Nullify runs autonomous security work most teams can't staff for. This role is the human edge of that — validating what our agents find, going after what they can't, and feeding every technique back into the system so it gets sharper.
What you'll do
- Run deep, manual web app pentests against customer surface area that automated scanning alone won't catch — auth flows, business logic, multi-step exploit chains.
- Turn novel findings into reproducible techniques that get encoded back into Nullify's detection and validation agents.
- Partner with customer security teams during engagements, from scoping through report-back.
- Keep pace with the frontier: new frameworks, new auth patterns, new classes of vulnerability.
What you bring
- Real-world experience finding and exploiting vulnerabilities in production web applications — OWASP Top 10 and beyond.
- Comfort working close to the metal: reading application code, tracing requests, building custom tooling when off-the-shelf doesn't cut it.
- A bias toward proof over speculation — you validate before you report.
- Bonus: experience training or evaluating AI systems on security tasks.