About Skyflow:
We are Skyflow, a Silicon Valley startup that has built the world's first data privacy vault delivered as an API. Our mission is to transform how businesses handle and protect their users' financial, healthcare, and personal information — the data that powers our digital economy. Inspired by the zero trust data vaults that Apple and Netflix built to handle customer data, we've built a cloud-based vault that is available through a simple and elegant API. With Skyflow, developers can easily build best-of-breed data privacy, security and compliance directly into their applications, the same way they use Stripe, Twilio, or Okta.
Skyflow is based in Palo Alto California, with offices in Bangalore, India, and team members working from locations all around the world. We have former Executives and Leaders from the likes of Salesforce, Google, Twilio, and Oracle. Come join us!
As the Lead Offensive Security Engineer, you will collaborate and lead the area with the responsibility of validating the security posture of Skyflow's Infrastructure, and Application and Security controls. The team enhances existing service offerings & security testing capabilities and conducts hands-on technical testing, focused on identification of complex vulnerabilities in all infrastructure and products. The candidate must also have the ability to communicate well, motivate and lead cross-functionally as well as be an independent individual contributor, and participate in coordinating response and defensive actions over a variety of security disciplines, and finally, disseminate technical information as appropriate in support of Skyflow's critical business, go to market, and operational infrastructure needs.
We know great Offensive Security Engineers come from diverse backgrounds so no single individual may have all the desired skills on day one. But if you are the kind of software engineer who would have loved to engineer security solutions for enterprise platform offerings - we want to talk to you.
Qualifications:
- 7+ years of conducting Offensive Security Testing (i.e. Red Teaming, Purple Teaming, Threat Intelligence, Penetration Testing, and Product Testing)
- 3+ years in leadership role
- Experience designing a program and creating Standard Operating Procedures, Rules of Engagement, Testing Methodologies
- Experience conducting advanced penetration testing exercises (Network, Web Application, Mobile and Cloud)
- Experience reporting findings and developing pragmatic recommendations with the product ecosystem in mind
- Experience emulating advanced adversarial Tactics, Threats, and Procedures (TTPs)
- Experience with offensive tools and platforms such as Kali Linux, Cobalt Strike, Metasploit, Covenant, Sliver, Bloodhound, Ghostpack, Nmap, Nessus, Zmap, Massscan, EyeWitness, Burp Suite
- Experience with infrastructure automation, server administration, TCP/IP networking, vulnerability identification and exploitation, vulnerability exploit code development, offensive security operation coordination and communication, vulnerability tracking and remediation, cross functional collaborations
- Effective communicator with experience working in a fast-paced dynamic environment, where prioritization is key to success
- Any of the following industry certifications are nice to have: OSCP, CRTO, OSEP, OSED, OSMR, OSEE, OSWE, OSWP, GPEN, GCIH, GWAPT, GDAT or GXPN
Responsibilities:
- Systematically analyze each component of an application with the intent of locating programming flaws that could be leveraged to compromise the software through source code review or reverse engineering
- Leverage war gaming to simulate security incidents, observe response across monitoring and incidents, and identify enhancement opportunities
- Develop after action reports to help justify this investment and use the results to hone strategies for the overall organization
- Make contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, blogs, publications, speaking at conferences, etc.
- Execute Red Team engagements in a variety of networks using real-world adversarial Tactics, Techniques, and Procedures (TTPs) from conception to report delivery
- Conduct open-source intelligence gathering, network vulnerability scanning, exploitation of vulnerable services, lateral movement, install persistence in a target network(s), and manage C2 infrastructure
- Develop payloads, scripts and tools that weaponize new proof-of-concepts for exploitation, evasion, and lateral movement
- Document identified vulnerabilities and research corrective/remediation actions in order to recommend a risk mitigation technique(s)
- Maintain knowledge of applicable Red Team policies, Standing Ground Rules, regulations, and compliance documents
- Communicate effectively with team members and during an engagement
- Keep current with TTPs and the latest offensive security techniques
Benefits:
- Work from home expense (U.S., Canada, and Australia)
- Excellent Health, Dental, and Vision Insurance Options (Varies by Country)
- Vanguard 401k
- Very generous PTO
- Flexible Hours
- Generous Equity
At Skyflow, we believe that diverse teams are the strongest teams. We invite applicants of all genders, races, ethnicities, nationalities, ages, religions, sexual orientations, disability statuses, educational experiences, family situations, and socio-economic backgrounds.
Pay:
A base salary range of $150,000 - $240,000 can be expected for this role in the San Francisco/Bay Area. You could also be entitled to receive an additional incentive bonus or variable pay, equity, and benefits.
Skyflow operates from a place of high trust and transparency; we are happy to disclose the pay range for our open roles that best align with your needs. Exact compensation may vary based on skills, experience, education, and location.