Senior Security Researcher Job at Devtech, San Francisco, CA

c0dML0l6ZHN3cGVLajZMMkEvNVhKMzFMRkE9PQ==
  • Devtech
  • San Francisco, CA

Job Description

About us

Devtech provides digital innovation services that help Fortune 1000 and emerging companies transform, scale and disrupt. We partner with our clients to envision and develop next-gen digital and cloud solutions that drive impactful business outcomes through people and technology.
Our mission is to empower every innovative business in the world to do what they do best, even better .
Founded in 2012, Devtech successfully bootstrapped the business for many years before securing institutional growth capital in 2022 and 2024 to fuel our next stages of growth. We are a team of over 300 professionals across Europe and North America, and our continued growth is a testament to the quality of work our teams produce.
At Devtech, we’re fostering an environment of autonomy, mastery, and purpose, where our team members can grow and thrive. As we continue to scale globally, we're excited to welcome new team members who share our curiosity and growth mindset, and are ready to make an impact!

What you will do

We're building a platform in the software supply chain security space. Our mission is to catch malicious packages, compromised CI/CD pipelines, and supply chain attacks before they reach our customers' production systems, servers, or developer desktops. We're looking for a Senior Security Researcher to own the detection pipeline end-to-end, which include the systems that ingest packages, surface malicious findings, identify suspicious behavior, triage findings, and publish the research that both protects our customers and establishes our voice in the community. This is a hands-on role. You'll be designing detection pipelines, reviewing flagged packages, writing code, hunting threats, disclosing vulnerabilities, and publishing your work.

  • Design the systems that scan open-source packages (npm, PyPI, RubyGems, Maven, crates.io , Go modules, GitHub Actions, container images, and more) for malicious behavior at scale

  • Tune signals, reduce false positives, and add new detection techniques as attackers evolve

  • Actively find novel malicious packages, typosquats, dependency confusion attempts, compromised maintainers, and CI/CD abuse patterns

  • Coordinate with maintainers, foundations, and registries, file CVEs, work with GitHub Security Advisories, the OSV schema, and platform security teams

  • Turn every significant finding into a blog post that's fast, clear, and technically rigorous that gets shared in security newsletters and lands on places like Hacker News

  • Build internal tooling that uses static analysis and AI models to triage findings, summarize package diffs, and cluster related campaigns

  • Your findings feed directly into what we build. Expect to sit in on roadmap discussions and push back when detection logic in the product doesn't match what you see in the wild

  • Stay up-to-date with the latest sandbox evasion and detection measures and create countermeasures and red-teaming exercises

  • Keeping a tight line between false positives and false negatives in our detection pipeline to ensure a well-curated and trusted set of threat intelligence

What you will need

  • A track record of finding real vulnerabilities - published CVEs, GHSAs, or equivalent advisories with your name on them

  • Deep familiarity with multiple vulnerability classes like malicious packages, RCE, prototype pollution, deserialization, SSRF, auth bypasses, CI/CD-specific attack paths and memory corruption

  • Experience designing and operating a detection, scanning, or analysis pipeline at scale that run continuously and produce signal

  • Strong programming skills in at least one of TypeScript, Python, Go, or Rust

  • Comfortable reading code in languages you don't write daily (JavaScript, Ruby, Java,

  • PHP, etc)

  • Proven ability to write a good blog post fast

  • Hands-on use of LLMs as a research tool

  • Understanding of LLMs to know where they break, which prompts and models work best, and when to reach for a model vs. when not to

  • Prior work on software supply chain attacks

  • Contributions to OpenSSF, OSV, Sigstore, SLSA, or adjacent projects are a plus

  • Reverse engineering chops - obfuscated JavaScript droppers, packed binaries, malicious post-install scripts are a plus

  • A conference talk or two (DEF CON, Black Hat, BSides, OffensiveCon, Kaspersky SAS) is a plus

  • Experience with eBPF, sandboxing, or dynamic analysis infrastructure is a plus

What we offer

  • Private health insurance

  • 25 days of vacation / PTO

  • 7 days of sick leave at 100% pay

  • Outstanding referral bonuses

  • Paternity leave – 15 days for new dads

  • Reduced working hours for the first month after returning from maternity

  • Development program (training & conferences, internal knowledge sharing)

  • Flexible work environment

Job Tags

Flexible hours

Similar Jobs

Kunsh Technologies

Software Engineer (C++/Rust) Job at Kunsh Technologies

 ...000 users during our first year of launch. Our team brings former experience at the world's leading quantitative firms, including Two Sigma, Flow Traders, Tower Research, PDT Partners, SIG, and more. We're looking for a midlevel or senior IC to join our core engineering... 

Confidential

Travel Registered Nurse Hematology Oncology Job Job at Confidential

 ...Job Overview TLC Nursing Associates, Inc. is seeking a skilled and compassionate Registered Nurse (RN) Hematology Oncology to provide specialized care for patients with blood disorders and cancer. The RN will administer treatments, monitor patient progress, and... 

Gpac

PHYSICIAN ASSISTANT - DERMATOLOGY Job at Gpac

Physician Assistant - DERMATOLOGY Join a Leading Dermatology Practice in a Highly Desirable New York Region A thriving, physician-led dermatology group is seeking an experienced Dermatology Physician Assistant with 5+ years of dedicated dermatology experience . This... 

Peerless Industries

CNC Laser Operator (Manufacturing Technician) Job at Peerless Industries

 ...forward to our company parties with raffles, contests, lunch and laughs. Job Description We are seeking an experienced CNC Laser Operator to set up, operate, and maintain laser and punch equipment (Trumpf preferred). This role is responsible for producing high... 

Insurance Company Of Florida

Insurance Agent Job at Insurance Company Of Florida

Responsive recruiterWe are looking for a competitive insurance agent to generate new business by contacting potential customers. You will sell, solicit, differentiate and negotiate insurance plans that match the needs of your assigned or prospective customers portfolio...