Location: Remote position. Occasional travel to our office in Golden, Colorado is required. About Pentera Pentera is the global leader in Automated Security Validation, helping organizations worldwide safely emulate real-world attacker behavior and uncover their true security gaps across on-prem, cloud, and hybrid environments. With more than 1,200 customers in over 50 countries and a rapidly growing global team, Pentera is shaping how modern enterprises continuously validate their security posture. About the Role We are looking for a Cyber Researcher to join our R&D team and play a key role in shaping how automated security validation evolves. In this role, you will conduct deep, hands-on technical research into attacker techniques and system behaviors across operating systems, identity systems, cloud platforms, and enterprise environments. Your work will be translated into production-grade, automated attack emulations that dynamically adapt and make decisions, closely mirroring how skilled attackers operate in the real world. This is a highly technical role that combines research, development, and applied AI, with direct impact on a real-world security product. Responsibilities - Conduct in-depth research into attacker techniques across Windows, Linux, identity systems, cloud environments, and external attack surfaces - Design and develop advanced attack simulation techniques that challenge modern security controls and defensive architectures - Translate research findings into scalable, production-ready capabilities within Pentera’s automated validation platform - Architect and implement decision-making logic that enables dynamic attack paths and adaptive behavior during automated operations - Develop high-quality code that powers complex attack simulations, using appropriate languages and technologies for each use case - Collaborate closely with R&D, engineering, and product teams to integrate new research into the platform - Mentor team members and contribute to a culture of technical excellence, curiosity, and continuous learning Requirements - 5+ years of hands-on experience in security research, penetration testing, or adversarial security engineering - Strong knowledge of Windows internals, operating systems, networking, and enterprise environments - 3+ years of experience developing in Python - Proven ability to write efficient, stealth-aware, and production-quality security-related code - Experience with security research tools and frameworks such as Metasploit, Impacket, Nmap, Burp, or similar - Proficiency in reverse engineering and debugging using tools such as IDA, Ghidra, WinDBG, or Radare2 - Experience working with cloud platforms such as AWS and Azure - Ability to apply AI or machine learning concepts to decision-making, automation, or behavior modeling within complex systems - Strong collaboration skills, adaptability, and a fast learning mindset Preferred Qualifications - Experience modeling attacker decision-making, attack paths, or adversarial behaviors - Familiarity with graph-based analysis, pathfinding, or automated reasoning systems - Hands-on experience with security product development and large-scale platforms - Exposure to AI-driven automation, agent-based systems, or adaptive workflows - Bachelor’s degree in Computer Science or a related technical field Compensation: The base salary range for this role is $180,000–$220,000, depending on experience, skills, and location. This range reflects the base compensation only. In addition, Pentera offers a comprehensive total rewards package that includes performance-based bonuses, equity opportunities, health and wellness benefits, retirement plans, and other perks designed to support long-term growth and well-being. We are an equal opportunity employer and we are committed to building a diverse and talented workforce. We do not discriminate on the basis of race, sex, religion, colour, national origin, gender, gender identity, sexual orientation, age, marital status, veteran status, medical condition, disability, or any other class or characteristic protected by applicable law. We welcome candidates from all backgrounds to join us!

