Senior Attack Engineer - Vulnerability Research
Ready to weaponize your vulnerability research skills and impact the future of autonomous penetration testing? Join Horizon3.ai, a rapidly growing, fully remote cybersecurity company, and be a key player in our mission to help organizations proactively identify and remediate exploitable attack vectors before they're compromised.
We're not your typical cybersecurity company. We're a diverse team comprised of former U.S. Special Operations cyber operators, startup veterans, and experienced cybersecurity practitioners who are passionate about solving real-world security problems. We're tackling alert fatigue, blind spots, and the skills gap head-on with our flagship product, NodeZero™ – a platform that delivers production-safe autonomous pentests and assessments across diverse environments.
What You'll Do:
As a Senior Attack Engineer, you'll be at the forefront of vulnerability research and exploit development, directly contributing to the core of our NodeZero platform. You'll be responsible for:
Acquiring and configuring vulnerable test systems to replicate and validate attack scenarios.
Reverse engineering application binaries and patches (Java, C#, .NET, native applications) to identify vulnerabilities using tools like IDA or Ghidra.
Developing and validating proof-of-concept exploits for identified vulnerabilities and integrating them into NodeZero.
Designing and implementing foundational technology improvements to accelerate the development of exploitation modules.
Collaborating closely with engineering teams to enhance product capabilities and develop innovative features.
Maintaining a comprehensive understanding of emerging vulnerabilities, ensuring Horizon3 remains at the cutting edge of the threat landscape.
This role offers a dynamic environment where you'll have the opportunity to work on a wide range of tasks, from building POC exploits to advancing our red teaming technologies. You'll be directly contributing to the enhancement of NodeZero's capabilities and ensuring its effectiveness in real-world scenarios.
What You'll Bring:
Problem-Solving Prowess: Exceptional analytical skills and a knack for tackling complex technical challenges.
Self-Driven: Ability to thrive in an independent environment with minimal supervision, showcasing initiative and a strong drive.
Team Player: Collaborative spirit to work effectively with the NodeZero team, N-Day researchers, and other teams to integrate exploits and develop cross-functional features.
Communication Skills: Excellent technical writing and documentation skills, capable of conveying findings to both technical and non-technical audiences.
Technical Design Expertise: Proficiency in designing, presenting, and evaluating technical solutions, ensuring high-quality and secure software development practices.
Adaptability: A passion for continuous learning and the ability to quickly adapt to new technologies, tools, and methodologies.
Required Experience/Education:
Python Expertise: Strong proficiency in large-scale Python software development.
Software Engineering Foundation: Solid understanding of secure software development practices, including Git and effective team workflows.
Reverse Engineering Experience: Proven experience reversing Java applications, C#, .NET, and native application binaries using tools like IDA or Ghidra.
Vulnerability Exploitation Mastery: In-depth knowledge of common Remote Code Execution (RCE) techniques, such as SQL injection, path traversal, and buffer overflow exploits.
Network Protocol Fluency: Deep understanding of network protocols and their role in exploitation vectors.
Database Familiarity: Experience with relational (Postgres) or graph (Neo4j) database systems.
Equivalent experience may be considered with demonstrable proof-of-concept write-ups, published vulnerability research, or similar achievements.
Desired Skills:
Bachelor's Degree in Computer Science, Computer Engineering, or a related field.
Experience with vulnerability disclosure processes.
Published CVEs or experience with bug bounty and web app pentesting.
Experience with additional programming languages, including C, C++, Rust, or Assembly.
Familiarity with Nuclei and Metasploit for automated vulnerability scanning and exploitation.
Experience working in AWS and other cloud environments.
Previous experience working on large-scale software projects.
Knowledge of and experience with Docker, Kubernetes, and related containerization technologies.
Certifications (Optional but Preferred):
OSCP (Offensive Security Certified Professional) or equivalent certifications.
Travel:
We are a fully remote company. This job may require up to 5% travel.
Compensation and Values:
We value our employees and offer a competitive compensation package. The salary range for this position is $195,000 - $242,000 annually, based on location, qualifications, experience, and skills. In addition to base salary, all full-time roles are eligible for an equity package in the form of stock options.
Perks of Joining Horizon3.ai:
Inclusive Team: A diverse and inclusive culture where everyone can thrive.
Growth Opportunities: Be part of a dynamic and rapidly growing team with ample career development opportunities.
Innovative Culture: A collaborative environment that encourages creativity and out-of-the-box thinking.
Remote Work: 100% remote company. Work from anywhere and enjoy a flexible work environment.
Competitive Compensation & Benefits: Competitive salary, equity, and benefits including health, vision & dental insurance, flexible vacation, and generous parental leave.
You Belong Here:
Horizon3.ai is an equal opportunity employer and values diversity, equity, and inclusion. We are committed to creating a welcoming and supportive environment for all employees. We encourage applications from all qualified individuals.
Join us and be a part of a team that is revolutionizing the cybersecurity landscape!
Please note: This job description is not a comprehensive list of all activities, duties, or responsibilities required of the employee. Duties, responsibilities, and activities may change at any time with or without notice.
Application Note: You may redact or remove age-identifying information from your application materials.