Principal Offensive Security Engineer
Job in San Francisco, San Francisco County, California, 94199, USA
Listed on 2026-06-26
Listing for: Postman
Full Time position
Job specializations: IT/Tech (Cybersecurity, Information Security, Security Manager, IT Consultant)
Job Description & How to Apply Below
Requirements
- Experience: Minimum of 8 years in offensive security (penetration testing, red teaming, vulnerability research, or exploit development) with at least 4 years in a people management or leadership capacity, including experience managing managers or tech leads
- AI/ML Offensive Depth: Demonstrated experience attacking AI/ML systems — whether through adversarial ML research, LLM red teaming, agentic system exploitation, or building offensive tooling for AI targets. You understand the difference between prompt injection and indirect prompt injection, know what a tool-use confusion attack looks like, and can articulate why RAG poisoning is a supply chain problem
- Strategic Acumen: Demonstrated ability to build and scale an offensive security program from the ground up or significantly mature an existing one. Experience setting OKRs, managing budgets, and presenting to executive leadership
- Adversarial Mindset: Deep understanding of the modern threat landscape and how to apply it to cloud-native, API-first environments — extended to AI-native architectures
- AI Offensive Tooling Fluency: Hands-on experience with AI-augmented pentesting tools (e.g., PentestGPT, Horizon3, custom LLM-based fuzzing) and purpose-built AI red team frameworks (e.g., Microsoft PyRIT, Garak, custom harnesses). Understanding of how to manage non-deterministic AI outputs in both offensive tooling and target systems
- Pragmatic Storytelling: You believe that a well-executed exploit demo is more effective than a 50-page PDF. You can present a complex exploit chain — including an AI-specific attack path — to a room of developers in a way that is inspiring, not condescending
- Engineering Fluency: You prefer building an automated "exploit-as-code" validator over performing the same manual test twice. You can architect evaluation harnesses and adversarial test suites for ML models
- (Desirable) Industry Presence: Track record of contributions to the offensive security or AI security community — conference talks (DEF CON, Black Hat, BSides, RSA), tool releases, published research, CVEs, or active participation in OWASP, MITRE, or similar working groups
- (Desirable) Certifications: OSCP, OSCE, OSEP, GXPN, GPEN, CRTP, or equivalent hands-on offensive certifications. AI/ML-specific credentials (e.g., GIAC GMAI) are a differentiator
- (Desirable) Cloud Security Expertise: Deep familiarity with AWS security primitives, cloud-native attack paths, and container/Kubernetes exploitation
- (Desirable) API Security Depth: Experience with API-specific attack methodologies — BOLA, BFLA, mass assignment, GraphQL abuse, gRPC exploitation — reflecting Postman's core product domain
- (Desirable) Compliance Awareness: Familiarity with how offensive security outputs map to SOC 2 Type II, ISO 27001, ISO 42001, FedRAMP, or CMMC control evidence. You don't run GRC, but you know how to feed it
- The Information Security organization at Postman operates across three pillars: Governance Risk & Compliance (GRC), Product Security, and Security Operations
- We are a team of builders, not checkbox-checkers
- We hold active SOC 2 Type II, ISO 27001, ISO 42001, and HIPAA compliance postures, and we are pursuing FedRAMP High and CMMC Level 2 authorization
- Our security stack includes Wiz, SentinelOne, Okta, Jamf, and 1Password, and we operate across a multi-cloud environment
- The Offensive Security team is the "red" pulse of this organization
- We don't just find bugs — we simulate the adversary to ensure our defenses hold up under real-world pressure
- We focus on continuous security validation, AI-augmented adversary emulation, and offensive AI security research at Postman's scale
- We are looking for a Senior Manager, Offensive Security who is as much a strategist as they are a hacker
- You will own the strategic direction of Postman's offensive security program — including building out a dedicated Offensive AI Security capability from the ground up — and operate as a key partner to CISO leadership on threat-informed defense strategy
- This is not a role where you inherit a mature program and keep the lights on
- You will shape what offensive security looks like at Postman for the next…