Senior Offensive Security Engineer II, Infrastructure Security

The HubSpot Threats and Vulnerabilities team is charged with protecting our customers by systematically reducing HubSpot’s attack surface and improving the maturity of HubSpot’s Product Security. We create this path forward by mapping out HubSpot’s defenses, identifying and prioritizing improvements based on threat intelligence, and testing our applications and infrastructure to find and fix weaknesses. 

The team is composed of highly skilled individuals experienced in the security and development of Cloud services. This team provides support and guidance across both the Product and Security organizations at HubSpot. We are looking for experienced engineers from diverse backgrounds to augment the team’s skill set and offer new perspectives on security and risk and how it relates to HubSpot’s program.

In this role you will:

• Guide development teams in secure development and protective measures to deter abuse or attacks

• Provide security-focused recommendations based on threat intelligence, other real-world security events, and vulnerability assessments

• Build secure application design standards that allow low-friction adoption by product teams

• Lead security-focused architecture reviews and threat modeling in newly built features and existing product microservices infrastructure

• Continuously improve HubSpot's application security program by educating developers, creating secure defaults, and increasing automated testing

• Lead red team exercises to find weaknesses in HubSpot’s services, tools, and infrastructure

• Maintain knowledge of the latest vulnerabilities, exploits, and the evolving threat landscape and distill that knowledge to other groups within HubSpot

• Manage programs for bug bounty and internal and external penetration testing, ensuring vulnerabilities are identified and mitigated

• Act as an escalation point for security incidents that require the specialized knowledge of this team

• Drive projects and improvements that improve HubSpot’s Security and Privacy controls within the Product Organization and beyond

We are looking for people who have:

• 10 years’ experience in application security, software development, or incident response

• Previous involvement in red teaming, adversary emulation, or penetration testing

• Experience with secure development practices, public cloud, and network security

• Familiarity with security monitoring tools and investigation tools such as Splunk and Kibana

• Ability to communicate information about security and risk to a diverse audience

Cash compensation range: 186300-279500 USD Annually This resource will help guide how we recommend thinking about the range you see. Learn more about HubSpot’s compensation philosophy from Katie Burke, HubSpot’s Chief People Officer. The cash compensation above includes base salary, on-target commission for employees in eligible roles, and annual bonus targets under HubSpot’s bonus plan for eligible roles. In addition to cash compensation, all HubSpotters are eligible to participate in HubSpot’s equity plan to receive restricted stock units (RSUs). Some roles may also be eligible for overtime pay. Individual compensation packages are based on a few different factors unique to each candidate, including their skills, experience, qualifications and other job-related reasons. We know that benefits are also an important piece of your total compensation package. To learn more about what’s included in total compensation, check out some of the benefits and perks HubSpot offers to help employees grow better. At HubSpot, fair compensation practices isn’t just about checking off the box for legal compliance. It’s about living out our value of transparency with our employees, candidates, and community.