Product Security Engineer
About the Role:
We’re a growing SaaS startup building our security team from the ground up. We’re looking for a hands-on Product Security Engineer who enjoys breaking things (responsibly) and helping teams fix them fast.
This role is very practical and impact-driven. You’ll be embedded close to the product and engineering teams, proactively attacking our own systems before anyone else does. If you like moving fast, owning problems end-to-end, and thinking like a real attacker, this role is for you.
What You'll Do:
Actively test our SaaS product for security vulnerabilities across web apps, APIs, and cloud infrastructure.
Perform manual security testing and targeted penetration tests (beyond automated scanners).
Implement and help implement automated security test suites.
Identify abuse cases, business logic flaws, and real-world attack paths.
Work directly with engineers to reproduce issues and drive fixes.
Help introduce lightweight security practices into the development process (threat modeling, secure design reviews).
Validate fixes and ensure issues are fully resolved.
Stay current on new vulnerabilities, attack techniques, and SaaS-relevant threats.
What You'll Bring:
3–6 years of experience in application security, offensive security, or penetration testing.
Strong understanding of web and API security (OWASP Top 10, auth, sessions, access control).
Experience testing modern SaaS products.
Comfort working in cloud environments (AWS / GCP / Azure at a practical level).
Experience with common security testing tools (Burp Suite, Nuclei, etc.).
Ability to communicate findings clearly and pragmatically to engineers.
Self-starter mindset — comfortable operating with limited process and high ownership.
Preferred, but not required:
Startup experience or early-stage product exposure.
Bug bounty or responsible disclosure experience.
Secure code review experience (any major language).
Familiarity with CI/CD and modern SDLC security.
Offensive security certifications (OSCP, GWAPT, etc.).
About the job
Apply for this position
Product Security Engineer
About the Role:
We’re a growing SaaS startup building our security team from the ground up. We’re looking for a hands-on Product Security Engineer who enjoys breaking things (responsibly) and helping teams fix them fast.
This role is very practical and impact-driven. You’ll be embedded close to the product and engineering teams, proactively attacking our own systems before anyone else does. If you like moving fast, owning problems end-to-end, and thinking like a real attacker, this role is for you.
What You'll Do:
Actively test our SaaS product for security vulnerabilities across web apps, APIs, and cloud infrastructure.
Perform manual security testing and targeted penetration tests (beyond automated scanners).
Implement and help implement automated security test suites.
Identify abuse cases, business logic flaws, and real-world attack paths.
Work directly with engineers to reproduce issues and drive fixes.
Help introduce lightweight security practices into the development process (threat modeling, secure design reviews).
Validate fixes and ensure issues are fully resolved.
Stay current on new vulnerabilities, attack techniques, and SaaS-relevant threats.
What You'll Bring:
3–6 years of experience in application security, offensive security, or penetration testing.
Strong understanding of web and API security (OWASP Top 10, auth, sessions, access control).
Experience testing modern SaaS products.
Comfort working in cloud environments (AWS / GCP / Azure at a practical level).
Experience with common security testing tools (Burp Suite, Nuclei, etc.).
Ability to communicate findings clearly and pragmatically to engineers.
Self-starter mindset — comfortable operating with limited process and high ownership.
Preferred, but not required:
Startup experience or early-stage product exposure.
Bug bounty or responsible disclosure experience.
Secure code review experience (any major language).
Familiarity with CI/CD and modern SDLC security.
Offensive security certifications (OSCP, GWAPT, etc.).