Rogo is building Wall Street's first true AI banker, aiming to empower finance professionals with AI that offers speed, accuracy, and insight. As a Staff Security Engineer, you will focus on offensive security practices, conducting penetration tests and building security automation to protect Rogo's AI-driven platform and infrastructure.
Responsibilities:
- Conduct hands-on penetration testing and red team assessments against Rogo's applications, APIs, AI/ML pipelines, and cloud environments on a continuous basis, not just during annual engagements
- Build agentic security tooling that finds, validates, and patches vulnerabilities end-to-end, minimizing manual intervention across code review, dependency management, and IaC
- Develop and maintain custom offensive tooling, exploit chains, and attack simulations tailored to Rogo's AI platform and architecture
- Build and operate automated security testing and remediation pipelines that scale offensive coverage without linearly scaling headcount
- Perform deep adversarial testing of AI-specific attack surfaces: prompt injection, model manipulation, data poisoning vectors, agent-based workflows, and tenant isolation boundaries
- Own vulnerability research and bug hunting across the product, going beyond scanner output to find the logic flaws, auth bypasses, and chained exploits that automated tools miss
- Design and execute threat modeling sessions with engineering teams, translating offensive findings into concrete, prioritized remediation that ships in the same sprint
- Build attack simulation environments and continuously validate security controls against real-world TTPs and customer-driven pen test scenarios
- Contribute directly to backend codebases: fix critical vulnerabilities, harden authentication and authorization flows, and build security primitives into the platform
- Lead purple team exercises: collaborate with infrastructure and engineering teams to test detection and response capabilities against your offensive scenarios
- Own the relationship with external pen test firms and drive remediation of findings to closure
- Share offensive tradecraft, emerging attack techniques, and lessons learned with engineering and leadership to continuously raise security awareness
Requirements:
- Have professional penetration testing experience across web apps, APIs, cloud environments, and ideally AI/ML systems. You've written real exploits, not just run scanners
- Have built or are excited to build agentic security tooling that autonomously finds, validates, and patches vulnerabilities, minimizing human-in-the-loop remediation
- Have professional development experience in a strongly typed language (e.g., Rust, Go, Java, C++) alongside scripting languages (Python, Bash) for exploit development and tooling
- Are comfortable with Burp Suite, Nuclei, Semgrep, custom fuzzing frameworks, and building your own tools when off-the-shelf doesn't cut it
- Have integrated automated security checks into CI/CD pipelines (SCA, SAST, DAST) and understand how to give developers fast, actionable feedback without blocking velocity
- Are comfortable with infrastructure automation (Terraform, Kubernetes) and can identify misconfigurations and attack paths in AWS/GCP environments
- Communicate crisply and can collaborate effectively with developers, product teams, and leadership
- Have applied knowledge of threat modeling, cryptography fundamentals, and compliance frameworks (SOC 2, ISO 27001/42001, NIST CSF)