Shutterfly is a company that makes life’s experiences unforgettable, and they are seeking a Senior Application Security Engineer (Offensive / Red Team) to join their team. In this role, you will lead Red Team engagements against critical applications, collaborate with the Blue Team, and help enhance the overall security posture through offensive security practices.
Responsibilities:
- Plan and lead offensive engagements against Shutterfly's applications and supporting infrastructure using established offensive and testing techniques — manual web penetration testing, exploitation, fuzzing, and adversary emulation supported by industry-standard offensive tooling — and coordinate with third-party testers when engagements call for it
- Work hand-in-hand with the Blue Team throughout every engagement. Share tactics, techniques, and procedures in real time, validate and improve detection and alerting coverage, run collaborative exercises, and convert offensive findings into concrete defensive improvements
- Augment conventional offensive techniques with AI and LLM-based tooling to accelerate and extend offensive and testing work — reconnaissance, payload and test-case generation, code and configuration review, and exploitation
- Maintain a working understanding of how threat actors are weaponizing AI, and fold that knowledge into engagements and defensive recommendations to keep pace with a rapidly changing threat landscape
- Manage the bug bounty program end to end — triage, impact assessment, risk scoring (CVSS), locating vulnerable code, providing mitigation guidance, thorough re-testing, and refining program policy and scope as needed
- Identify, triage, and drive remediation of application vulnerabilities through manual testing and exploitation, escalating systemic issues to the appropriate engineering teams
- Lead threat modeling exercises and perform risk assessments for new and existing applications, using offensive insight to prioritize the risks that matter most
- Collaborate with incident response and Blue Team partners to investigate application-related security incidents, applying offensive expertise to scope, reproduce, and understand attacker activity
- Help define and reinforce secure development practices, including code reviews and integration of security checks into the CI/CD pipeline
- Perform and lead security reviews of critical PRs and code changes, and review code in most major languages
- Partner with engineering and architecture teams to advise on secure systems and applications design, ensuring security is built in from the ground up
- Serve as a top technical resource to engineers across the organization. Help them reproduce vulnerabilities, understand impact, document issues, and validate the effectiveness of fixes
- Mentor junior security engineers and developers on offensive techniques, secure coding practices, and security principles. Build relationships with stakeholders and business leaders across the organization
- Work closely with product, engineering, DevOps, defensive security, and compliance teams to align security with business goals
- Maintain up-to-date knowledge of relevant offensive techniques, threats, mitigations, security best practices, and the evolving role of AI in both offensive operations and adversary activity
- Make effective use of the existing security tooling stack (e.g., SAST, SCA, DAST, IAST) to support offensive and defensive work
Requirements:
- Bachelor's degree in computer science, cybersecurity, or a related technical field, or comparable hands-on experience in lieu of a degree
- Demonstrated experience leading or performing offensive security work, such as web application penetration testing or Red Team engagements, with hands-on proficiency in conventional offensive and testing techniques and industry-standard offensive tooling
- Hands-on experience using AI/LLM tools for offensive security or testing, with an understanding of how threat actors are leveraging AI in a rapidly evolving threat landscape
- Proficient in one modern programming language (preferably Java) and able to review code in most major languages
- Strong analytical and problem-solving abilities with a risk-based security approach
- Advanced user of Burp Suite Pro; bonus if you have created custom extensions in Java or Python or have used or modified existing extensions
- Excellent communication and collaboration skills, with the ability to work across offensive and defensive teams, IT, engineering, and business stakeholders
- Experience running Purple Team exercises or otherwise collaborating directly with defensive/Blue Team functions to improve detection and response
- Full stack web development experience within an active security program
- Experience managing a bug bounty program
- A security certification that demonstrates proficiency in offensive security, network/web/mobile/AD assessments, secure coding, and professional report creation (for example: OSCP, OSEP, CRTO, OSWA, OSWE, GWAPT, GWEB)
- Submitted reports to bug bounty programs or VDPs, and you've found a CVE along the way
- Strong command-line and scripting skills (bash, zsh, Python) on Linux and Mac
- Enjoy attending security conferences and occasionally participating in CTFs
- Spend time on cybersecurity training platforms (HackTheBox, TryHackMe)
- Have worked with engineering teams to develop secure code libraries
- Capable of rapidly learning and integrating emerging tools and platforms with minimal supervision