Security Engineer – Red Team & Offensive Security

Security Engineer – Red Team & Offensive Security

About The Role:

Sitecore is seeking a proactive and technically skilled Security Engineer with a focus on Red Team and offensive security operations. This role will support security testing and hardening efforts across Sitecore’s cloud-native and SaaS products by leading and managing penetration testing, vulnerability management, bug bounty coordination, and code security initiatives.

The engineer will work closely with product engineering teams, security stakeholders, and external partners to identify, assess, and drive the remediation of vulnerabilities. The ideal candidate should be deeply familiar with threat actors, modern attack vectors, and best practices for secure application and infrastructure design.

Key Responsibilities:

Penetration Testing & Red Team Operations

• Own and manage the penetration testing calendar across products and infrastructure.
• Coordinate with external partners for scheduled and ad-hoc security testing.
• Analyze and triage findings, produce detailed test reports, and follow up on remediation efforts.

Vulnerability Management (Wiz)

• Perform regular scanning and analysis using Wiz for cloud and infrastructure vulnerabilities.
• Prioritize findings based on risk, exploitability, and business impact.
• Track and report on remediation progress across teams and ensure compliance with internal SLAs.

Code Security (Wiz Code)

• Work with development teams to integrate secure coding practices and manage static analysis via Wiz Code.
• Review and triage security findings in application code, guiding engineering teams on remediations.

Bug Bounty Program (HackerOne)

• Coordinate Sitecore’s Bug Bounty Program with HackerOne, reviewing reports, validating findings, and managing triage workflows.
• Collaborate with researchers and internal stakeholders to assess and resolve reported vulnerabilities.

Attack Surface Management

• Continuously monitor Sitecore’s external and internal attack surface.
• Proactively identify exposed assets, misconfigurations, or gaps that may lead to exploitation.

Threat Intelligence & Security Research

• Stay current with evolving threat landscapes, vulnerabilities (CVEs), and TTPs (Tactics, Techniques, and Procedures).
• Share intelligence and recommendations with internal teams to strengthen defenses and design.

Cross-Team Collaboration & Reporting

• Work closely with Engineering, Cloud, and Product Security teams to share findings, improve visibility, and reduce exposure.
• Maintain detailed documentation, dashboards, and status reports on open vulnerabilities, tracking remediation timelines and SLAs.

 What You Need to Succeed:

• 3–6 years of experience in application security, penetration testing, or red team operations.
• Hands-on experience with tools like Wiz, Wiz Code, Burp Suite, Nmap, Metasploit, and scripting for automation.
• Familiarity with OWASP Top 10, cloud-native security (Azure, AWS), and container security best practices.
• Strong understanding of vulnerability management lifecycle, secure SDLC, and offensive security techniques.
• Experience managing or participating in bug bounty programs is a strong plus.
• Security certifications such as OSCP, GWAPT, GPEN, or CEH are a plus.
• Excellent written and verbal communication skills with the ability to present technical concepts to non-technical audiences.

Work Conditions

• Based in KL, with working hours aligned to U.S. Central or Eastern time zones.
• Occasional after-hours availability may be required for coordinating tests or responding to time-sensitive findings.
• Requires close collaboration with globally distributed engineering and security teams.