Senior Offensive Security Engineer at BitGo
India, On-site
Posted May 1
Responsibilities
- Own the offensive security program across BitGo's applications, APIs, cloud infrastructure, signing services, wallet-adjacent systems, identity pathways, and AI-enabled workflows.
- Run deep, hands-on assessments of Web3 and digital asset systems — transaction signing pipelines, MPC/TSS implementations, HSM integrations, multi-party approval workflows, smart-contract-connected services, and chain-facing infrastructure.
- Lead offensive testing of AI and agentic systems — prompt injection, unsafe tool use, data leakage, agentic identity/credential abuse, LLM routing flaws, and the OWASP Top 10 for LLM Applications.
- Build continuous automated validation pipelines that run 24/7, leveraging autonomous AI agents for breadth while you focus on depth, creative adversary simulation, and novel attack chains.
- Integrate offensive testing into CI/CD so every significant deployment to critical systems is validated before it reaches production.
- Run purple-team exercises simulating nation-state TTPs and insider-threat scenarios, and progress from transparent to semi-stealth to full red team operations as the program matures.
- Drive remediation and retesting with Engineering, AppSec, Cloud Security, Detection Engineering, and SecOps — and translate recurring patterns into durable architectural improvements.
About the role
We are hiring a Senior Offensive Security Engineer to build, run, and mature BitGo's offensive security program end-to-end across AI, Web2, and Web3.
You will own program strategy, assessment execution, tooling and automation (including AI-powered offensive agents), reporting, remediation validation, retesting, and continuous improvement — moving BitGo from periodic external tests to an always-penetration-testing posture.
Requirements
- Digital asset security depth or strong demonstrated aptitude — custody infrastructure, transaction signing systems, wallet security, key management, MPC/TSS, or blockchain security research.
- Strong software engineering capability in Python, Go, TypeScript, or similar, including building custom offensive tooling.
- Cloud-native fluency across AWS, containers, Kubernetes, IAM, secrets management, and CI/CD security.
- OSCP, OSWE, OSEP, GPEN, CPTS, or equivalent practical capability.