Senior Security Engineer (Pen Tester)

Menlo Security

Full-time
Canada
C$120k-C$210k per year
security
engineer
python
aws
architecture

Menlo Security's mission is enabling the world to connect, communicate and collaborate securely without compromise. COVID-19 has made our mission all the more real. We support customers across various enterprises including Fortune 500 companies, 9/10 of the largest global banks and the Department of Defense.

The world has fundamentally changed. We are growing from 400 employees into the next phase of our journey, and we need passionate talent filled with empathy and agility. The right candidate for the job is ethical, hyper-organized, fanatical about seeing things through to completion, service-oriented, and humble enough to take feedback and coaching yet confident enough to provide feedback and coaching.

Menlo is well-funded for growth and our investors are second to none. They include Vista Equity Partners (“Vista”), General Catalyst, JPMC, American Express, HSBC, and Ericsson Ventures.

Role Overview

We are seeking a forward-thinking Security Engineer to join our team, focusing on offensive and defensive security, the penetration testing of product features, and the cloud architecture supporting the product. In this role, you will operate across a complex, multi-cloud environment (AWS & GCP) comprising both traditional VMs and modern managed and unmanaged container-based architectures.

In this focused role, you will partner with other security (Penetration Tester and Cloud Security) engineers to execute targeted assessments during specific windows of the product testing phase immediately prior to release. Success requires you to stay synchronized with the product roadmap and develop a deep technical mastery of new features, enabling you to independently configure environments and test thoroughly within tight timelines.

Your responsibilities extend beyond the application layer to the Control Plane, where you will conduct rigorous infrastructure reviews to ensure that cloud configurations, IAM policies, and orchestration layers meet our security baselines. Your operational cadence is built on speed: you must identify, validate, and report vulnerabilities quickly to maintain release velocity. Additionally, you will serve as the frontline for external defenses, monitoring bug bounty pipelines and external reports to triage and respond to findings with professional precision.

Key Responsibilities

  • Collaborative Penetration Testing (AWS & GCP): Work in tandem with a peer pentester to conduct deep-dive penetration tests of our products across our multi-cloud environment.

  • Control Plane: Review IAM policies, service configurations, and cloud-native permission structures.

  • Data Plane & Web UI: Execute dynamic testing against web interfaces and API endpoints.

  • Infrastructure Review: Assess the security posture of a hybrid infrastructure that mixes containers and virtual machines (VMs).

  • Vulnerability Reporting & Advisory: Triage findings and create clear, reproducible proofs-of-concept (PoCs). Collaborate with Product Teams to explain the risk. You may not be responsible for writing the fix or remediating the issue; your role is to ensure the product team understands what to fix.

  • AI-Augmented Security Assessments: Actively utilize AI and Large Language Models (LLMs) to automate reconnaissance, generate attack vectors, analyze configurations, and draft vulnerability reports. Fluency in prompt engineering for security contexts is essential.

  • Pipeline Management: Monitor bug bounty pipelines and external reports, validating findings and managing researcher communication.

Required Skills & Qualifications

  • Multi-Cloud Fluency: Demonstrate a deep architectural understanding of GCP and AWS. You should be capable of pivoting seamlessly between providers, performing manual configuration reviews of complex IAM/Resource hierarchies, and leveraging native APIs or modern CSPM frameworks to validate security controls.

  • Container Security: Proven experience auditing and hardening managed container services (GKE Autopilot/Standard, EKS, ECS) and self-hosted/unmanaged workloads (K8s, k3s, OCI-runc). Experience with Gatekeeper policies and Binary Authorization would be considered an asset.

  • AI Tooling: Demonstrated ability to integrate AI/LLM tools (e.g., Gemini, Claude) into the pentesting lifecycle to increase speed and coverage.

  • Web Application Security: Expert-level knowledge of web application security principles and offensive testing methodologies, with deep proficiency in OWASP Top 10 vulnerabilities, modern web framework exploitation, and API security (REST, WebSockets). Extensive hands-on experience conducting manual security assessments using Burp Suite Professional, OWASP ZAP, or similar tooling. Strong understanding of browser security mechanisms (CSP, CORS, SameSite cookies, Subresource Integrity), secure authentication/authorization patterns (OAuth 2.0, OIDC, JWT), and security header configurations (HSTS, X-Frame-Options, Permissions-Policy). Proven ability to identify complex security flaws beyond automated scanner detection, validate findings through proof-of-concept development, and provide actionable remediation guidance to engineering teams.

  • Security Automation: Proficiency in Python, Go, or Bash to eliminate 'toil.' You are expected to write custom scripts and tooling to automate vulnerability discovery, validate security controls, and streamline your own testing workflows.

  • Infrastructure as Code: Solid grasp of Terraform and cloud-native deployment patterns. You can interpret and audit complex HCL files to identify misconfigurations before they are provisioned.

  • Communication: Ability to write high-quality technical reports that Product Teams can easily understand and act upon.

Our Compensation and Benefits

At Menlo Security, Base Salary is one part of our competitive total compensation and benefits package and is determined using a salary range. The base salary range for this role is 120,000 CAD - 210,000 CAD.

In accordance with Canadian law, the range provided is Menlo Security’s reasonable estimate of the base compensation for this role. The actual amount may be higher or lower, based on non-discriminatory factors such as experience, knowledge, skills, abilities, and location. All employees may be eligible to become Menlo Security shareholders through eligibility for stock-based compensation grants, which are awarded to employees based on company and individual performance.

Menlo Security does not accept unsolicited resumes from search firm recruiters. Fees will not be paid in the event a candidate submitted by a recruiter without an agreement in place is hired; such resumes will be deemed the sole property of Menlo Security.

Menlo Security is an equal opportunity employer. All aspects of employment will be based on merit, competence, performance, and business needs. We do not discriminate on the basis of race, color, religion, marital status, age, national origin, ancestry, physical or mental disability, medical condition, pregnancy, genetic information, gender, sexual orientation, gender identity or expression, veteran status, or any other status protected under federal, state, or local law.

MSGL-I4

Why Menlo?

Our culture is collaborative, inclusive, and fun! We have five core values: Stay Aligned, Get It Done, Customer Empathy, Think Creatively and Help Each Other Out. We believe in open communication, supporting new ideas, and sharing a mutual mindset of what we’re aiming to achieve together. There are tremendous opportunities to take initiative, implement new ideas, and have a hand in building a legacy.

All qualified applicants will receive consideration for employment without regard to race, sex, color, religion, sexual orientation, gender identity, national origin, protected veteran status, or on the basis of disability.

TO ALL AGENCIES: Please, no phone calls or emails to any employee of Menlo Security outside of the Talent organization. Menlo Security’s policy is to only accept resumes from agencies via Ashby (ATS). Agencies must have a valid services agreement executed and must have been assigned by the Talent team to a specific requisition. Any resume submitted outside of this process will be deemed the sole property of Menlo Security. In the event a candidate submitted outside of this policy is hired, no fee or payment will be paid.

About the job

Full-time
Canada
Senior Level
C$120k-C$210k per year
Posted 1 day ago

Working Nomads curates remote digital jobs from around the web.

© 2026 Working Nomads.