Thoropass

Thoropass, founded in 2019, is a compliance automation company dedicated to simplifying compliance processes in healthcare, FinTech, and SaaS sectors. With a focus on fostering a c

Senior Associate, PCI Assurance

Location

United States

Posted

32 days ago

Salary

$110K - $130K / year

Seniority

Senior

Tags: Professional Certification, AI, AWS, GCP, Azure

Job Description

Senior Associate, PCI Assurance

Thoropass

Role Description

Forget everything you think you know about information security auditing. We’re on a mission to reinvent the outdated, clunky audit process—and we’re doing it with cutting-edge AI, automation, and a relentless commitment to customer success. At Thoropass, auditing isn’t about manually sifting through endless evidence or checking boxes—it’s about solving complex security problems for our customers in smarter, faster, and more innovative ways. And thanks to our AI-powered auditor tech stack and industry-leading audit process, you won’t spend your days buried in audit testing. If you’re an experienced, customer-centric auditor who’s tired of the grind and ready to help disrupt the industry, we want to hear from you.

What You'll Do

- Lead with Confidence: You’ll serve as the trusted advisor and main point of contact for your assigned customers, owning the PCI audit lifecycle from start to finish.
- Review, Guide, Elevate: Analyze audit evidence requests submitted by customers, provide expert feedback, and guide them toward best practices.
- Collaborate with AI: Partner with our advanced AI engine and auditor team to validate evidence, streamlining the process for maximum efficiency.
- Deliver Excellence: Generate high-quality PCI reports that reflect accuracy, precision, and your professional expertise.
- Problem-Solve Creatively: Use your curiosity and analytical skills to solve unique challenges, ensuring every customer has an exceptional experience.

Qualifications

- At least 3 years of PCI audit experience.
- Familiarity with advanced cloud technologies (AWS, GCP, Azure).
- Comfort working directly with customers and a knack for building relationships.
- Currently possess or are pursuing certifications like QSA, CISSP, CISA, CSP-specific certifications like AWS Solutions Architect, or similar.
- Exceptional problem-solving skills, attention to detail, and analytical ability.
- A genuine interest in solving problems and questioning the status quo.

Benefits

- No Manual Testing: Say goodbye to the drudgery of manual audit testing—our automation and dedicated audit experts do the heavy lifting.
- Cutting-Edge Tech: Work with an AI-powered toolset designed to make your job easier and more impactful.
- Make an Impact: Join a team that’s redefining how audits are done, creating value for customers in an entirely new way.
- USA Compensation: The salary range for this position is $110,000 - $130,000 and will be based on experience and skill set, plus a 12% bonus.
- Immediate access to health, dental, and vision care.
- Early equity in a fast-growing company.
- Work-from-home model.
- Flexible PTO.

Equal Opportunity

Thoropass provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.

Even if you feel you don’t meet every requirement, consider applying! Thoropass acknowledges the research which shows that women and people of color are less likely to apply for jobs when they don’t meet all of the stated qualifications. However, we’re looking for authentic innovators to blaze new trails, and you just may be the right person for this or another role.

More Security Engineer Jobs

Principal Cybersecurity Engineer

Bayer

Bayer is a global pharmaceutical and scientific research company dedicated to providing products that improve quality of life for people around the world. Founded in Germany in 186

Role Description

The Principal Cybersecurity Engineer will be responsible for:

- Defining project-level cybersecurity requirements.
- Designing and developing security solutions to mitigate product cybersecurity risks.
- Understanding medical device products and clinical applications to identify potential cybersecurity threats and develop mitigations.
- Performing threat modeling, vulnerability testing, security risk analysis, and security assessments.
- Reviewing security architecture and designs.
- Securing medical devices, medical device software, and IT software against cyber threats.
- Leading cybersecurity risk assessments and cyber signal incident responses and investigations.
- Leading cross-functional teams.
- Coordinating strategic supplier and partner relationships.

Qualifications

- Master’s in Cybersecurity, Computer Science, Telecommunications, or closely related field.
- 4 years of experience in cybersecurity-related positions in a medical device R&D environment.

Requirements

- Performing threat modeling of regulated medical devices using STRIDE.
- Assessing cybersecurity risk to patient safety and Protected Health Information (PHI).
- Creating security designs and requirements based on user needs.
- Applying security technologies to medical device product designs within software and hardware, including network security, encryption, firewalls, and TPM.
- Leading cross-functional teams in reviewing security architecture and design.
- Applying cybersecurity standards, including NIST CSF, NIST SP 800-30, AAMI TIR57, and AAMI TIR 97.
- Creating documentation for regulatory submissions, including cybersecurity management plans, threat model reports, security risk and cyber signal assessments, MDS2, and SBOM.
- Applying cybersecurity and secure design principles to medical device products in compliance with FDA Cybersecurity Guidance for Medical Devices.
- Conducting security testing and vulnerability scanning using Burp Suite, Wireshark, and Nessus.
- Analyzing findings with qualitative risk prioritization, including CVSS and OWASP.
- Planning and overseeing penetration testing with third-party testers.
- Developing cybersecurity policies and procedures.

Benefits

- Health care.
- Vision.
- Dental.
- Retirement.
- PTO.
- Sick leave.

Company Description

Bayer Healthcare LLC is an Equal Opportunity Employer/Disabled/Veterans. The company is committed to providing access and reasonable accommodations in its application process for individuals with disabilities and encourages applicants with disabilities to request any needed accommodation(s).

United States
$190K - $220K / year
Full Time | Remote | Team 5,001-10,000 | H1B No Sponsor

Role Description

Plan and execute offensive operations (Red Team engagements, Adversary Simulation/Emulation) against iFood Pago's infrastructure, applications and processes, simulating real adversaries with a focus on financial impact.

