Rogo is building Wall Street's first true AI banker, empowering finance professionals with AI that delivers unparalleled speed and insight. As a Staff Security Engineer, you will conduct penetration testing and build security automation to protect Rogo's AI-driven platform and infrastructure from adversaries.
Responsibilities:
- Conduct hands-on penetration testing and red team assessments against Rogo's applications, APIs, AI/ML pipelines, and cloud environments on a continuous basis, not just during annual engagements
- Build agentic security tooling that finds, validates, and patches vulnerabilities end-to-end, minimizing manual intervention across code review, dependency management, and IaC
- Develop and maintain custom offensive tooling, exploit chains, and attack simulations tailored to Rogo's AI platform and architecture
- Build and operate automated security testing and remediation pipelines that scale offensive coverage without linearly scaling headcount
- Perform deep adversarial testing of AI-specific attack surfaces: prompt injection, model manipulation, data poisoning vectors, agent-based workflows, and tenant isolation boundaries
- Own vulnerability research and bug hunting across the product; go beyond scanner output to find the logic flaws, auth bypasses, and chained exploits that automated tools miss
- Design and execute threat modeling sessions with engineering teams, translating offensive findings into concrete, prioritized remediation that ships in the same sprint
- Build attack simulation environments and continuously validate security controls against real-world TTPs and customer-driven pen test scenarios
- Contribute directly to backend codebases, fix critical vulnerabilities, harden authentication and authorization flows, and build security primitives into the platform
- Lead purple team exercises: collaborate with infrastructure and engineering teams to test detection and response capabilities against your offensive scenarios
- Own the relationship with external pen test firms and drive remediation of findings to closure
- Share offensive tradecraft, emerging attack techniques, and lessons learned with engineering and leadership to continuously raise security awareness
Requirements:
- Have professional penetration testing experience across web apps, APIs, cloud environments, and ideally AI/ML systems. You've written real exploits, not just run scanners
- Have built or are excited to build agentic security tooling that autonomously finds, validates, and patches vulnerabilities, minimizing human-in-the-loop remediation
- Have professional development experience in a strongly typed language (e.g., Rust, Go, Java, C++) alongside scripting languages (Python, Bash) for exploit development and tooling
- Are comfortable with Burp Suite, Nuclei, Semgrep, custom fuzzing frameworks, and building your own tools when off-the-shelf doesn't cut it
- Have integrated automated security checks into CI/CD pipelines (SCA, SAST, DAST) and understand how to give developers fast, actionable feedback without blocking velocity
- Are comfortable with infrastructure automation (Terraform, Kubernetes) and can identify misconfigurations and attack paths in AWS/GCP environments
- Communicate crisply and can collaborate effectively with developers, product teams, and leadership
- Have applied knowledge of threat modeling, cryptography fundamentals, and compliance frameworks (SOC 2, ISO 27001/42001, NIST CSF)
- OSCP, OSWE, GXPN, GWAPT, CPTS, or similar offensive security certifications
- Experience testing multi-tenant SaaS platforms serving regulated industries (financial services is a strong plus)
- Hands-on cloud penetration testing experience in AWS or GCP (privilege escalation, cross-account attacks, metadata abuse)
- Kubernetes security testing (RBAC abuse, container escapes, admission controller bypasses, network policy evasion)
- Bug bounty track record or published CVEs / security research
- Experience in customer-facing security conversations, deep-dive technical sessions, pen test debrief calls, and security architecture reviews