.
← All roles

Web Application Penetration Tester

Engineering · In-Person Sydney / Remote USA · Full-time

Apply for this role

Nullify runs autonomous security work most teams can't staff for. This role is the human edge of that — validating what our agents find, going after what they can't, and feeding every technique back into the system so it gets sharper.

What you'll do

  • Run deep, manual web app pentests against customer surface area that automated scanning alone won't catch — auth flows, business logic, multi-step exploit chains.
  • Turn novel findings into reproducible techniques that get encoded back into Nullify's detection and validation agents.
  • Partner with customer security teams during engagements, from scoping through report-back.
  • Keep pace with the frontier: new frameworks, new auth patterns, new classes of vulnerability.

What you bring

  • Real-world experience finding and exploiting vulnerabilities in production web applications — OWASP Top 10 and beyond.
  • Comfort working close to the metal: reading application code, tracing requests, building custom tooling when off-the-shelf doesn't cut it.
  • A bias toward proof over speculation — you validate before you report.
  • Bonus: experience training or evaluating AI systems on security tasks.

Apply Now

Tell us a bit about yourself — we read every application.

Max file size 10MB.
Uploading...
fileuploaded.jpg
Upload failed. Max size for files is 10 MB.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.