Red Team Engineer

Company: Acrisure
Job Type: Full Time
Job Description - Red Team Engineer

About Acrisure

A global fintech leader, Acrisure empowers millions of ambitious businesses and individuals with the right solutions to grow boldly forward. Bringing cutting-edge technology and top-tier human support together, we connect clients with customized solutions across a range of insurance, reinsurance, payroll, benefits, cybersecurity, mortgage services – and more. 

In the last twelve years, Acrisure has grown in revenue from $38 million to almost $5 billion and employs over 19,000 colleagues in more than 20 countries. Acrisure was built on entrepreneurial spirit. Prioritizing leadership, accountability, and collaboration, we equip our teams to work at the highest levels possible.

Job Summary:

You will be a hands-on offensive security engineer who finds and proves exploitable vulnerabilities in web applications, APIs, and cloud-hosted services before adversaries do. Your primary focus is web application and API penetration testing across a large, multi-tenant SaaS portfolio, including payroll, benefits, and financial platforms that process sensitive PII and financial data at scale.

You’ll conduct manual and automated security assessments, build repeatable attack tooling, and work directly with engineering teams to validate fixes. You will also leverage AI tools to accelerate reconnaissance, vulnerability discovery, exploit development, and reporting, and assess AI-integrated features within our applications for prompt injection, model manipulation, and agentic abuse risks.

We are an AI-first security organization. We build with AI, secure AI, and expect this role to actively leverage AI tooling to accelerate offensive security outcomes.

Success in this role means finding the vulnerabilities that scanners miss, proving exploitability with evidence that drives action, and helping engineering teams ship more secure code.

Responsibilities:

Web Application & API Penetration Testing

  • Conduct deep manual penetration tests against web applications, REST/GraphQL APIs, and microservices — focusing on authentication, authorization (IDOR/BOLA), session management, injection, and business logic flaws.
  • Perform source-code-assisted testing (grey-box/white-box) using access to application repositories to identify vulnerabilities that black-box testing misses.
  • Test multi-tenant isolation boundaries — proving or disproving cross-tenant data access, privilege escalation, and tenant-escape scenarios in SaaS platforms.
  • Assess authentication and session architectures: OAuth/OIDC flows, JWT handling, MFA bypass, token lifecycle, and session revocation effectiveness.
  • Validate authorization models end-to-end — from API gateway to data layer — identifying gaps where opt-in security filters can be bypassed or omitted.
  • Execute targeted assessments of high-risk application changes, new features, and integrations as part of the secure development lifecycle.

AI-Augmented Offensive Security

  • Use AI tools (LLMs, copilots, agentic frameworks) to accelerate vulnerability discovery, payload generation, reconnaissance, and report writing.
  • Build and maintain AI-assisted attack workflows — automated recon pipelines, intelligent fuzzing, pattern-based code review, and exploit chain analysis.
  • Assess AI-integrated application features for prompt injection, training data leakage, model manipulation, excessive agency, and insecure output handling (OWASP LLM Top 10).
  • Contribute to AI red-teaming exercises targeting LLM-powered features, chatbots, and agentic systems deployed across the enterprise.
  • Stay current on AI-driven offensive techniques and defensive evasion — and translate emerging research into practical testing methodologies.

Cloud & Infrastructure Testing

  • Conduct penetration tests against cloud-hosted applications and services in AWS and Azure — including serverless functions, container workloads, and managed services.
  • Test cloud identity and access configurations — IAM policies, role assumptions, cross-account access, service principal permissions, and privilege escalation paths.
  • Assess API gateway configurations, WAF effectiveness, and network segmentation controls.
  • Identify attack paths from application-layer compromise to cloud infrastructure pivot — demonstrating real-world impact chains.

Tooling, Automation & Reporting

  • Build and maintain custom offensive tooling — scanners, exploit scripts, and validation frameworks tailored to the organization’s technology stack.
  • Develop repeatable, automated security validation tests that can be integrated into CI/CD pipelines for continuous assurance.
  • Produce clear, evidence-based penetration test reports with proof-of-concept exploits, risk ratings, and actionable remediation guidance.
  • Track and retest findings through remediation — validating fixes are effective and complete.
  • Contribute to the organization’s attack playbooks, TTPs documentation, and knowledge base.

