats

Perform ongoing, proactive analysis of HashiCorp’s internal and external attack surface

Participate in blue / purple-team exercises to improve efficacy of internal security programs

Develop training programs on security-related topics such as threat modeling, user awareness, attack techniques, and mitigation strategies

Apply and improve automated vulnerability discovery infrastructure in collaboration with Product Security, Detection & Response, and IT teams

Advise CSO & other leadership during the development of strategic plans and long-term roadmaps

Document and effectively contextualize issues with respect to business impact

Devise pragmatic methods of mitigating security risks

Coordinate, collaborate, and communicate within the Red Team and with stakeholders in Security, Engineering, and other departments

You may be a good fit for our team if you have experience in some of these areas:

You have 2+ years of work experience performing vulnerability research, penetration testing, reverse engineering, application and infrastructure security assessment, and adversary emulation exercises.

Experience in tailored reconnaissance, weaponization, exploitation, and lateral movement

Experience with offensive attack infrastructure development, deployment, and management

Demonstrated experience developing and deploying custom tailored offensive capabilities

Knowledge of application, service, API, and endpoint attack techniques

Experience reviewing source code for control flow and security flaws

Familiarity with attacking and defending cloud services running in modern cloud environments

Previous experience working in collaborative Red Teams

Published Security advisories, vulnerability research and bug bounties

Speaking / publishing at security conferences

Programming experience in Python and/or Go to build security tools

Publicly released tools or modules

HashiCorp embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. We believe the more inclusive we are, the better our company will be.

#LI-RR1

#LI-Remote

HashiCorp embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. We believe the more inclusive we are, the better our company will be.

For more information regarding how HashiCorp collects, uses, and manages personal information, please review our Privacy Policy.