Robinhood
USD 187000-220000/yr

Senior Penetration Tester

United States · Bellevue
Engineering · Security Engineer

Our mission is to democratize finance for all. An estimated $124 trillion of assets will be inherited by younger generations in the next two decades, the largest transfer of wealth in human history. If you’re ready to be at the epicenter of this historic cultural and financial shift, keep reading.

Our group is building an elite team, applying frontier technologies to the world’s biggest financial problems. We’re looking for bold thinkers & sharp problem-solvers. Individuals who are wired to make an impact. Robinhood is where ambitious people do the best work of their careers. We’re a high-performing, fast-moving team with ethics at the center of everything we do. Expectations are high, and so are the rewards.

The Penetration Testing team at Robinhood is a core part of our Offensive Security program and a key pillar within Security & Privacy Engineering. We work across the company to identify, understand, and reduce security risk through threat modeling, penetration testing, code reviews, and vulnerability research. Our team goes beyond simply finding issues—we take pride in fixing what we find, contributing to long-term improvements, and proactively helping teams build safer systems from the start.

As a Senior Penetration Tester, you'll be a hands-on contributor to our internal application security testing program. You'll perform proactive security assessments, research emerging threats, scale the team via AI and automation, and work directly with engineers to design and implement fixes. This is a highly collaborative role that combines technical depth, creativity, and clear communication to protect our customers and our platform.

This role is based in our Bellevue, WA office, with in-person attendance expected at least 3 days per week.

At Robinhood, we believe in the power of in-person work to accelerate progress, spark innovation, and strengthen community. Our office experience is intentional, energizing, and designed to fully support high-performing teams.

Responsibilities

  • Perform application security assessments, including code reviews (primarily Go and Python), design reviews, and manual penetration testing of web applications, services, and infrastructure.
  • Build and operate AI-assisted tools (e.g. LLM-based code review, AI-driven fuzzing, agentic recon pipelines) to increase testing throughput and coverage.
  • Conduct threat modeling for high-impact systems and articulate security risk in terms of business logic, fraud potential, and customer impact.
  • Collaborate on the triage of bug bounty submissions.
  • Validate critical vulnerabilities surfaced by automated tools and improve detection coverage through scripting and configuration.
  • Work cross-functionally with engineers to mitigate issues, often contributing detection strategies, and occasionally direct code fixes (via pull requests).
  • Research emerging threats, new technologies, and attack techniques to evolve offensive and defensive capabilities of AI/ML systems.
  • Publish technical blog posts, speak at industry conferences, or share insights with the wider security community.
  • Advocate for security and privacy across engineering and product development teams.
  • 5+ years of experience in penetration testing, application security, or security engineering.
  • Proactive communication and engagement with stakeholders.
  • Demonstrated impact using AI tools (models, agentic frameworks, etc.) as force multipliers in security work.
  • Proficiency in auditing and exploiting Go and Python services.
  • Strong grasp of application security principles, authentication and authorization models, and common vulnerability patterns.
  • Experience with vulnerability research, business logic flaws, and application-layer misuse patterns.
  • Experience targeting AI/ML systems: prompt injection, tool/agent misuse, context and model exfiltration, and the broader stack (RAG pipelines, MCP servers, agentic frameworks).
  • Working knowledge of cryptocurrency and blockchain security: custody and signing flows, wallet and key-management design, on-chain integrations, and misuse patterns specific to digital-asset movement (transfer validation, replay, signature handling, bridge/staking integrations).
  • Familiarity with Linux systems, intrusion detection, and common log formats.
  • Hands-on experience testing cloud environments (AWS, GCP, or similar) and container orchestration platforms (Docker, Kubernetes).
  • Knowledge of network protocols (TCP/IP, DNS) and secure architecture best practices.
  • Ability to work independently, structure and execute testing plans, and clearly communicate risk to technical and non-technical stakeholders.
  • Comfort collaborating and documenting work asynchronously using tools like Slack, GitHub, and JIRA.

This position is restricted to US citizens or lawful permanent residents due to legal requirements.

Nice to Have

  • Experience in the financial technology (fintech) industry or highly regulated environments.
  • Passion for improving security through fixing—not just finding—vulnerabilities.
  • Demonstrated history of challenging security assumptions and creatively solving complex problems.

What We Offer

  • Challenging, high-impact work to grow your career
  • Performance driven compensation with multipliers for outsized impact, bonus programs, equity ownership, and 401(k) matching
  • Best in class benefits to fuel your work, including 100% paid health insurance for employees with 90% coverage for dependents
  • Lifestyle wallet - a highly flexible benefits spending account for wellness, learning, and more
  • Employer-paid life & disability insurance, fertility benefits, and mental health benefits
  • Time off to recharge including company holidays, paid time off, sick time, parental leave, and more!
  • Exceptional office experience with catered meals, events, and comfortable workspaces.

Location & Eligibility

Where is the job: Bellevue, United States (on-site at the office)
Who can apply: US

Listing Details

Posted: June 1, 2026
First seen: June 1, 2026
Last seen: June 1, 2026

Robinhood
greenhouse
Employees: 3k+
Founded: 2013