Role Description As a Staff Product Security Engineer, you will play a critical role in safeguarding Okta’s products by: - Conducting comprehensive security reviews. - Guiding engineering teams in secure development practices. - Handling externally reported vulnerabilities. - Engaging in code reviews, penetration testing, and architectural security assessments. This role is not suited for individuals who rely solely on automated vulnerability scanning. Instead, you must possess a deep technical understanding of: - Web applications. - Backend services. - Penetration testing methodologies. - Secure design principles. A successful candidate will have: - Expertise in authentication protocols (SAML, OAuth, OIDC). - Threat modeling experience. - A strong desire to automate security processes by building tools that proactively identify vulnerabilities. - Ability to communicate risks, impact, and remediation strategies to developers, leadership, and external audiences. - A deep technical background in assessing AI-integrated software architectures and securing Large Language Models (LLMs). - An attacker mindset—thinking critically, creatively, and like an adversary when solving security challenges. We actively support public disclosure of research and findings through white papers, blog posts, and conference presentations. Qualifications - Expertise in identifying OWASP Top 10 / CWE Top 25 vulnerabilities through manual code review. - Strong experience in penetration testing and secure development practices. - Deep technical background in assessing Large Language Models (LLMs) and securing AI-integrated software architectures. - Proficiency in multiple programming languages (e.g., Java, Go, Python, C/C++). - Deep understanding of authentication & authorization protocols (OIDC, SAML, OAuth). - Strong communication skills to explain risks and remediation to developers and leadership. - Ability to automate security testing using LLMs and scripting (Python, Bash, etc.). - Experience leading security incidents and risk assessments. Requirements - Experience in mobile (iOS/Android) and desktop (Windows/macOS) security testing. - Familiarity with SAST, DAST, SCA, and fuzzing tools. - Strong cryptographic knowledge and secure implementation practices. - Experience analyzing network protocols and traffic security. - Ability to develop proof-of-concept exploits to demonstrate vulnerabilities. Benefits - Annual base salary range for this position for candidates located in Spain is between €74.000 and €101.000 EUR. - Equity (where applicable) and bonus. - Comprehensive healthcare coverage and financial benefits including paid time off and parental leave.

Title: Federal Cyber Security Analyst Location: Remote (U.S., New York Preferred) About Rhymetec: Rhymetec was founded in New York City in 2015, growing steadily in the areas of compliance, cyber security and data privacy. Our mission is to ensure our clients are compliant faster, so they can focus on their core business and less on the complexities of building effective and compliant infosec programs. This role is fully remote. Job Description: The Federal Cyber Security Analyst (FCSA) will be responsible for architecting, developing, and implementing solutions that help Rhymetec's clients achieve, manage and measure security metrics and compliance requirements. The role will work closely with their team to help design and deliver security and compliance objectives and have the ability to help drive foundational changes in internal cloud platforms to enhance their security posture. The ideal candidate will have a team first mentality and fit within the core values and culture at Rhymetec, along with project management experience and knowledge with customized compliance road maps for clients. This person will be responsive to both customers and team members with communications, be detail oriented, and hold a high level of autonomy to complete work on time and with quality. Responsibilities: - Prepare agendas and reference documents for meetings with clients. - Assist in building and managing cyber security programs for Rhymetec’s customers based on industry standard cyber security compliance frameworks. - Conduct meetings with clients regularly. - Configure performance monitoring alarms, security alarms, IDS/IPS in AWS, Azure, GCP, Datadog and other cloud infrastructures. - Set up supporting security applications. - Set up mobile device management applications such as Jamf, Jumpcloud, Microsoft Endpoint manager, Hexnode, etc. - Configure and maintain compliance monitoring platforms. - Conduct internal audits, risk assessments, and generate reports. - Conduct Incident Response Tabletop exercises with clients. - Conduct Business Continuity and Disaster recovery tabletop exercises with clients - Document and lead incident response process should an incident arise. - Translate CMMC, FedRAMP, GovRAMP, TX-RAMP (preferred) controls into actionable items for clients. - Conduct employee access reviews, SaaS vendor security assessments, and gap assessments. - Triage bug/vulnerability reports from security researchers. - Complete security questionnaires on behalf of clients. - Draft supporting documents for clients’ information security management systems and information security policies. - Gather and maintain evidence of compliance for various frameworks. - Lead engagements with auditors on behalf of clients. - Communicate tasks to clients’ employees and educate clients on security best practices. Qualifications: - Bachelor's Degree from an accredited university in a Technology or Cybersecurity field OR 4+ years of direct experience in listed areas. - 3+ years of work experience working with cybersecurity and regulatory compliance. - Experience in customer service and ability to develop professional relationships with customers. - Extensive knowledge of compliance, regulatory frameworks, and implementing CMMC, FedRAMP, GovRAMP, TX-RAMP, and other various federal frameworks. - Strong logical security skills, with experience in cloud security. - Understanding of cloud environments (AWS, GCP, Azure) and integrating security controls through DevOps and Infrastructure as a Service (IaaS) techniques. - Certifications are preferred. - Quarterly travel may be required. Benefits Rhymetec offers a robust employee package, including: - Employee covered medical premiums (100%) - Dental and Vision Benefits - PTO and Sick Time, including 11 paid Holidays - 401K retirement plans with company match options - Company paid Life Insurance - Annual Subscription to TalkSpace (online counseling & therapy service) - Summer Fridays! Rhymetec is committed to creating a diverse environment and is proud to be an equal-opportunity employer. All qualified applicants will receive consideration for employment regardless of race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetic, disability, age, or veteran status.

• This role leads a team that delivers traditional web application penetration testing, Defense-in-Depth assessments extending beyond the web layer, and Red Team engagements • Shape an automation-first and intelligence-driven offensive security program • Ensure offensive security services evolve from point-in-time testing toward a continuous assurance model • Hire, lead, coach, and retain an expert team; establish goals, role clarity, performance expectations, and development plans • Define and execute the offensive security strategy • Own end-to-end engagement delivery for web application penetration testing, Defense-in-Depth assessments, and Red Team operations • Manage vendor relationships supporting Red Team activities • Partner with vulnerability management, product security, engineering, and infrastructure teams to ensure findings are actionable, prioritized, tracked, and re-tested as appropriate • Define and maintain assessment methodologies, reporting standards, and measurable KPIs

• Lead the deployment and configuration of BeyondTrust Endpoint Privilege Management (EPM) across the organization • Design, implement, and fine‑tune EPM policies, rules, and configurations for different user groups and environments • Work with Security / IAM / IT to plan and execute a phased rollout with early adopters, business teams, and then engineering • Collaborate with internal stakeholders to gather feedback on the rollout and adjust policies and settings accordingly • Create and maintain documentation which includes configuration guides, runbooks, deployment procedures, and best practices • Contribute to testing and validation of EPM policies to minimise user disruption while maintaining strong security controls • Identify opportunities to automate deployment, configuration, and ongoing management (e.g. via scripting in PowerShell, Bash, Python, etc.) • Monitor progress against agreed project timelines and milestones, escalating risks or blockers when needed • Work closely with the wider Identity & Access Management team to align EPM configuration with existing IAM standards and processes • Provide knowledge sharing and basic enablement to internal teams on how to work effectively with the new EPM solution