X- Offensive Research; XOR Vulnerability Researcher
Listed on 2026-07-06
-
IT/Tech
Cybersecurity
X-Day Offensive Research (XOR) Vulnerability Researcher
- Assessments & Exercises
As an X-Day Offensive Research (XOR) Vulnerability Researcher
- Assessments & Exercises at JPMorgan
Chase in the Cybersecurity & Technology Controls line of business, you will contribute significantly to enhancing the firm's cybersecurity or resiliency posture by using industry-standard assessment methodologies and techniques to proactively identify risks and vulnerabilities in people, processes, and technology. In this role, you will design and deploy risk-driven assessments (or manage a highly-skilled team that does) and inform analysis to clearly outline root causes.
We are seeking a dedicated, self-motivated vulnerability researcher to tackle the complex demands of our mission. Working closely with fellow researchers and defense teams, you will investigate challenging targets, uncover novel attack surfaces, and develop innovative solutions that enhance our security posture. The ideal candidate combines deep technical curiosity with a strong background in reverse engineering, static analysis, and dynamic analysis, and thrives in a highly collaborative, research-driven environment.
Job Responsibilities
- Design and execute testing and simulations – such as penetration tests, technical controls assessments, cyber exercises, or resiliency simulations – and contribute to the development and refinement of assessment methodologies, tools, and frameworks to ensure alignment with the firm's strategy and compliance with regulatory requirements.
- Evaluate controls for effectiveness and impact on operational risk, as well as opportunities to automate control evaluation.
- Conduct in-depth vulnerability research and exploit development across a broad range of categories, including operating systems, mobile devices, web applications, browsers, edge devices, and enterprise software.
- Reverse engineer binaries using tools such as IDA Pro, Ghidra, or Binary Ninja to identify novel attack surfaces and develop proof-of-concept exploits.
- Use common vulnerability research toolsets such as fuzzers, disassemblers, debuggers, and code browsers for static and dynamic analysis.
- Perform N-day vulnerability analysis, patch diffing, and proof-of-concept exploit validation.
- Collaborate with cross-functional teams to develop comprehensive reports – including detailed findings, risk assessments, and remediation recommendations – supporting vulnerability triage, patch prioritization, and the sharing of indicators of compromise (IOCs) in service of the firm's mission requirements.
- Leverage threat intelligence and security research to stay ahead of emerging threats, vulnerabilities, industry best practices, and regulations, applying this knowledge to enhance the firm's assessment strategy and risk management, and engaging with peers and industry groups that share threat intelligence analytics.
- Document research findings, proof-of-concepts, and technical workflows to enable knowledge sharing and repeatability.
Required Qualifications, Capabilities, and Skills
- 5+ years of experience in cybersecurity or resiliency, with demonstrated exceptional organizational skills to plan, design, and coordinate the development of offensive security testing, assessments, or simulation exercises.
- Track record of discovered vulnerabilities (CVEs) in high-profile targets in at least one of the following categories: operating systems, mobile devices, web applications, browsers, edge devices, or enterprise software.
- Proven hands-on experience in vulnerability research, proof-of-concept exploit development, coordinated vulnerability disclosure, and mitigating security vulnerabilities in open-source projects.
- Expertise in advanced analysis frameworks leveraging symbolic execution techniques and dynamic binary instrumentation to identify, triage, and exploit complex software vulnerabilities.
- Hands-on proficiency exploiting complex vulnerability classes – including use-after-free, double free, type confusion – and applying advanced exploitation techniques such as heap spraying and controlled memory corruption to achieve reliable code execution.
- Strong understanding of the internals of at…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).