
Remote Senior Penetration Testing Security Engineer – Advanced Web/API & Embedded Device Vulnerability Research for bolthires Devices & Services

Remote · USA Full-time New today

About bolthires Devices & Services Trust & Security (DSTS)

bolthires’s Devices & Services Trust & Security organization (DSTS) is the guardian of the digital safety behind millions of consumer experiences—from the voice that powers Alexa to the smart camera that watches over homes, from the Kindle that delivers books to the Ring doorbell that secures front‑door access. Since its inception in 2014, DSTS has built a reputation for relentless innovation, high‑impact security engineering, and a culture that thrives on curiosity, collaboration, and a deep sense of responsibility to protect our customers’ data and trust.

Our mission is simple yet profound: protect the privacy, security, and safety of every bolthires customer who interacts with any of our devices or services. To achieve this, we blend offensive security testing, threat modeling, automated tooling, and hands‑on hardware analysis. The work we do not only finds vulnerabilities – it builds the security foundations that future bolthires products will inherit.

Why This Role Matters

The Remote Senior Penetration Testing Security Engineer is the front‑line attacker‑mind in our security team. You will spearhead comprehensive security assessments across a sprawling ecosystem that includes web applications, RESTful APIs, embedded firmware, bootloaders, secure enclaves, and machine‑learning‑driven services. Your discoveries will directly influence product roadmaps, drive remediation across engineering teams, and ultimately keep millions of users safe.

Key Responsibilities

  • Lead end‑to‑end penetration tests on bolthires devices, cloud services, and hybrid solutions, delivering high‑fidelity proof‑of‑concept exploits that demonstrate real‑world impact.
  • Design and execute advanced vulnerability research using a toolkit that includes symbolic execution engines, fuzzers, static analysis platforms, custom scripts, and emerging machine‑learning techniques.
  • Perform deep source‑code and binary analysis, combining automated scanners with manual inspection to uncover subtle logic flaws, insecure cryptographic implementations, and privilege‑escalation paths.
  • Develop threat models for new product initiatives, mapping attack surfaces, identifying potential adversarial techniques, and providing strategic mitigation recommendations.
  • Collaborate closely with builder teams (software, hardware, and product owners) to triage findings, prioritize remediation efforts, and track security improvements throughout the software development lifecycle (SDLC).
  • Author comprehensive technical reports that detail vulnerability discovery, exploitation steps, business impact, and remediation guidance for both engineering stakeholders and senior leadership.
  • Mentor junior pentesters and foster a knowledge‑sharing culture by organizing brown‑bag sessions, writing internal tooling documentation, and contributing to open‑source security projects where appropriate.
  • Automate repetitive testing workflows by building reusable frameworks, CI/CD security integrations, and custom plugins that reduce manual effort and increase test coverage.
  • Stay ahead of emerging threats by monitoring security research trends, participating in Capture‑The‑Flag (CTF) competitions, contributing to vulnerability databases (CVE/Bounty), and publishing findings at conferences or in internal whitepapers.

Essential Qualifications

  • Minimum 5+ years of hands‑on experience identifying, exploiting, and remediating vulnerabilities in web applications, RESTful APIs, and service‑oriented architectures.
  • Demonstrated expertise in hardware security fundamentals such as secure boot, JTAG/UART/SPI/I²C interfaces, firmware extraction, Trusted Execution Environments (TEE), side‑channel analysis, and privilege‑escalation tactics.
  • Proven track record of threat modeling complex, multi‑component systems and proposing mitigations that balance security with product timelines.
  • Hands‑on familiarity with major cloud platforms—preferably AWS—including IAM, Lambda, API Gateway, S3, and serverless security considerations.
  • Academic background: Bachelor’s degree in Computer Science, Electrical Engineering, or related discipline, or equivalent professional experience.
  • Active participation in CTF competitions, CVE research, or Bug Bounty programs with publicly disclosed findings or recognitions.
  • Experience leveraging Machine Learning (ML) techniques for security testing, such as anomaly detection, automated exploit generation, or intelligent fuzzing.
  • Publication record in security venues—conference talks, whitepapers, blog posts, or internal knowledge‑sharing artifacts.

Preferred (But Not Mandatory) Skills

  • Proficiency in programming languages such as Python, Go, C/C++, Rust, or JavaScript for building custom exploit frameworks and automation scripts.
  • Familiarity with security testing tools like Burp Suite, OWASP ZAP, Metasploit, AFL, LibFuzzer, Angr, or Binwalk.
  • Experience with container security (Docker,
