Security Researcher

Truffle Hog is a popular open source tool used by security researchers all over the world to find leaky API keys and responsibly disclose them to affected companies. This provides income through bug bounty platforms like Hacker One to individuals that may otherwise have a hard time finding employment. This also prevents breaches from occurring, which can be very costly for companies to resolve.

When we founded Truffle Security Co. in February of 2021, we committed to continue to grow a community with security researchers around the world, and continue to provide free and open resources to support those that make the world more secure. We have a strong commitment to open source and to the community. We’re looking for help supporting our mission to prevent leaking credentials and build the best products for machine identity protection.

At Truffle, you’ll have the opportunity to join a fully remote, collaborative team contributing to meaningful advancements in cybersecurity.

In this highly visible, community-focused position, you will spearhead open-source security research projects and share your findings with the broader security community via blog posts, videos, webinars, conference talks, and open-source code contributions. By highlighting real-world security vulnerabilities, you’ll help amplify the Truffle Security brand and inspire organizations to better secure themselves.

Below are blog posts to give you a sense for our style of research:

Working closely with our Security Research team lead, you'll have the opportunity to select and run research projects that align with industry trends, emerging threats, product features, and company goals. Your expertise in application security and one other information security domain will drive the creation of engaging, credible content that resonates with both technical and non-technical audiences.

We’re looking for candidates in the U.S. to align with conference schedules and time zone collaboration, but we’re also open to applicants based in Canada and Europe who bring strong relevant experience and can maintain sufficient working hour overlap with our U.S.

-based team.

• Conduct cutting-edge open-source security research in areas broadly related to secrets (application security, cloud security, Dev Sec Ops , etc.).
• Create engaging content to showcase research findings, including blog posts, technical documentation, videos, and whitepapers.
• Present at conferences and industry events to share your discoveries, represent Truffle Security, and build community interest/trust.
• Contribute to open source by sharing research-driven improvements or small proof-of-concept tools to Truffle’s projects.
• Collaborate with engineering to share insights and help track down the occasional bug.
• Maintain a positive, respectful, and ethical attitude in all external and internal interactions. There's no room for egos or “gotchas” when dealing with security research.

• 3+ years of experience in application security
  , or another category:
  • Cloud Security
  • Dev Sec Ops
  • Data Analytics
  • Blue Team
  • ......Something else? Surprise us!
• Background in security research – Ideally, you have experience investigating security issues (through professional roles, side projects, or open-source contributions)
• Public-facing research – Ideally, you’ve shared findings externally (blog posts, talks, etc.), or you’re excited to build that muscle here
• Excellent technical writing skills that demonstrate clarity, depth, and accuracy
• Intermediate programming skills – your code doesn’t need to be production-ready, but you should be comfortable prototyping and building proof-of-concept tools
  • We work primarily in Python and Golang
• Familiarity with LLM tools and how to effectively incorporate them into research and programming workflows
• Strong collaboration abilities – You’re equally good at respectfully asking for help and humbly providing it
• Ability to juggle multiple long-term research projects – We often run 5 or 6 projects simultaneously without compromising quality or timelines
• High ethical standards and integrity – We find many security vulnerabilities in our…