Senior Vulnerability Researcher; 5G & Protocol Security

Job Title:

Senior Vulnerability Researcher (5G & Protocol Security)

Job Category:
Engineering

Time Type:
Full time

Minimum Clearance Required to Start:
Top Secret

Employee Type:
Regular

Percentage of

Travel Required:

Up to 10%

Type of Travel:
Continental US

We are seeking a Senior Vulnerability Researcher with deep expertise in telecommunications security, 3

GPP protocols, and advanced reverse engineering. This role is ideal for a specialist who thrives on technical ambiguity and enjoys probing the 5G stack for critical flaws. You’ll play a key role in evaluating the security and robustness of proprietary telecom systems—reverse‑engineering "closed-box" binaries, developing stateful fuzzers, and uncovering vulnerabilities that contribute directly to national cybersecurity efforts.

• Develop and deploy custom stateful fuzzers for 3
  
  GPP protocols (e.g., NGAP, HTTP/2, PFCP, GTP-U) to identify crashes and stability issues in the 5G Core.
• Apply advanced binary analysis to reverse‑engineer proprietary 5G baseband firmware and Network Function Binaries where source code is unavailable.
• Utilize concolic and symbolic execution (e.g., Angr, Manticore) to map complex state machines and uncover logic flaws in 5G session management and authentication flows.
• Create reliable Proof-of-Concept exploits for discovered vulnerabilities in critical components such as AMF, SMF, or UPF.
• Investigate edge‑case behaviors and low‑level protocol signaling to reveal attack surfaces in proprietary telecom and embedded systems.
• Develop custom tools and scripts in Python3 to automate protocol decoding, firmware unpacking, and analysis workflows.
• Document findings clearly and translate technical protocol complexity into actionable reports for security and engineering teams.

Required:

• An active Top Secret clearance.
• 7+ years of professional experience in vulnerability research, protocol analysis, or reverse engineering.
• Mastery of C/C++ and high proficiency in Python3 for automation and tool development.
• Deep understanding of 5G/4G architecture and 3
  
  GPP security standards.
• Proven track record of reconstructing proprietary binary protocols and analyzing "closed-box" telecom equipment.
• Hands-on experience with disassembly and decompilation tools (e.g., IDA Pro, Ghidra, Binary Ninja) and hardware‑assisted debugging.
• Detailed understanding of networking and telecom protocol stacks, including signaling, control plane, and data plane components.
• Experience in exploit development and vulnerability discovery in embedded or telecom environments.

• An active SCI clearance is highly desired.
• Familiarity with radio access network (RAN) components and baseband security.
• Experience with Linux kernel internals or RTOS environments used in telecom hardware.
• Ability to build scalable fuzzing infrastructure and analysis tools in a team setting.
• Background in hardware-level analysis, including firmware extraction and inspecting hardware state via JTAG or UART.

$113,200 - $237,800

CACI is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, pregnancy, sexual orientation, age, national origin, disability, status as a protected veteran, or any other protected characteristic.