Staff Product Security Engineer, Offensive Security

The Offensive Security Team, part of Product Security, actively assesses the security of Okta's products, services, and infrastructure, and we are seeking a highly technical and driven staff-level engineer to contribute to this effort. This role demands more than running vulnerability scans. Excelling here requires a thorough understanding of offensive security testing and a strong drive to identify and leverage security weaknesses. Above all, the most critical attribute of this role is an innate ability to think and operate as a sophisticated adversary. This skill is key to solving security challenges with deep technical expertise and creativity.

The ideal candidate will possess demonstrable expertise in the following areas:

• Cloud Security: In-depth knowledge of AWS security architecture, services, and common attack vectors, with a proven ability to compromise AWS Compute resources. Experience with Google Cloud Compute and Azure is highly desirable.
• Operating Systems: Deep familiarity with Linux and macOS operating systems, including their security features, command-line tools, and common attack surfaces.
• Application Security: Strong understanding of application security principles, common vulnerabilities (OWASP Top 10, etc.), and backend testing methodologies and techniques.
• Authentication Protocols: Familiarity with various authentication and authorization mechanisms, such as SAML, OAuth 2.0, and OIDC, and their associated security considerations
• Automation and Tooling: A strong desire and proven ability to automate security tasks and develop custom tooling to facilitate security reviews and pentesting
• TechOps: Experience with TechOps tooling and processes, such as Chef, Kubernetes, Terraform, and ArgoCD, enabling a comprehensive understanding of the operational environment.
• Communication: Excellent written and verbal communication skills with the ability to clearly and concisely articulate vulnerabilities and remediation strategies to technical and non-technical audiences

We actively encourage and support the external publication of impactful security research and findings through papers, blog posts, and presentations at industry conferences.

What You Will Do

• Apply attacker mindset to identify, plan, and exploit complex security gaps across app, cloud, and network layers.
• Conduct targeted security assessments and pentests; deliver actionable findings, detailed exploit recreation, and architectural remediation guidance.
• Act as a security SME across internal teams and represent Okta in internal and external forums when appropriate.
• Design and deploy disposable, repeatable, verifiable automation and infrastructure to support rapid, on-demand security engagements.
• Periodically triage internal vulnerability tickets and external bug bounty submissions.
• As needed, design and deploy tooling, automation, or infrastructure to support security engagements.
  
  

What You Bring

• Demonstrable experience in penetration testing web applications and infrastructure (5+ years preferred)
• Strong expertise in securing cloud environments (AWS, GCP, Azure)
• Proven ability to identify and demonstrate security vulnerabilities in infrastructure
• Familiarity with Threat Modeling concepts and frameworks
• Experience with Infrastructure as Code (e.g., Terraform) for building and testing environments.
• Solid understanding of modern cryptographic principles and their application
• Experience in automating security testing and streamlining offensive tasks.
• Ability to think strategically and develop comprehensive attack scenarios
• Effective communication skills for conveying technical security findings to various audiences
• A proactive approach to learning about emerging threats and developing new security techniques.
• Experience or interest in mentoring and sharing knowledge with team members.

#LI-REMOTE

#LI-SH1