About CodeRabbit
CodeRabbit is an innovative research and development company focused on building extraordinarily productive human-machine collaboration systems. Our primary goal is to create the next generation of Gen AI-driven code reviewers: a symbiotic partnership between humans and advanced algorithms that significantly outperforms individual engineers. We combine language models with human ingenuity to push the boundaries of software development efficiency and quality.
About the Role
We're looking for a hardcore offensive security engineer/researcher to join our security team — someone who thinks like an attacker and builds like an engineer. You'll spend your time finding ways to break our own systems before anyone else does, then work directly with engineering to fix what you find.
If you've disclosed vulnerabilities, hunted bug bounties, or get genuinely excited about a new CVE writeup, this role is built for you.
What You'll Do
Plan and execute scoped offensive security assessments, red team operations and adversary-emulation exercises across enterprise, application, cloud, and network environments — simulating real attacker behavior, not checklist-based audits
Identify, exploit, and responsibly document vulnerabilities across web applications, APIs, network infrastructure, wireless, mobile, and cloud-native attack surfaces
Assess AI and agentic-system attack surfaces, including prompt injection, tool/function-calling abuse, agent privilege boundaries, RAG/vector-store poisoning, model/system-prompt leakage, data exfiltration paths, and abuse of connectors or automation workflows.
Develop and refine proof-of-concept exploits, custom tooling, and scripts (Python, Go, or similar) to support engagements and scale offensive capabilities
Work as part of a team to explore systems methodically, taking time to avoid detection — the goal is reaching the objective quietly, not finding every possible vulnerability
Turn findings into durable fixes: partner with engineering on root cause, remediation design, secure-by-default patterns, tests, logging, detection opportunities, and fix validation.
Continuously evolve tactics, techniques, and procedures (TTPs) to reflect emerging adversary behavior, including AV/EDR evasion and detection-bypass techniques
Collaborate with the Security Incident Response Team (SIRT) and infrastructure security to translate red team findings into improved detection and defensive posture
Stay current on emerging attack techniques, CVEs, security advisories, and the broader offensive security research community
Help shape the security program via vulnerability management, bug bounty or responsible disclosure triage etc.
Occasionally support blue-team efforts during live incidents — log analysis, triage, pattern recognition
You'll Be a Strong Fit If You Have
6-8 years of hands-on experience in penetration testing, red teaming, exploit development, vulnerability research, bug bounty hunting, or equivalent demonstrated work.
Practical familiarity with tools such as Burp Suite or Caido, Nmap, ffuf, Nuclei, sqlmap, Metasploit, Wireshark, Semgrep, CodeQL, BloodHound, Impacket, cloud security tooling, and Linux-based offensive workflows.
A track record of finding real vulnerabilities: CVEs, public advisories, bug bounty credits, responsible disclosures, internal high-impact findings, or open-source offensive/security tooling.
Strong scripting/programming ability (Python preferred; C/C++/Go a plus) to build or modify exploits and tooling rapidly, even under tight timelines
Strong cloud and infrastructure security fundamentals across at least one major cloud provider, with practical understanding of IAM abuse, logging, and secrets management.
Familiarity with the MITRE ATT&CK framework and ability to map findings to known adversary tactics
Ability to reason through attack chains end to end: reconnaissance, initial access, privilege escalation, persistence where in scope, lateral movement, data access/exfiltration, impact analysis, reporting, remediation, and retest.
Experience working at a cybersecurity-native company, security consultancy, or a tech company with a mature internal red team
Excellent written and verbal communication skills — ability to explain complex attack chains clearly to both engineers and non-technical stakeholders
OSCP or equivalent practical certification is a strong plus
Nice to Have
Experience with cloud-native attack surfaces (GCP/AWS/Azure)
Experience securing or attacking AI/ML, LLM, RAG, multi-agent, or agentic workflow systems, including OWASP Top 10 for LLM Applications and emerging AI red-team practices.
Exposure to incident response or SIEM, threat hunting, forensics
Active participation in bug bounty, CTFs, security research, conference talks, open-source security tools, or responsible disclosure communities.
Familiarity with AI/ML system attack surfaces (prompt injection, confused sub-agents etc.) — emerging but increasingly relevant
Our Values
🤝 Collaborative Humans: Prioritizing collective intelligence
🚀 Fearless Innovators: Turning obstacles into growth opportunities
💪 Persistent, Passionate Developers: Thriving on complex, long-term challenges
🎯 Impact-Driven Creators: Crafting intuitive tools for developers
🧠 Rapid Learners and Un-learners: Adapting quickly in our fast-paced technological world
What We Offer
Work on cutting-edge technology with real-world impact
Collaborative and innovative environment
Competitive salary, equity, and benefits
Professional development opportunities
To apply, submit your resume and relevant project samples or GitHub profiles. CodeRabbit is an equal-opportunity employer committed to diversity and inclusion.