Job Description

About the Role

You'll own the detection pipeline end-to-end for our software supply chain security platform, catching malicious packages and compromised CI/CD pipelines before they reach production systems. This hands-on role involves designing detection systems, hunting threats, disclosing vulnerabilities, and publishing research that protects customers and establishes our voice in the security community. You'll work directly with detection systems that scan open-source packages at scale and turn findings into actionable intelligence.

What You'll Do

• Design systems that scan open-source packages (npm, PyPI, RubyGems, Maven, crates.io, Go modules, GitHub Actions, container images) for malicious behavior at scale
• Hunt novel malicious packages, typosquats, dependency confusion attempts, compromised maintainers, and CI/CD abuse patterns
• Coordinate with maintainers, foundations, and registries to file CVEs and work with GitHub Security Advisories and OSV schema
• Build internal tooling using static analysis and AI models to triage findings, summarize package diffs, and cluster related campaigns
• Publish technically rigorous blog posts for every significant finding that establish thought leadership and drive community engagement
• Tune detection signals, reduce false positives, and develop countermeasures against evolving sandbox evasion techniques

What We're Looking For

• 4+ years of security research experience with published CVEs, GHSAs, or equivalent advisories with your name on them
• Deep expertise in multiple vulnerability classes including malicious packages, RCE, prototype pollution, deserialization, SSRF, auth bypasses, and CI/CD attack paths
• Experience designing and operating detection, scanning, or analysis pipelines at scale that run continuously and produce actionable signal
• Strong programming skills in TypeScript, Python, Go, or Rust with ability to read code across multiple languages (JavaScript, Ruby, Java, PHP)
• Proven track record of writing high-quality technical blog posts quickly and hands-on experience using LLMs as research tools

Bonus Points

• Contributions to OpenSSF, OSV, Sigstore, SLSA, or adjacent open source security projects
• Reverse engineering experience with obfuscated JavaScript droppers, packed binaries, or malicious post-install scripts
• Conference speaking experience at DEF CON, Black Hat, BSides, OffensiveCon, or Kaspersky SAS