Collaboration & Enablement

  • Partner with AppSec engineers to translate offensive findings into defensive tooling improvements (SAST/DAST rules, ASPM policies).
  • Work with development teams during and after assessments — explaining vulnerabilities, demonstrating impact, and advising on secure design patterns.
  • Support bug bounty program triage and validation when external researchers report findings.
  • Participate in purple team exercises — working with detection engineering and SOC to validate monitoring coverage against real attack techniques.

Requirements

Required Qualifications

  • 4+ years of hands-on experience in penetration testing, with a primary focus on web applications and APIs.
  • Deep understanding of web application vulnerabilities beyond OWASP Top 10 — including business logic flaws, authorization model weaknesses (IDOR/BOLA), race conditions, and authentication/session architecture attacks.
  • Experience testing multi-tenant SaaS applications and understanding tenant isolation patterns and failure modes.
  • Proficiency with web application testing tools: Burp Suite Professional, custom extensions, and manual testing methodologies.
  • Scripting and automation skills (Python, JavaScript, or similar) for exploit development, custom tooling, and test automation.
  • Working knowledge of cloud platforms (AWS and/or Azure) — enough to test cloud-hosted applications and understand IAM, networking, and service configurations.
  • Familiarity with source code review for security — ability to read and analyze application code (.NET/C#, Java, JavaScript/TypeScript, or Python) to identify vulnerabilities.
  • Experience producing professional penetration test reports with clear evidence, risk ratings, and remediation guidance.

Preferred Qualifications

  • Experience using AI/LLM tools for offensive security — automated recon, intelligent code review, payload generation, or AI-assisted exploit development.
  • Experience testing AI-integrated application features for prompt injection, model abuse, or agentic system vulnerabilities.
  • Familiarity with AI security frameworks: OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF.
  • Experience with .NET/C# application security — particularly ASP.NET Web API, Entity Framework, and common .NET authorization patterns.
  • Cloud penetration testing experience (AWS, Azure) — IAM exploitation, metadata service abuse, cross-account pivoting, serverless and container breakout.
  • Bug bounty experience (HackerOne, Bugcrowd) — as a researcher, triager, or program operator.
  • Experience building security validation into CI/CD pipelines for continuous testing.
  • Familiarity with MITRE ATT&CK (Enterprise + Cloud), PTES, or OWASP Testing Guide methodologies.
  • Relevant certifications: OSCP, OSWE, GWAPT, GPEN, eWPT, BSCP, or equivalent hands-on certifications. We value demonstrated skill over certification count.

Candidates should be comfortable with an on-site presence to support collaboration, team leadership, and cross-functional partnership.

Why Join Us:

At Acrisure, we’re building more than a business; we’re building a community where people can grow, thrive, and make an impact. Our benefits are designed to support every dimension of your life, from your health and finances to your family and future.

Making a lasting impact on the communities it serves, Acrisure has pledged more than $22 million through its partnerships with Corewell Health Helen DeVos Children's Hospital in Grand Rapids, Michigan, UPMC Children's Hospital in Pittsburgh, Pennsylvania and Blythedale Children's Hospital in Valhalla, New York.

Employee Benefits

We also offer our employees a comprehensive suite of benefits and perks, including:

  • Physical Wellness: Comprehensive medical insurance, dental insurance, and vision insurance; life and disability insurance; fertility benefits; wellness resources; and paid sick time.

  • Mental Wellness: Generous paid time off and holidays; Employee Assistance Program (EAP); and a complimentary Calm app subscription.

  • Financial Wellness: Immediate vesting in a 401(k) plan; Health Savings Account (HSA) and Flexible Spending Account (FSA) options; commuter benefits; and employee discount programs.

  • Family Care: Paid maternity leave and paid paternity leave (including for adoptive parents); legal plan options; and pet insurance coverage.

  • … and so much more!

This list is not exhaustive of all available benefits. Eligibility and waiting periods may apply to certain offerings. Benefits may vary based on subsidiary entity and geographic location.

Acrisure is an Equal Opportunity Employer. We consider qualified applicants without regard to race, color, religion, sex, national origin, disability, or protected veteran status. Applicants may request reasonable accommodation by contacting [email protected].

Final candidates will be required to complete post-offer verification processes related to the role and in accordance with applicable laws.

California Residents: Learn more about our privacy practices for applicants by visiting the Acrisure California Applicant Privacy Policy.

Recruitment Fraud: See the Acrisure Recruitment Fraud Notice to learn more.

Welcome, your new opportunity awaits you.

Original job Red Team Engineer posted on GrabJobs ©.
Copyright © 2026 Grabjobs Pte.Ltd. All Rights Reserved.