RegScale is a continuous controls monitoring (CCM) platform that helps organizations automate and scale their security, risk, and compliance programs. We are at an inflection point, transitioning from startup execution to a disciplined, enterprise-ready engineering organization, and we are building the team that will take us there. As a platform handling sensitive security and regulatory data for enterprise and government customers, security is not a compliance checkbox at RegScale. It is a core engineering discipline woven into how we build software. The Role This is a high autonomy role for a seasoned security engineer who thrives at the center of a complex engineering organization. You are the primary application security practitioner at RegScale. You identify where the risk is, build the strategy to address it, and drive initiatives from concept to measurable improvement without a team beneath you and without direct authority over the engineers you depend on to execute. Your reach spans all of engineering including Core Engineering, Platform and AI, Compliance as Code, Quality Engineering, SRE, Infrastructure, and the external security team. You succeed by making engineers more security conscious and embedding security into how software is designed, built, and deployed rather than finding vulnerabilities after the fact. RegScale serves enterprises and government agencies under frameworks like FedRAMP, NIST, and CMMC. This role reports into SRE and Infrastructure and requires deep technical security expertise combined with the organizational influence and end to end ownership mindset needed to make security a shared engineering value. Key Responsibilities - Own the application security program end to end, identifying risks, setting priorities, building strategy, aligning stakeholders, driving implementation across engineering teams, and measuring outcomes. - Conduct threat modeling and security design reviews early in the development process, embedding security thinking into architecture and feature design before code is written. - Partner with developers across all engineering teams to shift security left, coaching on secure coding practices, reviewing code for vulnerabilities, and building security awareness as a shared engineering capability rather than a specialized handoff. - Integrate security tooling and automated security checks into CI/CD pipelines including static analysis, dependency scanning, and secrets detection, ensuring actionable security signals. - Own vulnerability management across the platform, triaging findings from internal testing, external assessments, and tooling, prioritizing remediation based on risk, and driving resolution to completion. - Lead and coordinate penetration testing and security assessments, working with internal and external resources to scope, execute, and translate findings into engineering action. - Define and maintain secure development standards and patterns that engineering teams can adopt, covering areas such as authentication, authorization, API security, and data-handling. - Bridge engineering and the external security team, translating security requirements into engineering priorities and engineering constraints into security strategy, ensuring both sides operate with shared context and mutual accountability. - Support compliance and regulatory requirements including FedRAMP, NIST, and enterprise customer security obligations, working with the Compliance as Code team to ensure security controls are implemented and evidenced effectively. - Assess and address security risks introduced by AI features and integrations, including prompt injection, data exposure through AI interfaces, and third-party model risks, working closely with the Platform and AI team to ensure AI capabilities are built and deployed securely. - Build visibility into the security posture of the platform through metrics, dashboards, and reporting that inform engineering leadership and support customer and auditor conversations. Required Qualifications - 10 or more years of application security experience with a demonstrated track record of owning security programs and driving initiatives end to end across complex engineering organizations. - Deep expertise across the application security domain including threat modeling, secure design review, vulnerability assessment, penetration testing, and secure development practices. - Proven ability to operate as a solo practitioner or small team lead, setting priorities independently, managing competing demands, and delivering outcomes without close supervision. - Strong experience influencing engineering teams without direct authority, building credibility through technical depth, clear communication, and practical solutions that fit the realities of product delivery. - Experience integrating security into CI/CD pipelines and modern software delivery practices, with a shift left mindset that prioritizes prevention over detection. - Solid understanding of cloud security principles and how application security intersects with infrastructure security in a cloud native environment. - Strong written and verbal communication skills, able to articulate security risk, strategy, and tradeoffs clearly to engineering teams, leadership, and stakeholders including customers and auditors. Preferred Qualifications - Experience in regulated industries with compliance frameworks such as FedRAMP, NIST 800-53, CMMC, or SOC 2. Direct FedRAMP authorization or continuous monitoring experience is a strong plus. - Background in enterprise SaaS companies where security scaled across multi-tenant architectures and high stakes regulatory environments. - Experience supporting penetration tests, bug bounty programs, or third-party security assessments and translating findings into prioritized engineering roadmaps. - Familiarity with GRC platforms or compliance automation tools, bringing domain context that makes security decisions more credible with customers. - Familiarity with AI security considerations including securing LLM integrations, prompt injection risks, AI governance, and emerging regulatory expectations around AI in compliance contexts. - Relevant certifications such as OSCP, CISSP, or CSSLP, valued as evidence of structured knowledge, not as a substitute for demonstrated engineering capability. RegScale is only able to hire US Citizens

