Sr Product Security Engineer / Pen Tester (Hybrid - Pleasanton, CA)

Remote, USA Full-time
About the position

Responsibilities
• Lead penetration testing engagements focused on payment abuse, transaction manipulation, and business logic exploitation.
• Design and execute automated attack simulations to test our defenses against:
    • Carding and BIN attacks
    • Credential stuffing and account takeovers
    • Checkout and payment flow abuse
    • API-level enumeration and fraud
• Build custom tooling and frameworks to mimic the behavior of real-world fraudsters and cybercriminals.
• Partner with fraud engineering, product security, and risk teams to identify weak points in our controls, detection systems, and architecture.
• Conduct threat modeling and red teaming exercises related to payments, authentication, and user account abuse.
• Document findings in technical reports with clear risk impact, exploitability, and remediation guidance.
• Mentor junior testers and contribute to a culture of security innovation and continuous improvement.

Requirements
• 7+ years of experience in offensive security, penetration testing, or red teaming.
• Strong background in payment systems, financial fraud tactics, and transaction-level attack surfaces.
• Fluency in scripting and automation (e.g., Python, JavaScript, Go, Bash) to simulate attacker workflows at scale.
• Familiarity with tools like Burp Suite Pro, Selenium, Scapy, ffuf, SQLMap, Metasploit, and bot automation frameworks.
• In-depth knowledge of fintech technologies (e.g., tokenized payments, card vaulting, 3DS, ACH, real-time payment APIs).
• Solid grasp of common attacker techniques: carding, fake identity generation, bypassing rate limits, evading fraud filters, and abusing web/app logic.
• Strong communication skills for explaining findings to both technical and non-technical audiences.
• Certifications: OSCP, OSEP, GWAPT, GPEN, GCPN, GXPN, GX-PT, CPSA/CRSA by CREST, CHECK, or TIGER.

Nice-to-haves
• Prior experience in a fintech, digital banking, or payment gateway environment.
• Familiarity with OWASP Automated Threats, PCI DSS, MITRE ATT&CK for Financial Services, or fraud detection systems.
• Experience building or testing real-time risk scoring engines and fraud defense pipelines.

Benefits
• 401k with employer match
• medical
• dental
• vision
• 12 paid holidays in the year 2025
• 1 hour of sick pay accrual for every 30 hours worked
• parental leave
• life insurance
• disability insurance
• accident and illness insurance
• health and dependent care flexible spending accounts
• wellness benefits
• flexible time off for all full-time employees