WebApp Offensive Security Engineer

Horizon3.ai is a fast-growing, remote cybersecurity company dedicated to the mission of enabling organizations to proactively find and fix and verify exploitable attack vectors before criminals exploit them. Our flagship product, the NodeZeroTM platform, delivers production-safe autonomous pentests and other key assessment operations that scale across the largest internal, external, cloud, and hybrid cloud environments. NodeZero has been adopted by organizations of all sizes, from small educational institutions to government agencies and Global 100 enterprises. It is used by ITOps/SecOps teams, consulting pentesters, and MSSPs and MSPs. 

We are a fusion of former U.S. Special Operations cyber operators, startup engineers, and formerly frustrated cybersecurity practitioners. We're committed to helping solve our common security problems: ineffective security tools, false positives resulting in alert fatigue, blind spots, "checkbox” security culture, cybersecurity skills shortage, and the long lead time and expense of hiring outside consultants. Collectively, we are a team of learn it alls, committed to a culture of respect, collaboration, ownership, and results.

We're looking for a Webapp Offensive Security Engineer with deep, hands-on web application penetration testing experience to push our autonomous testing beyond what it can do today. You'll be testing real customer web applications — not just labs and benchmarks — using NodeZero as your starting point and then going further as the human expert: hunting the edge cases, novel attack chains, and business-logic flaws that automated testing doesn't yet handle, proving them out safely against live targets, and working shoulder-to-shoulder with our software engineers to turn each discovery into durable product coverage that benefits every customer.

This is a pentesting-first role. You won't be expected to architect platform internals or ship production features yourself — you'll be the offensive expert who tests live customer applications, finds the gaps NodeZero doesn't yet cover, demonstrates them, defines what "good" looks like, and partners with engineering to close them. If you love breaking real web apps by hand, get satisfaction from finding what scanners miss, and want your tradecraft to scale to thousands of customers through the product, this role is for you.

• Perform hands-on, full-scope web application penetration tests against real customer applications, alongside benchmark and lab targets, to surface vulnerabilities and attack paths.

• Review NodeZero results on live customer engagements to identify coverage gaps, blind spots, and missed opportunities — the edge cases and corner-case attack scenarios that autonomous testing doesn't yet handle.

• Manually reproduce and validate those edge cases, building reliable, production-safe proof-of-concept exploits and clear test cases that demonstrate the gap end to end — including against live customer environments without disrupting them.

• Partner closely with software engineers to translate your findings into product improvements — defining detection logic, attack content, expected behavior, and remediation so NodeZero handles those cases going forward.

• Build and maintain a library of regression and benchmark test cases so newly added coverage doesn't silently regress over time.

• Monitor production pentests for missed findings and false positives; create and triage Jira tickets to drive issues to resolution.

• Work directly with customers and internal teams to investigate findings, explain attack paths, and address questions about web application coverage and results.

• Author technical blog posts and research write-ups showcasing new exploits, edge cases, and attack methodologies.

• Mentor teammates and contribute to continuous improvement of team processes, methodology, and testing standards.

• Extensive hands-on experience conducting full-scope web application penetration tests.

• Deep, practical knowledge of common and not-so-common web vulnerability classes — SQL injection, XSS (reflected, stored, and DOM-based), SSRF, SSTI/CSTI, IDOR/BOLA, authentication and authorization bypass, path traversal, LFI, and similar — including how to chain them to demonstrate impact.

• A talent for finding and exploiting business-logic and edge-case flaws that automated scanners routinely miss.

• Strong command of proxy tools like Burp Suite and browser developer tools.

• Comfort scripting to reproduce findings and build proof-of-concept exploits (e.g., Python or similar) — you don't need to be a professional software engineer, but you should be able to write and read code well enough to demonstrate an exploit and collaborate effectively with engineers.

• Ability to clearly communicate attack steps, impact, and remediation guidance to both engineers and non-technical stakeholders.

• Curiosity about emerging AI technologies and comfort using AI-assisted tools in your testing and research workflow.

• Strong written and verbal communication, including technical documentation.

• Ability to manage multiple priorities, work independently, and mentor teammates of varying experience levels.

• Quick to learn and adopt new technologies, frameworks, and target stacks as needed.

• History of recognized security research, including documented CVE discoveries and responsible disclosure.

• Track record of successful bug bounty contributions.

Horizon3 is not just an equal opportunity employer - we are a community that values diversity, equity, and inclusion as fundamental principles of our culture and success. We are dedicated to fostering a workplace where everyone feels welcome and respected, regardless of race, color, religion, sex, national origin, age, disability, veteran status, sexual orientation, gender identity or expression, genetic information, marital status, or any other legally protected status by law.

Our commitment to diversity and inclusion means we strive to attract, develop, and retain a workforce that reflects the varied communities we serve. We believe that diverse perspectives drive innovation and strengthen our ability to create cutting-edge cybersecurity solutions. At Horizon3, every team member is valued and supported in an environment that encourages personal and professional growth.

We welcome candidates from all backgrounds and experiences, and we encourage all qualified individuals to apply. Come be a part of Horizon3, where your unique contributions are recognized, and your potential is limitless.

• Familiarity with how autonomous, agentic, or AI-driven pentesting tools work — and a sharp instinct for where and why they fail.

• Experience writing detection or attack content (e.g., Nuclei templates, sqlmap tamper scripts, custom Burp extensions).

• Enough software development background to collaborate fluently with engineers on remediation and product coverage.

• Familiarity with relational and graph databases, particularly Postgres and Neo4j.

• Experience with AI/LLM tools for building agentic workflows (e.g., LangChain, LangFlow) and integrating contextual data using protocols like Model Context Protocol (MCP).

• Outstanding problem-solving aptitude and a relentless curiosity for how things break.

• Self-motivated and highly energetic, with the ability to operate effectively with limited supervision and guidance.

• Work with our engineers and security researchers to turn manual discoveries into reliable, production-safe product capabilities.

• Strong technical documentation and communication skills.

• Document findings, methodologies, and recommendations for both technical and non-technical stakeholders.

• A portfolio of novel web application research, exploits, or edge-case findings you can walk us through.

• Demonstrated examples of using AI to enhance or accelerate your testing and exploit development.

• OSCP, OSWE, or comparable offensive security certifications.

Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee. Duties, responsibilities, and activities may change at any time with or without notice.