Bitgo

Senior Offensive Security Engineer



BitGo is the leading infrastructure provider of digital asset solutions, delivering custody, wallets, staking, trading, financing, and settlement services from regulated cold storage. Since our founding in 2013, we have focused on enabling our clients to securely navigate the digital asset space. With a global presence and multiple Trust companies, BitGo serves thousands of institutions, including many of the industry's top brands, exchanges, and platforms, and millions of retail investors worldwide. As the operational backbone of the digital economy, BitGo handles a significant portion of Bitcoin network transactions and is the largest independent digital asset custodian, and staking provider, in the world. For more information, visit www.bitgo.com.

We are hiring a Senior Offensive Security Engineer to build, run, and mature BitGo's offensive security program end-to-end across AI, Web2, and Web3. This is not a point-in-time pentesting role. You will own program strategy, assessment execution, tooling and automation (including AI-powered offensive agents), reporting, remediation validation, retesting, and continuous improvement — moving BitGo from periodic external tests to an always-penetration-testing posture.

Responsibilities

  • Own the offensive security program across BitGo's applications, APIs, cloud infrastructure, signing services, wallet-adjacent systems, identity pathways, and AI-enabled workflows.
  • Run deep, hands-on assessments of Web3 and digital asset systems — transaction signing pipelines, MPC/TSS implementations, HSM integrations, multi-party approval workflows, smart-contract-connected services, and chain-facing infrastructure.
  • Lead offensive testing of AI and agentic systems — prompt injection, unsafe tool use, data leakage, agentic identity/credential abuse, LLM routing flaws, and the OWASP Top 10 for LLM Applications.
  • Build continuous automated validation pipelines that run 24/7, leveraging autonomous AI agents for breadth while you focus on depth, creative adversary simulation, and novel attack chains.
  • Integrate offensive testing into CI/CD so every significant deployment to critical systems is validated before it reaches production.
  • Run purple-team exercises simulating nation-state TTPs and insider-threat scenarios, and progress from transparent to semi-stealth to full red team operations as the program matures.
  • Drive remediation and retesting with Engineering, AppSec, Cloud Security, Detection Engineering, and SecOps — and translate recurring patterns into durable architectural improvements.
  • Serve as the internal expert on offensive risk in launch reviews, design reviews, and strategic initiatives, with authority to hold launches pending security validation of critical systems.

Requirements

  • 5+ years in offensive security, red teaming, advanced penetration testing, adversary simulation, or security research in modern production environments. We will consider less with an exceptional track record (published CVEs, top bug bounty results, CTF rankings, Code4rena/Sherlock audit placements, Black Hat / DEF CON / DARPA research).
  • Proven experience building or materially maturing an internal offensive security program — defining methodology, building tooling, and driving strategy — not just executing assessments.
  • Digital asset security depth or strong demonstrated aptitude — custody infrastructure, transaction signing systems, wallet security, key management, MPC/TSS, or blockchain security research.
  • Strong software engineering capability in Python, Go, TypeScript, or similar, including building custom offensive tooling.
  • Cloud-native fluency across AWS, containers, Kubernetes, IAM, secrets management, and CI/CD security.
  • Clear, credible written and verbal communication with engineers and senior leadership, with high judgment and a bias toward reducing real-world risk.

Nice to Have

  • OSCP, OSWE, OSEP, GPEN, CPTS, or equivalent practical capability.
  • Experience assessing AI / agentic systems; proficiency with PyRIT, Garak, Promptfoo, or similar.
  • Experience building or deploying autonomous AI agents for offensive testing.
  • Browser security, modern web exploitation, exploit development, or reverse engineering background.
  • Open-source security contributions, published research, or conference talks (Black Hat, DEF CON, blockchain security venues).
  • Background in high-assurance financial, fintech, or regulated environments.

This is a career-defining opportunity. You will build an offensive security program from scratch at one of the most critical infrastructure providers in digital assets — with a direct line to the Deputy CISO, visibility to the CEO, and a path to leading a growing team during the most significant security transformation this industry has seen in a decade.

What We Offer

  • Competitive salary
  • IT equipment support for work
  • Meal & Commute allowance
  • Medical Insurance
  • Attractive Well-being allowance (comprising medical, wellness and fitness aspects)
  • Snacks: on-the-house in the Bangalore office
  • Great/Talented workforce to learn and grow with

Location & Eligibility

Where is the job: India, on-site within the country
Who can apply: Open to applicants worldwide

Listing Details

Posted: May 1, 2026
First seen: May 1, 2026
Last seen: May 5, 2026
