Application Security & Red Team - Lead Engineer, Information Security

Accelerate your career at RXO.

RXO is a leading provider of transportation solutions.

With cutting-edge technology at the center, we’re revolutionizing the industry with our massive network and commitment to finding solutions for every challenge.

We create more efficient ways for shippers and carriers to transport goods across North America.

Application Security & Red Team | Lead Engineer, Information Security

As a Lead Ethical Hacker on the Threat and Vulnerability Management team at RXO, you’ll play a critical role in driving offensive security engagements-specifically focusing on application security, web application testing, and red teaming.

You will perform in-depth assessments of applications and cloud environments to identify security risks and help build a more secure enterprise.

What your day-to-day will look like:


* Run investigations gathering key information about application architectures, APIs, and code flows to support effective testing and offensive security engagements


* Conduct detailed application-layer penetration testing of web, mobile, API, and containerized applications-targeting OWASP Top 10 risks, business logic flaws, input validation, and authenticated scenarios such as role-based access control.


* Simulate real-world attacks targeting applications, APIs, and business logic to demonstrate risk through exploitation and lateral movement within application ecosystems


* Determine the potential impact of exploiting application-level vulnerabilities and misconfigurations that could lead to unauthorized access or data exfiltration


* Lead research into new web application vulnerabilities, cloud-native threats, and evolving attack vectors used against modern application stacks


* Review and verify findings from peers, focusing on validating web application and API vulnerabilities and identifying false positives


* Brainstorm, strategize, and plan multi-phase Red Team engagements with an application-first mindset-emulating adversaries targeting application entry points


* Document and communicate findings in a way that aligns with development and DevSecOps teams, providing clear remediation steps rooted in secure coding practices

What you’ll need to excel:

At a minimum, you’ll need:


* Bachelor’s degree or equivalent related work or military experience


* 4 years of experience in information security and systems, with emphasis on application or cloud security

It’d be great if you also have:


* Experience working with AI and machine learning systems, including assessing the security of AI/ML-based applications, models, and pipelines, and identifying vulnerabilities across these environments.


* One or more offensive security certification(s) such as OSCP, OSCE, GWAPT, GPEN, eWPT, eCPPT, etc.


* Strong experience in web application penetration testing and application-layer attack techniques


* Hands-on experience with Burp Suite Pro, OWASP ZAP, Postm...