Principal Offensive Security Engineer
Listed on 2026-07-13
-
IT/Tech
Cybersecurity, AI Engineer (Applied/Software)
Opportunity
We are looking for a Principal Offensive Security Engineer who is as much a strategist as they are a hacker. You will own the strategic direction of Postman's offensive security program — including building out a dedicated Offensive AI Security capability from the ground up — and operate as a key partner to CISO leadership on threat‑informed defense strategy.
This is not a role where you inherit a mature program and keep the lights on. You will shape what offensive security looks like at Postman for the next three years, with a specific mandate to make us an industry leader in adversarial testing of AI systems, agentic workflows, and LLM integrations.
You will lead a team that doesn't just "report" vulnerabilities but "demonstrates" them, using live exploits to build a deep, visceral security culture across the entire engineering organization.
What You’ll Do Strategy & Program Ownership- Set Strategic Direction: Define and execute the multi‑year offensive security roadmap, aligning Red Team, Purple Team, and continuous validation capabilities to Postman's evolving threat landscape and business priorities.
- Build the Offensive AI Security Practice: Stand up and scale a dedicated offensive capability targeting AI/ML systems. This includes adversarial testing of LLM integrations, agentic workflows, RAG pipelines, and model‑serving infrastructure. You will define the methodology, tooling, and engagement frameworks from the ground up.
- Develop AI Threat Intelligence: Track and operationalize the rapidly evolving AI threat landscape — OWASP LLM Top 10, MITRE ATLAS, emerging attack research on agentic systems — translating external research into internal red team playbooks and detection hypotheses for Security Operations.
- Red Team AI Systems at Depth: Go beyond checkbox assessments. Lead structured adversarial campaigns against Postman's LLM deployments, AI agents, and model pipelines — targeting prompt injection, tool‑use abuse, data exfiltration via context manipulation, training data poisoning, model manipulation, and trust boundary violations in multi‑agent architectures.
- Architect Autonomous Testing: Design and deploy AI‑based penetration testing platforms and autonomous agents to perform continuous security validation across our API ecosystem.
- Continuous Validation: Move from manual pentesting to Continuous Offensive Security, integrating automated breach and attack simulation into CI/CD pipelines, including AI model deployment pipelines.
- Lead & Cultivate: Build, manage, and scale a high‑performing team of offensive security engineers — including specialized AI red team operators — providing mentorship, career development, and succession planning.
- Recruit for the Future: Identify and hire talent at the intersection of offensive security and AI/ML — a rare and competitive talent market. Build a pipeline that includes internal development paths for existing security engineers to cross‑skill into AI red teaming.
- Drive Security Culture through "The Show": Lead live "Exploitable Demonstrations" — technical proof‑of‑concepts presented to engineering teams that show exactly how a vulnerability could be leveraged, turning abstract risks into tangible learning moments. Place particular emphasis on demystifying AI‑specific attack vectors for non‑ML engineers.
- Executive Communication: Translate offensive findings into business‑level risk narratives for executive leadership, the board, and external stakeholders. Partner with GRC on audit evidence and compliance posture derived from offensive operations, including AI‑specific risk frameworks (ISO 42001).
- Cross‑Functional Partnership: Operate as a senior technical leader across Product Security, Security Operations, and Engineering, ensuring offensive findings — especially from AI red team engagements — drive measurable improvements in detection, response, and architecture.
- Experience: Minimum of 8 years in offensive security (penetration testing, red teaming, vulnerability research, or exploit development) with at least 4 years in a people management or leadership capacity,…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).