Offensive Security Lead

We are seeking our first Offensive Security Lead to join Escape and play a key role in validating and enhancing our AI-powered Code-to-cloud ASM and DAST platform. This role is central to Escape's mission: ensuring our security scanners accurately detect real-world vulnerabilities by thinking like an attacker. You will lead offensive security initiatives, conduct penetration testing and red team operations on customer applications, and work closely with our Security Research and Scanners teams to continuously improve our detection capabilities.

As the Offensive Security Lead, you will be responsible for designing and executing sophisticated attack scenarios, validating scanner findings against real-world exploitation techniques, and translating your offensive research into actionable improvements for our platform. You will be the internal adversary who stress-tests our technology and helps our enterprise customers understand their true security posture.

Context

• Location: Paris , 2 days remote/week

• Company: Escape – Leading AI Cybersecurity Startup

• Cofounders: CEO (Tristan Kalos) and CTO (Antoine Carossio)

• Engineering Team: 16 Engineers, 4 Technical Leads, 1 Product Owner, 3 Pentesters

• You'll be building and leading the offensive security practice, managing a team of 3 red teamers while remaining hands-on with technical work

• Team Leadership & Management: Build, mentor, and manage a team of 3 red teamers, establishing offensive security best practices, methodologies, and quality standards. Foster a culture of continuous learning and technical excellence while ensuring operational efficiency.

• Offensive Security Operations: Design and execute penetration tests, red team engagements, and adversary simulations against modern web applications, APIs, cloud infrastructure, and codebases to validate Escape's detection capabilities.

• Research-to-Detection Pipeline: Collaborate with the Security Research team to discover novel attack techniques, validate vulnerability detection logic, and ensure our scanners catch what real attackers would exploit.

• Customer-Facing Validation: Support enterprise customer engagements by demonstrating real-world exploitability of findings, conducting proof-of-concept attacks, and helping VP Security and Security Engineer personas understand risk severity.

• Attack Scenario Development: Build realistic attack chains and scenarios that combine Code-to-cloud vulnerabilities, helping customers understand end-to-end exploitation paths from code to runtime.

• Scanner Quality Assurance: Act as the final validator for scanner accuracy by attempting to exploit reported vulnerabilities, reducing false positives, and identifying false negatives through manual testing.

• Offensive Tooling & Automation: Develop custom tools, exploits, and automated attack workflows that can be integrated into our continuous security validation processes.

• Strategic Planning: Define the offensive security roadmap, prioritize testing initiatives, and allocate team resources to maximize impact on product quality and customer success.

• Knowledge Transfer: Train Security Engineers and developers on offensive security techniques, helping them build security intuition and understand attacker perspectives.

• Target Environment: Modern web applications, REST/GraphQL APIs, cloud-native infrastructure (AWS/Kubernetes), CI/CD pipelines, container environments

• Offensive Tools: Burp Suite, custom Python/Go exploits, browser automation (Playwright), Metasploit Framework, cloud pentesting toolkits (Pacu, ScoutSuite)

• Languages: Python (primary), Go, Bash scripting, proficiency in reading/writing exploits in multiple languages

• Infrastructure: Kubernetes (EKS), Docker, AWS services

• Collaboration: GitLab, Slack, direct integration with our scanner codebase (Python/Go)