Senior Security Engineer - Offensive Security

Nubank was founded in 2013 to free people from a bureaucratic, slow and inefficient financial system. Since then, through innovative technology and outstanding customer service, the company has been redefining people's relationships with money across Latin America. With operations in Brazil, Mexico, and Colombia, Nubank is today one of the largest digital banking platforms and technology-leading companies in the world.

Today, Nubank is a global company, with offices in São Paulo (Brazil), Mexico City (Mexico), Buenos Aires (Argentina), Bogotá (Colombia), Durham (United States), and Berlin (Germany). It was founded in 2013 in Sao Paulo, by Colombian David Vélez, and cofounded by Brazilian Cristina Junqueira and American Edward Wible. For more information, visit www.nubank.com.br.

We are looking for curious, driven individuals who are passionate about enhancing security maturity through offensive techniques — and who think beyond their own lane. As a Senior Security Engineer on our Offensive Security team, you won't just execute tasks: you'll take ownership of identifying and mitigating security threats before they impact our customers, Nubankers, and financial assets.

Our Offensive Security team plays a strategic role at Nubank. By simulating real-world attacks, we strengthen our security posture and continuously evolve our defense strategies to stay ahead of adversaries. We think boldly, aim high, and challenge our own assumptions about what secure looks like — because the status quo is always a hypothesis to test, not a boundary to accept.

You'll work closely with security engineers, product teams, and other stakeholders to educate, guide, and support them in building security in from the ground up. This is an exciting opportunity to drive real impact across the whole organization — and to do it as an owner, not just a contributor.

We believe diverse perspectives make our security stronger. Whether your background comes from CTF competitions, bug bounty programs, traditional pentesting, or a non-linear path into offensive security — we want to hear from you.

• Driving infrastructure, web, and mobile/API pentests end-to-end;
• Crafting and executing red team operations that challenge our defenses;
• Leading vulnerability management initiatives and helping prioritize remediation;
• Building tools that enhance offensive security reviews and automate repetitive tasks;
• Partnering with development squads to ensure security issues are understood and addressed at the root;
• Contributing to architectural and logical reviews of different systems and products.

• Strong Offensive Security background, with a focus on Red Team activities;
• Deep experience across the pentest lifecycle: reconnaissance, enumeration, exploitation, post-exploitation, lateral movement;
• Strong knowledge of current and historical attack vectors, exploitation techniques, and how to remediate them;
• Ability to replicate the behavior of Advanced Persistent Threat (APT) groups;
• Experience with security frameworks such as OWASP;
• Experience working in cloud environments (AWS preferred);
• Ability to harden and improve CI/CD Pipelines and experience with SDLC;
• Solid knowledge across security domains, with strong depth in Operating Systems, Networks, Databases, and Infrastructure Architecture;
• Experience with Threat Modeling.

• Active participation in CTF competitions or Bug Bounty programs;
• Proficiency with security assessment tools such as Burp Suite, Nmap, Metasploit, SQLmap, Nessus, Censys, Shodan, or Frida.re — or any equivalent tooling that supports security validation.

São Paulo; Campinas; Belo Horizonte; Rio de Janeiro — Brazil

Hybrid 2–3 times/week: Our hybrid work model brings us to the office at least twice a week, on strategic days designed to maximize team connection and collaboration. For more details, visit https://building.nubank.com/nu-hybrid-work-model/.