- Perform security testing on web applications, APIs (REST/GraphQL/gRPC) and mobile applications (Android and iOS), including static, dynamic and runtime analysis.
- Test and assess the security of cloud-native environments, including Kubernetes, containers and service meshes.
- Conduct security testing of AI-powered systems, identifying vulnerabilities such as prompt injection, model manipulation, data poisoning and guardrail bypass, among others.
- Develop automations, offensive tooling and integrations using AI/LLMs to scale processes and improve the identification and exploitation of vulnerabilities.
- Document findings clearly, demonstrating real business impact and proposing remediation action plans.
- Collaborate with the Blue Team and CSIRT in Purple Team exercises, contributing to the continuous improvement of detection and response.
- Stay up to date on emerging TTPs, especially those targeting the financial and payments sector in Latin America.

Qualifications

- Experience in Red Team operations and Penetration Testing in corporate environments.
- Mastery of web application and API security testing, including vulnerabilities beyond the OWASP Top 10 (broken authentication, mass assignment, BOLA/IDOR, race conditions, business logic flaws in financial flows).
- Experience in mobile security (Android/iOS): reversing APKs/IPAs, hooking with Frida, certificate pinning bypass, local storage analysis, etc.
- Practical knowledge of cloud-native environment security: Kubernetes (RBAC, pod escape, service account abuse), Docker (container breakout), AWS/GCP (privilege escalation, misconfiguration exploitation).
- Experience with Red Team infrastructure: C2 frameworks (Cobalt Strike, Sliver, custom C2), redirectors, OPSEC, evasion and persistence.
- Programming and scripting skills (Python, Go, Bash) for developing offensive tooling and automations.
- Knowledge of the MITRE ATT&CK Framework and the ability to map operations to relevant TTPs.
- Familiarity with financial protocols and systems is a strong plus.
- Ability to translate technical findings into business risk for different audiences.

Requirements

- Experience in security testing of LLM/AI-based systems (prompt injection, jailbreaking, tool-use abuse, data exfiltration via AI agents).
- Use of AI/LLMs to automate offensive tasks (vulnerability triage, payload generation, code analysis, automated reconnaissance).
- Participation in bug bounty programs with a relevant track record.
- Publication of research, CVEs, write-ups or talks at security conferences.
- Relevant certifications (OSCP, OSEP, OSWE, CRTO, CARTE, CRT, eMAPT).
- Previous experience at fintechs, banks or payment companies.

Benefits

- We are looking for someone passionate about information security, who is always seeking to learn and who enjoys challenges.

Germany
Staff Cloud Security Engineer

Hotel Engine

Innovating business travel with a free-to-use hotel booking platform.

Full Time | Remote | Team 201-500 | Since 2018 | H1B No Sponsor

• Cloud Security Architecture & Hardening: Lead security hardening across AWS and GCP environments, including identity and access management, network segmentation, logging, monitoring, configuration hygiene, and secure cloud architecture patterns. You will help define standards that scale across teams and cloud platforms.
• Cloud Risk Ownership: Own and mature Engine’s approach to identifying, prioritizing, and remediating cloud security risks. You will assess systemic risk, separate high-priority issues from low-value noise, and drive practical remediation in partnership with infrastructure and engineering teams.
• Orca Findings Management: Own the end-to-end lifecycle of Orca findings, including monitoring new alerts, triaging severity, identifying root cause, tracking remediation, and driving findings to closure with the appropriate technical owners.
• Cloud Alert Response: Serve as a primary responder for cloud-specific security alerts. You will help improve detection quality, reduce response time, and ensure cloud-originated threats are investigated and addressed effectively.
• Infrastructure-as-Code Security: Partner with teams using Terraform and related infrastructure-as-code workflows to review, improve, and harden cloud configurations before risk reaches production.
• AI Cloud Security: Help secure Engine’s expanding AI-related cloud footprint by identifying risks related to sensitive data, elevated IAM permissions, new service integrations, model/data access patterns, and infrastructure configurations.
• Cross-Functional Collaboration: Partner closely with infrastructure, platform, engineering, SecOps, and security leadership to move security work forward. You will adapt your messaging across audiences, build trust with technical teams, and influence decisions without relying on direct authority.
• Cloud-Native Threat Detection: Collaborate with SecOps to improve cloud telemetry, cloud-specific detection logic, SIEM signal quality, and response workflows for threats such as credential abuse, lateral movement, misconfigured storage, and data exfiltration.
• Security Standards & Advocacy: Build clear, actionable cloud security guidelines, guardrails, and best practices for engineering teams. You will help create the paved paths that allow Engine to move quickly while reducing cloud security risk.

United States
$137.3K - $190K / year
Full Time | Remote | Team 51-200 | H1B No Sponsor

• Operate and continuously improve the security enterprise platforms through effective controls, detections, monitoring, and incident response.
• Configure and manage IAM, access controls, and contextual access policies in line with least-privilege principles and secure access standards.
• Manage and maintain the company’s MDM/EDR capabilities, ensuring endpoint visibility, policy coverage, timely updates, and organization-wide adoption.
• Review new tools, workflows, and third-party integrations, including SaaS, AI tools, MCPs, and plugins, and provide practical security guidance to reduce operational risk while enabling the business.
• Drive and improve the company’s security awareness program, helping users operate safely through practical guidance and support.
• Monitor emerging attacks, vulnerabilities, and threat actor tradecraft, and turn that knowledge into practical defensive improvements across the company.
• Apply adversarial thinking and practical threat modeling to identify realistic attack paths and improve operational resilience across user workflows, enterprise tooling, and internal systems.
• Help define and improve security policies, standards, best practices, and configuration baselines for internal systems and business tooling.

Europe