At ExtraHop, we’re on a mission to protect and empower the connected enterprise. We reveal what is happening in the very infrastructure that sustains businesses, lives, and communities, and ensure the integrity of networks, data, systems, and processes. Organizations rely on ExtraHop to provide visibility into the cyber threats, vulnerabilities, and network performance issues that evade their existing security and IT tools. With this insight, organizations can investigate smarter, stop threats faster, and keep operations running. Our mission is fueled by a profound social and moral responsibility to be the best at what we do, ensuring a secure world where everyone can thrive. If this sounds like a place you’d like to spend the next chapter of your career, we’d love to hear from you. Position Summary Do you like securing complex cloud services and infrastructure? Want to be a part of a collaborative team that builds solutions that protect some of the biggest networks in the world? ExtraHop is seeking a Sr. Product Security Engineer, experienced with modern cloud system development and infrastructure-as-code practices to build and operate product security program capabilities, tools, and processes that allow us to keep pace with a rapidly changing security landscape, reduce security risk and enable organizational success. We're looking for candidates with a mix of cloud security, infrastructure security, security information and event management (SIEM) technologies, DevOps, and software development experience, who enjoy working in a collaborative environment and taking direct action to identify, remediate and prevent vulnerabilities and security issues. You must have experience securing cloud environments and modern computing infrastructure, deploying and operating SIEM tools, and strong familiarity with Infrastructure-as-Code and container technologies. Key Responsibilities - Implement and operate Splunk Cloud Platform and Enterprise Security, including setting up log ingestion from required source systems and ensuring correct parsing and categorization of log events for effective SIEM operations - Implement and operate endpoint detection and response (EDR) and network detection & response (NDR) solutions - Develop system configuration and hardening standards and coordinate with other teams to ensure compliance with those standards - Define standards for secure configuration of application and infrastructure components - Perform threat modeling, security design reviews, code reviews, and consultations with other staff - Build and improve vulnerability management processes and tooling to support system owners to successfully remediate issues - Perform, automate and streamline patching and vulnerability remediation activities - Develop and deliver training on cloud security issues, best practices and internal policies - Select, implement and manage cloud security tools including cloud security posture management (CSPM), network/host/container/IaC vulnerability scanners and configuration auditing - Participate in manual pen testing of new + existing systems - Perform and/or lead security investigation and incident response activities - Participate in an on-call rotation with occasional after-hours paging to review carefully prioritized security detections Required Qualifications - Bachelor’s degree or equivalent experience in computer science, engineering, or information technology - 8+ years of experience in security engineering, software development and/or DevOps, with a focus on securing complex systems and modern cloud infrastructure - Strong experience securing AWS cloud platform and services, including the implementation of guardrails using service control policies (SCPs), IaC policies, CSPM, or similar strategies - Experience implementing Splunk Enterprise Security to monitor cloud-based systems - Experience working with container-based environments (Kubernetes, Docker, LXC, etc.) - Experience securing cloud-based web applications, APIs, data and infrastructure - All R&D Employees will be required to attend 2 mandatory in-person events every year. These events are typically held in our offices in downtown Seattle and run 4-5 days each - Must be a U.S. citizen or national, U.S. permanent resident (current Green Card holder) or lawfully admitted into the U.S. as a refugee or granted asylum - Note: employees, including fully remote staff, are expected to attend two in-person events every year. These events are typically held in our offices in downtown Seattle and run 4-5 days each Preferred Qualifications - Experience securing software-as-a-service (SaaS) and cloud service offerings - Experience with meeting FedRAMP, NIST SP 800-53 and similar compliance requirements - Experience deploying