Careers / Open roles

Treat pentesting as a craft?
So do we.

Facade Offense hires experienced offensive security operators who care about the work. We take fewer engagements and go deeper. We ship reports we're proud to put our name on. We don't offshore client work. If that resonates, we'd like to hear from you.

What we offer

A small team that respects the craft.

  • // 01 Real engagements

    Boutique SMB-to-enterprise scope. No volume PTaaS treadmill. You own engagements end-to-end — scoping, testing, reporting, retest.

  • // 02 Modern tooling

    Burp Pro, Nessus, Metasploit, BloodHound, Pacu, ProjectDiscovery. AI augmentation via PentestGPT and XBOW where it adds value. We pay for the tools that actually work.

  • // 03 Above-market rates

    We charge for value, not hours. We pass that through to our team. Senior contract rates start at $150–$250/hr depending on scope and specialization.

  • // 04 No bureaucracy

    Direct comms. No layers. No "engagement managers" between you and the client. If you want autonomy and ownership, this is it.

  • // 05 Continuous learning

    Cert reimbursement (OSCP, OSEP, OSWE, OSEE, AWAE, equivalents). Conference budget. Lab time. We invest in operators who invest in their craft.

  • // 06 US-only operators

    We don't subcontract overseas. Your work stays with you. Client trust depends on that — so does ours in our team.

Open roles / 2

Currently hiring.
Apply when you're ready.

We hire deliberately. Roles below are real. If you don't see a fit but think you'd be one, send your resume anyway — we're always interested in operators who take the work seriously.

// SENIOR-PENTESTER

Senior Penetration Tester

Full-time / Contract, Remote (US-only)

Lead web app, API, and network engagements end-to-end. Manual methodology, AI-augmented tooling, human-validated reporting.

Requirements
  • 5+ years offensive security experience
  • OSCP, OSWE, or equivalent practical certifications
  • Strong web app, API, and network testing fundamentals
  • Familiarity with Burp Suite Pro, Metasploit, BloodHound
  • Comfortable writing client-facing reports auditors will read
  • US citizen or authorized to work in the US (no offshore subcontracting)
Nice to have
  • OSCE3, OSEP, or GPEN
  • Cloud security experience (AWS, Azure, GCP)
  • Experience with PentestGPT, XBOW, or similar AI-assisted tooling
  • Public bug bounty reputation (HackerOne, Bugcrowd)
  • Conference talks or published research
// CLOUD-SECURITY-ENGINEER

Cloud Security Engineer (Contract)

Contract, Remote (US-only)

Lead cloud configuration reviews and attack-path assessments across AWS, Azure, and GCP environments.

Requirements
  • 4+ years cloud security or cloud infrastructure experience
  • Deep AWS or Azure expertise (GCP is a plus)
  • IAM and identity attack-path mapping experience
  • Familiarity with Pacu, Prowler, ScoutSuite, or similar
  • CIS Benchmarks fluency
  • US citizen or authorized to work in the US
Nice to have
  • AWS Security Specialty or Azure equivalent certification
  • Terraform / IaC review experience
  • Container and Kubernetes security background
/// How to apply

Send your resume to
careers@facadeoffense.com

What to include

  • Resume (PDF preferred)
  • Which role you're applying for (or "general application")
  • 2–3 sentences on what kind of work you want to do
  • Links: LinkedIn, GitHub, HackerOne / Bugcrowd profile, blog, CVE credits — anything relevant
  • Sample work if comfortable sharing (sanitized writeups, public CTF solutions, blog posts)

What to expect

  1. Acknowledgment within 3 business days. If we're interested, we'll schedule a 30-min intro call.
  2. Technical conversation. Walking through a past engagement (sanitized) or solving a small offensive security scenario together.
  3. Practical exercise. Time-boxed, scoped, paid. We don't do unpaid work-trials.
  4. Decision within 2 weeks of intro call. We don't leave candidates hanging.