Offensive Security Engineer

Sao Paulo (Remote) / Argentina (Remote) / Montevideo (Remote) / Brazil (Remote)
IT – Infosec & Compliance /
Full Time /
Remote
Apply for this job
Why you should join dLocal?

dLocal enables the biggest companies in the world to collect payments in 40 countries in emerging markets. Global brands rely on us to increase conversion rates and simplify payment expansion effortlessly. As both a payments processor and a merchant of record where we operate, we make it possible for our merchants to make inroads into the world’s fastest-growing, emerging markets. 

By joining us you will be a part of an amazing global team that makes it all happen, in a flexible, remote-first dynamic culture with travel, health, and learning benefits, among others. Being a part of dLocal means working with 800+ teammates from 25+ different nationalities and developing an international career that impacts millions of people’s daily lives. We are builders, we never run from a challenge, we are customer-centric, and if this sounds like you, we know you will thrive in our team.

What’s the opportunity?

    • Assess network, environment, or technologies;
    • Write tooling to assist with offensive security assessment;
    • Conduct discovery activities to map environments;
    • Build, conduct, and participate in offensive security exercises;
    • Perform penetration testing (application, API, mobile, infrastructure), vulnerability scanning (internal and external), code reviews and design/architecture reviews;
    • Work closely with development teams to mitigate or remediate security vulnerabilities;
    • Empower developers to do their jobs securely without creating additional friction;
    • Educate our engineers about security in application code and infrastructure;
    • Educate our non-technical employees about security good practices and attacks;
    • Assist in Incident Response activities (if it involves Security);

What skills do I need?

    • Advanced background in Offensive Security (Red Team active participation);
    • Strong understanding of vulnerabilities, common attack vectors and how to solve/fix them;
    • A great eye to identify/analyze attacks on company assets and also simulate internal/external attacks (Ethical Hacker mindset);
    • Well-rounded background in host, network and application security (Web, API and Mobile);
    • Huge familiarity with threat analysis (malware, phishing, social engineering, etc);
    • Attacker mindset ability to think about creative threats and attack vectors;
    • Knowledge in tailored reconnaissance, weaponization, exploitation and lateral movement;
    • Know-How of Threat modeling in a cloud environment;
    • Experience with common security tools including but not limited to: Nmap, SQLmap, Metasploit, Kali Linux (OS), Burp Suite, Qualys/WAS, ZAP Proxy, Prowler, Censys/Shodan and others;
    • Familiarity with implementation and maintenance of SAST/DAST/IAST sensors;
    • In-depth knowledge of OWASP10, SANS25 and other world-known security frameworks;
    • Understanding of a complete SDLC and how to make it secured (S-SDLC)
    • Familiarity with Cloud platforms (AWS or equivalent);
    • Ability to lead people to problem resolution when it comes to Security (Integrate teams, especially Engineering Team);
    • Effective written and oral communication involving both business and technical sides of the business;
    • Quickly identify issues and solve them;
    • Ability to present technical risks to a broader audience (both written and spoken);

Nice to have!

    • Experience on research of vulnerabilities and development of exploitation tools
    • Building and automating common Red Team processes and activities
    • Knowledge of security architectures, both monoliths and microservices, including how they are developed and operate at scale
    • Certification or equivalent knowledge (DCPT/OSCP/OSCE/OSWP/OSWE/CEH)
    • Exposure to PCI-DSS framework or any other relevant security standard will be valued
    • Have previously participated as speaker (or just participated in the activities) on Security conferences like DefCon, MindTheSec, EkoParty, Hackaflag, Bhack, You sh0t the sheriff, CryptoRave, etc
    • Active participation in CTFs and also Bug Bounty programs

What happens after you apply?

Our Talent Acquisition team is invested in creating the best candidate experience possible, so don’t worry, you will definitely hear from us. We will review your CV and keep you posted by email at every step of the process!

Also, you can check out our webpageLinkedinInstagram, and Youtube for more about dLocal!
Apply for this job

dLocal Home Page

Jobs powered by Lever logo