or managing EDR and NDR solutions (such as ExtraHop RevealX) - Experience securing Google Cloud Platform (GCP) and Azure - Experience working in a security operations center (SOC) and/or leading security incident response activities - Solid knowledge of Kubernetes, Git, Python, Terraform, Ansible, and the use of scripting in support of security automation, CI/CD pipelines The salary range for this role is $150,000 - $180,000 + bonus + benefits. ABOUT EXTRAHOP ExtraHop is reinventing Network Detection and Response (NDR) to offer enterprises unparalleled visibility, context, and control against emerging threats. The platform integrates NDR with Network Performance Management (NPM), Intrusion Detection Systems (IDS), and forensics, providing a single, comprehensive solution. By decrypting and analyzing complete packet-level data at wire speed and leveraging cloud-scale machine learning, ExtraHop empowers Security Operations Centers (SOCs) to detect, investigate, and remediate modern cyber risks in real time across their entire hybrid infrastructure, including data center, cloud, and SASE environments. This comprehensive approach and market innovation have earned ExtraHop unique recognition as the only NDR vendor acknowledged as a leader by all major analyst firms, including the 2025 Gartner® Magic Quadrant for Network Detection and Response™, the 2025 Forrester® Wave for Network Analysis and Visibility, the 2024 IDC® Marketscape for NDR, and the 2025 Gigamon® Radar Report for Network Detection and Response. Since 2007, ExtraHop has consistently helped organizations worldwide extract in-depth network telemetry and contextual insights, affirming its commitment to protecting and empowering the connected enterprise. OUR VALUES Our culture is rooted in our five Values. These set the expectations for how we work individually and collectively as a team. Lead with Purpose: We are driven to deliver results that create a positive impact for our customers, partners, and colleagues. Act with Integrity: We operate with transparency, authenticity, and always in the best interest of the company. Find a Way: We are resourceful, tackle hard problems with a sense of urgency and ownership, and do what it takes to get the job done. Innovate: We listen to customers, partners, and the market, and respectfully push boundaries and challenge the status quo. Share Success: We run together, we win together. We value diverse perspectives, hold space for all voices, and achieve the best results as a team. BENEFITS Employees' wellbeing is top of mind for the ExtraHop team. Employees and their families will have the option to participate in the following benefits: - Health, Dental, and Vision Benefits - Flexible PTO, Sick Time Prorated Based on Date of Hire, and All Federal Holidays (US Only) + 3 Days of Paid Volunteer Time - Non-Commissioned Positions may be eligible to participate in the Annual Discretionary Bonus Plan - FSA and Dependent Care Accounts + EAP, where applicable - Educational Reimbursement - 401k with Employer Match or Pension where applicable - Pet Insurance (US Only) - Parental Leave (US Only) - Hybrid and Remote Work Model Our people are our most important competitive advantage, leading the charge against cyber criminals. Join the fight today! To learn more, visit www.extrahop.com or follow us on LinkedIn. Create a Job Alert Interested in building your career at ExtraHop? Get future opportunities sent straight to your email.

• Provide Cybersecurity Engineering and Risk Management Framework (RMF) support for The United States Air Force (USAF) Life Cycle Management Center (AFLCMC) Engineering Directorate (AFLCMC/EN-EZ) Cyber Systems Engineering Division (AFLCMC/EZH). • Provide state-of-the-art technical support for the acquisition of cloud Development Security Operations (DevSecOps) boundary systems within AFLCMC. • Play a critical role in supporting the RMF Assessment and Authorization (A&A) processes for AFLCMC/EN-EZ. • Responsible for the technical implementation of the RMF. • Conduct cybersecurity and risk assessments on networks, systems and applications to identify and mitigate technical and non-technical vulnerabilities. • Handle multiple RMF authorization types, including baseline changes, use cases, Assessment Summary Results (ASR), Authorization to Operate (ATO), CAR, Denial of Authorization to Operate (DATO) & HRR/HR. • Conduct vulnerability assessment and analysis utilizing standard technologies, such as Security Content Automation Protocols (SCAPs), Assured Compliance Assessment Solution (ACAS)/NESSUS scans and DISA Security Technical Implementation Guides (STIGs)/ Security Requirements Guides (SRGs). • Conduct security assessments and create RMF documentation, including Security Assessment Plans (SAPs), eMASS Security Risk Assessment (SARs), Special Access Programs (SAPs) Executive Summary, SAPs Body of Evidence (BOE). • Provide accurate assessments and document security posture, capabilities and vulnerabilities. • Lead the creation of the SAPs and SARs and convey technical findings and risk assessments. • Perform detailed risk analysis, identify system vulnerabilities and provide comprehensive recommendations for risk mitigation. • Verify, validate and document risk, perform Security Control Assessments (SCAs) and document compliant and failed security controls in eMASS. • Assess STIGs and SRGs. • Ensure traceability of all vulnerabilities from raw assessment results to the Plan of Action and Milestones (POA&Ms). • Support the Continuous Security Monitoring (CSM) program as necessary.