Conduct original, hands-on research into application-level, protocol-level, and ecosystem-level vulnerabilities in 1Password’s products and the broader identity security landscape. You will discover, validate, and document novel vulnerability classes and attack chains.
Collaborate with peers to develop proof-of-concept exploits and attack demonstrations that validate research findings, illustrate real-world risk, and support engineering teams in understanding and prioritizing remediation efforts.
Investigate security risks at the intersection of AI and identity, including prompt injection, data poisoning, and other AI-based attack vectors.
Author high-quality research publications, white papers, blog posts, and technical advisories. You will have the opportunity to present findings on podcasts, webinars, and at major security conferences, contributing to 1Password’s reputation as a thought leader in identity security.
Engage actively with the global security research community through responsible disclosure, collaborative research, open-source contributions, and participation in industry forums/events.
Partner with Product, Engineering, and Detection teams to translate research findings into actionable security improvements. Provide evidence-based technical guidance that informs product direction and security strategy.
Requirements
4+ years of progressive experience in security research, offensive security, or vulnerability research.
Bachelor’s degree in Computer Science, Computer Engineering, Information Security, or a related field; or equivalent practical experience.
Proven track record of discovering and responsibly disclosing original vulnerabilities, ideally with published CVEs, advisories, or equivalent publicly-recognized findings.
A track record of hands-on experience in vulnerability research, exploit development, or advanced adversarial simulation techniques.
Sufficient hands-on experience in two or more of the following domains: application security, Linux system internals, Windows system internals, macOS system internals, AI/agentic security, web application security, or mobile application security.
Familiarity with prompt injection, data poisoning, AI design architecture, AI-based attacks, and related vectors.
Proficiency in one or more programming languages such as Go, Rust, Python, Ruby, JavaScript/TypeScript, or equivalent modern languages, with the ability to read and audit code for vulnerabilities.
Consistent history of handling vulnerabilities and disclosures responsibly while engaging constructively with vendors and the research community.
Demonstrable written and verbal communication skills, with a track record of producing technical publications, blog posts, and/or conference talks that clearly convey complex security topics.