Offensive Security Engineer

Klaviyo · Greater Denver Area

Type

Full Time

Job Description

At Klaviyo, we value the unique backgrounds, experiences and perspectives each Klaviyo (we call ourselves Klaviyos) brings to our workplace each and every day. We believe everyone deserves a fair shot at success and appreciate the experiences each person brings beyond the traditional job requirements. If you're a close but not exact match with the description, we hope you'll still consider applying. Want to learn more about life at Klaviyo? Visit careers.klaviyo.com to see how we empower creators to own their own destiny.
Klaviyo is searching for our next Offensive Security team member. This position is a unique opportunity to develop tools and techniques for offensive web application penetration testing. You will execute against our existing code base, while also testing new features / functionality. You will work to protect Klaviyo, our customers, and their data. This position will require you to use your technical expertise to study the Klaviyo web application, find and verify risks, and work with engineering teams to address any findings.
The ideal candidate will be an offensive cybersecurity professional with a passion for analyzing codebases, testing hypotheses, and designing tools to impact web applications and their infrastructure. Responsibilities include triaging bug reports, assisting engineering teams with mitigation, and conducting manual web application testing using tools like Burp Suite Professional. Proven experience in compromising web applications and APIs in cloud environments, scripting for security testing, and clear communication of vulnerabilities is essential.
How you'll make a difference:

  • Partner with Engineering, Product, IT, and other business functions to drive security improvement across the organization
  • Research emerging attack vectors, vulnerabilities and techniques
  • Utilize your offensive skills to identify weaknesses and build defenses against those who may point their attacks at Klaviyo
  • Develop custom payloads and exploits
  • Emulate adversaries by attacking web applications, supporting services, and cloud platforms
  • Collaborate closely with detection engineers to build high fidelity alerting based on emerging attack vectors and tactics, techniques and procedures
  • Triage and respond to bug bounty submissions related to the application
  • Actively participate in purple-team exercises to mature the security program


Qualifications:

  • 4+ years of experience in offensive security engineering disciplines (red teaming, penetration testing, fuzz testing, etc.).
    • Web application / API offensive security testing is a must-have
  • Experience using open source and commercial scanners / exploit tools such as Burp / Nessus / OWASP ZAP as reconnaissance tools.
  • Demonstrated application of cyber threat intelligence (open source or commercial) to guide testing / exploitation.
  • Substantial scripting or developing in Python during the past 2 years.


The pay range for this role is listed below. Sales roles are also eligible for variable compensation and hourly non-exempt roles are eligible for overtime in accordance with applicable law. This role is eligible for benefits, including: medical, dental and vision coverage, health savings accounts, flexible spending accounts, 401(k), flexible paid time off and company-paid holidays and a culture of learning that includes a learning allowance and access to a professional coaching service for all employees.
Base Pay Range For US Locations:
$123,200 - $184,800 USD
Get to Know Klaviyo
We're Klaviyo (pronounced clay-vee-oh). We empower creators to own their destiny by making first-party data accessible and actionable like never before. We see limitless potential for the technology we're developing to nurture personalized experiences in ecommerce and beyond. To reach our goals, we need our own crew of remarkable creators - ambitious and collaborative teammates who stay focused on our north star: delighting our customers. If you're ready to do the best work of your career, where you'll be welcomed as your whole self from day one and supported with generous benefits, we hope you'll join us.
Klaviyo is committed to a policy of equal opportunity and non-discrimination. We do not discriminate on the basis of race, ethnicity, citizenship, national origin, color, religion or religious creed, age, sex (including pregnancy), gender identity, sexual orientation, physical or mental disability, veteran or active military status, marital status, criminal record, genetics, retaliation, sexual harassment or any other characteristic protected by applicable law.
IMPORTANT NOTICE: Our company takes the security and privacy of job applicants very seriously. We will never ask for payment, bank details, or personal financial information as part of the application process. All our legitimate job postings can be found on our official career site. Please be cautious of job offers that come from non-company email addresses (@klaviyo.com), instant messaging platforms, or unsolicited calls.


Date Posted

08/20/2024
