Location: Remote (India)
Stipend: ₹20,000/month
3-month internship → Full-time offer
About the Role
Work directly with our founding team to build APS (Autonomous Pentesting Solution), an AI-native platform redefining how security testing is done at scale. This isn't a training role. We want practitioners who've found real bugs in real systems and can help us teach AI to do the same.
What You'll Work On
- Web application pentesting (primary focus) — deep, manual testing of complex web apps; business logic flaws, auth bypasses, injection chains, multi-step exploitation
- API security testing — REST/GraphQL/gRPC; broken object-level auth, mass assignment, JWT attacks, API enumeration
- Mobile app pentesting — Android/iOS; reverse engineering, intercepting encrypted traffic, insecure storage, deeplink abuse
- Bug-bounty-style research — hunting for novel attack paths, chaining low-severity issues into critical findings
- APS development — contribute attack patterns, validate AI-generated findings, and stress-test automation workflows
- Vulnerability documentation — detailed technical writeups with reproduction steps, impact analysis, and remediation guidance
- PoC development — building working exploits and test cases for identified vulnerabilities
Who We're Looking For
Must-haves:
- Proven web application pentesting experience — OWASP Top 10 is the floor, not the ceiling
- Active bug bounty hunter with at least one public acknowledgment (Hall of Fame, CVE credit, or paid bounty on HackerOne/Bugcrowd/Intigriti)
- Solid understanding of API security — able to manually test and exploit API vulnerabilities beyond what scanners find
- Hands-on with Burp Suite (including extensions), and comfortable scripting in Python for custom tooling
- Able to write clear, professional vulnerability reports that a developer can act on
Strong differentiators:
- Published CVEs or responsible disclosure credits
- Hall of Fame listings from recognized programs
- Experience with mobile app testing (Android preferred — APK reversing, Frida, traffic interception)
- CTF experience (especially web categories — SSRF, deserialization, XXE, prototype pollution)
- Certifications: OSCP, BSCP, CPTS, or equivalent hands-on certs
- Prior experience integrating security tooling with Python automation
What You'll Gain
- Direct mentorship from founders with deep security and AI backgrounds
- Hands-on role building a production-grade autonomous pentesting platform — your work ships to real customers
- Exposure to cutting-edge LLM/AI integration in offensive security workflows
- Fast-track to a full-time offer with market salary
Interview Process
- Founder Call (30 min) — background, bug bounty stories, culture fit
- Technical Assessment (24h) — real-world web app challenge; we want to see your methodology, not just your answer
- Security Lead Round (45 min) — deep dive into your solution, past findings, and how you think about automation
#bugbounty #vapt #redteaming #cybersecurity