Description
We are looking for a Lead Penetration Testing Engineer to execute deep, high-impact penetration testing across our applications, platforms, cloud infrastructure, and enterprise environments, including AI-powered features and systems.
This role is highly technical and hands-on, with a strong focus on real exploitation, attack chaining, risk impact, and a hacker mindset rather than checklist-driven testing. You will lead complex engagements end to end, ensuring findings are translated into concrete engineering improvements and mitigations.
In addition to execution, you will help shape the penetration testing strategy, scope engagements effectively, mentor other testers, and act as a trusted technical partner to engineering and security leadership.
Key Responsibilities
Lead and execute advanced penetration tests across:
Web applications and APIs
Cloud and hybrid infrastructure (Kubernetes, Docker, etc.)
Identity, authorization, and trust boundaries
Internal and external enterprise attack surfaces
AI / ML-enabled systems (e.g., LLM-backed applications, Agentic AI)
Identify, exploit, and demonstrate realistic business and risk impact
Perform advanced penetration testing activities, including:
Manual exploitation beyond automated tooling
Business logic and authorization abuse
Privilege escalation
Abuse of identity, access, and trust relationships
AI-specific offensive testing, including prompt injection, indirect prompt injection, and abuse of AI integrations
Own penetration testing engagements end-to-end via:
Scoping
Test execution
Risk assessment and prioritization
Clear reporting and remediation guidance
Develop deep technical understanding of systems and products to uncover systemic weaknesses, not just isolated bugs, including weaknesses introduced by AI-driven components.
Partner closely with:
Engineering teams to explain root causes and exploitation paths
Security architects and AppSec teams to influence design and guardrails
Detection & Response teams where findings have monitoring or alerting implications
Produce high-quality, technically detailed reports that clearly explain the exploitation path, the missing or lacking security controls, and the mitigation solutions
Contribute to tooling, automation, and testing frameworks where it improves scale or consistency (without replacing deep manual testing).
Required Qualifications
Deep hands-on experience in penetration testing, offensive security, or application security testing.
5+ years of experience in penetration testing, offensive security, and vulnerability research.
Proven experience leading complex penetration testing engagements in production or production-like environments.
Strong understanding of:
Application security vulnerabilities and attack chains
Identity and access control failures
Cloud security and hybrid environments
Common defensive controls and their real-world limitations
Security risks specific to AI and LLM-based systems
Hands-on experience with:
Manual exploitation and vulnerability chaining
Custom scripts, payloads, or proof-of-concept development
Advanced use (and limitation awareness) of automated testing tools
Testing AI-powered applications and APIs
Ability to clearly articulate:
Exploitation mechanics and impact
Risk in business and engineering terms
Practical, prioritized remediation strategies
Strong communication skills and experience working directly with engineers, security teams, and leadership.
For roles in San Francisco and Los Angeles: Pursuant to the San Francisco Fair Chance Ordinance and the Los Angeles Fair Chance Initiative for Hiring, Salesforce will consider for employment qualified applicants with arrest and conviction records.