About the position
We're hiring a Senior Penetration Tester to help defend our fintech platform against large-scale payment fraud, carding attacks, and other financially motivated threats. You'll lead offensive security assessments targeting our transaction systems, authentication flows, and APIs - with a heavy focus on automation and scalability. Your work will directly impact our fraud defenses, detection strategy, and customer trust.
This is a highly technical, hands-on role for someone who thrives in a fast-paced, high-stakes fintech environment.
This position will be Hybrid (Tuesdays & Wednesdays) out of our Pleasanton, CA office.
Responsibilities
• Lead penetration testing engagements focused on payment abuse, transaction manipulation, and business logic exploitation.
• Design and execute automated attack simulations to test our defenses against:
  • Carding and BIN attacks
  • Credential stuffing and account takeovers
  • Checkout and payment flow abuse
  • API-level enumeration and fraud
• Build custom tooling and frameworks to mimic the behavior of real-world fraudsters and cybercriminals.
• Partner with fraud engineering, product security, and risk teams to identify weak points in our controls, detection systems, and architecture.
• Conduct threat modeling and red teaming exercises related to payments, authentication, and user account abuse.
• Document findings in technical reports with clear risk impact, exploitability, and remediation guidance.
• Mentor junior testers and contribute to a culture of security innovation and continuous improvement.
Requirements
• 7+ years of experience in offensive security, penetration testing, or red teaming.
• Strong background in payment systems, financial fraud tactics, and transaction-level attack surfaces.
• Fluency in scripting and automation (e.g., Python, JavaScript, Go, Bash) to simulate attacker workflows at scale.
• Familiarity with tools like Burp Suite Pro, Selenium, Scapy, ffuf, SQLMap, Metasploit, and bot automation frameworks.
• In-depth knowledge of fintech technologies (e.g., tokenized payments, card vaulting, 3DS, ACH, real-time payment APIs).
• Solid grasp of common attacker techniques: carding, fake identity generation, bypassing rate limits, evading fraud filters, and abusing web/app logic.
• Strong communication skills for explaining findings to both technical and non-technical audiences.
• Certifications: OSCP, OSEP, GWAPT, GPEN, GCPN, GXPN, GX-PT, CPSA/CRSA by CREST, CHECK, or TIGER.
Nice-to-haves
• Prior experience in a fintech, digital banking, or payment gateway environment.
• Familiarity with OWASP Automated Threats, PCI DSS, MITRE ATT&CK for Financial Services, or fraud detection systems.
• Experience building or testing real-time risk scoring engines and fraud defense pipelines.
Benefits
• 401k with employer match
• medical
• dental
• vision
• 12 paid holidays in the year 2025
• 1 hour of sick pay accrual for every 30 hours worked
• parental leave
• life insurance
• disability insurance
• accident and illness insurance
• health and dependent care flexible spending accounts
• wellness benefits
• flexible time off for all full-time employees