Staff Security Engineer, Product
About the role
The Staff Security Engineer at Rogo is responsible for conducting offensive security assessments and developing intelligent security automation to harden the AI-driven platform, APIs, and cloud infrastructure.
Responsibilities
- Conduct hands-on penetration testing and red team assessments against Rogo's applications, APIs, AI/ML pipelines, and cloud environments on a continuous basis.
- Build agentic security tooling that finds, validates, and patches vulnerabilities end-to-end, minimizing manual intervention.
- Develop and maintain custom offensive tooling, exploit chains, and attack simulations tailored to Rogo's AI platform and architecture.
- Perform deep adversarial testing of AI-specific attack surfaces such as prompt injection, model manipulation, data poisoning vectors, agent-based workflows, and tenant isolation boundaries.
- Own vulnerability research and bug hunting across the product, go beyond scanner output to find logic flaws, auth bypasses, and chained exploits.
- Design and execute threat modeling sessions with engineering teams, translating offensive findings into concrete, prioritized remediation that ships in the same sprint.
- Lead purple team exercises: collaborate with infrastructure and engineering teams to test detection and response capabilities against your offensive scenarios.
- Own the relationship with external pen test firms and drive remediation of findings to closure.
- Share offensive tradecraft, emerging attack techniques, and lessons learned with engineering and leadership to continuously raise security awareness.
Requirements
Professional penetration testing experience across web apps, APIs, cloud environments, and ideally AI/ML systems. Written real exploits, not just run scanners. Built or excited to build agentic security tooling that autonomously finds, validates, and patches vulnerabilities, minimizing human-in-the-loop remediation. Professional development experience in a strongly typed language (e.g., Rust, Go, Java, C++) alongside scripting languages (Python, Bash) for exploit development and tooling. Integrated automated security checks into CI/CD pipelines (SCA, SAST, DAST) and understand how to give developers fast, actionable feedback without blocking velocity. Comfortable with infrastructure automation (Terraform, Kubernetes) and can identify misconfigurations and attack paths in AWS/GCP environments. Communicate crisply and can collaborate effectively with developers, product teams, and leadership. Applied knowledge of threat modeling, cryptography fundamentals, and compliance frameworks (SOC 2, ISO 27001/42001, NIST CSF).
Qualifications
Great candidates often have professional penetration testing experience across web apps, APIs, cloud environments, and ideally AI/ML systems. Written real exploits, not just run scanners. Built or are excited to build agentic security tooling that autonomously finds, validates, and patches vulnerabilities, minimizing human-in-the-loop remediation. Professional development experience in a strongly typed language (e.g., Rust, Go, Java, C++) alongside scripting languages (Python, Bash) for exploit development and tooling. Integrated automated security checks into CI/CD pipelines (SCA, SAST, DAST) and understand how to give developers fast, actionable feedback without blocking velocity. Comfortable with infrastructure automation (Terraform, Kubernetes) and can identify misconfigurations and attack paths in AWS/GCP environments. Communicate crisply and can collaborate effectively with developers, product teams, and leadership. Applied knowledge of threat modeling, cryptography fundamentals, and compliance frameworks (SOC 2, ISO 27001/42001, NIST CSF).
Skills
Experience testing multi-tenant SaaS platforms serving regulated industries (financial services is a strong plus). Hands-on cloud penetration testing experience in AWS or GCP (privilege escalation, cross-account attacks, metadata abuse). Kubernetes security testing (RBAC abuse, container escapes, admission controller bypasses, network policy evasion). Bug bounty track record or published CVEs / security research. Experience in customer-facing security conversations, deep-dive technical sessions, pen test debrief calls, and security architecture reviews.
Benefits
Rogo offers competitive compensation packages, including a comprehensive benefits program that includes health insurance, retirement plans, and paid time off. We also provide opportunities for professional growth and development, as well as a supportive and inclusive work environment.
Pay
We offer highly competitive salaries commensurate with experience and qualifications.
Schedule
We offer flexible work schedules to accommodate your needs and preferences.