Offensive Security Lead

Overview Escape is on a mission to reinvent how we protect our applications against hackers. Backed by YC, with a growing customer base including Société Générale, Lightspeed, and the Olympic Games, we are pursuing Series A funding. Our team of 23 Escapers tackles profound tech challenges and drives innovation in cybersecurity. We seek to bring more AI-driven innovation to cybersecurity and build this dream together. We are hiring our first Offensive Security Lead to validate and enhance our AI-powered Code-to-cloud ASM and DAST platform. This role is central to the mission: ensure our security scanners accurately detect real-world vulnerabilities by thinking like an attacker. You will lead offensive security initiatives, conduct penetration testing and red team operations on customer applications, and collaborate with our Security Research and Scanners teams to improve detection capabilities. As the Offensive Security Lead, you will design and execute sophisticated attack scenarios, validate scanner findings against real-world exploitation techniques, and translate offensive research into actionable improvements for the platform. You will act as the internal adversary, stress-testing our technology and helping enterprise customers understand their true security posture. Context Location: Paris (75002), 2 days remote/week Company: Escape – Leading AI Cybersecurity Startup Cofounders: CEO (Tristan Kalos) and CTO (Antoine Carossio) Engineering Team: 16 Engineers, 4 Technical Leads, 1 Product Owner, 3 Pentesters You will be building and leading the offensive security practice, managing a team of 3 red teamers while remaining hands-on with technical work. Key Responsibilities Team Leadership & Management: Build, mentor, and manage a team of 3 red teamers, establish offensive security best practices, methodologies, and quality standards; foster a culture of continuous learning and technical excellence while ensuring operational efficiency. Offensive Security Operations: Design and execute penetration tests, red team engagements, and adversary simulations against modern web applications, APIs, cloud infrastructure, and codebases to validate Escape's detection capabilities. Research-to-Detection Pipeline: Collaborate with Security Research to discover novel attack techniques, validate vulnerability detection logic, and ensure scanners catch what real attackers would exploit. Customer-Facing Validation: Support enterprise customer engagements by demonstrating real-world exploitability of findings, conducting proof-of-concept attacks, and helping VP Security and Security Engineer personas understand risk severity. Attack Scenario Development: Build realistic attack chains and scenarios that combine Code-to-cloud vulnerabilities, helping customers understand end-to-end exploitation paths from code to runtime. Scanner Quality Assurance: Act as the final validator for scanner accuracy by attempting to exploit reported vulnerabilities, reducing false positives, and identifying false negatives through manual testing. Offensive Tooling & Automation: Develop custom tools, exploits, and automated attack workflows that can be integrated into continuous security validation processes. Strategic Planning: Define the offensive security roadmap, prioritize testing initiatives, and allocate team resources to maximize impact on product quality and customer success. Knowledge Transfer: Train Security Engineers and developers on offensive security techniques, helping them build security intuition and attacker perspective. Tech Stack Target Environment: Modern web applications, REST/GraphQL APIs, cloud-native infrastructure (AWS/Kubernetes), CI/CD pipelines, container environments Offensive Tools: Burp Suite, custom Python/Go exploits, browser automation (Playwright), Metasploit Framework, cloud pentesting toolkits (Pacu, ScoutSuite) Languages: Python (primary), Go, Bash scripting; proficiency in reading/writing exploits in multiple languages Infrastructure: Kubernetes (EKS), Docker, AWS services Collaboration: GitLab, Slack, direct integration with scanner codebase (Python/Go) Qualifications 4+ years of experience in offensive security (Penetration Tester, Red Teamer, Security Researcher) with at least 1+ year in a leadership or team lead capacity. Proven track record of finding and exploiting real vulnerabilities in production environments while coaching others. People Leadership: Ability to build, mentor, and manage technical teams, set technical direction, conduct performance reviews, and foster a high-performing offensive security culture. Application Security Expertise: Deep understanding of web app vulnerabilities (OWASP Top 10, API security, business logic flaws), modern frameworks, and cloud-native architectures; ability to exploit complex vulnerability chains. Hands-on Exploitation: Strong exploitation experience, custom exploit development, and proof-of-concept creation; comfortable with manual testing and automated attack techniques; maintains hands-on skills while managing a team. Code Analysis Skills: Security code review and vulnerability identification in Python, Go, JavaScript/TypeScript; experience bridging static analysis findings with runtime exploitation. Cloud & Container Security: Cloud pentesting (AWS/Azure/GCP), Kubernetes security, container escape techniques, and CI/CD pipeline attacks. Tooling & Automation: Proficiency in Python or Go for building custom offensive security tools and automation; experience contributing to open-source security tools. Research Mindset: Curiosity-driven security research, staying current with new attack vectors, translating findings into detection improvements. Startup Enthusiast: Motivated by fast-growing deep tech startups, eager to impact product quality and team building, and shaping the future of AI-driven cybersecurity from an adversarial perspective. We respect your time. The process is designed to be quick and efficient and will be completed within 2 weeks. The hiring process includes multiple stages with the HR representative, Technical challenge, Technical deep dive with the Technical Lead, a personal experience interview with the Head of Engineering, a leadership and strategy interview with the CTO, and a formal hiring proposal. #J-18808-Ljbffr