Elite Web & API Security Hacker
San Diego HQ 4350, United States
Full Time USD 115K - 200K
Axos Bank
Target Range: $115,000.00 /Yr. - $200,000.00 /Yr.
Actual starting pay will vary based on factors including, but not limited to, geographic location, experience, skills, specialty, and education.
Eligible for an Annual Discretionary Cash Bonus Target:
Eligible for an Annual Discretionary Restricted Stock Units Bonus Target:
These discretionary target bonuses may be awarded semi-annually based upon your achievement of performance goals and targets.
About This Job
Are you a relentless hacker who sees a login page as a challenge and an API endpoint as an invitation? We’re not looking for someone who knows how to run SAST, DAST, or point-and-click scanners.
We’re hiring an elite technical offensive security expert — a hacker who lives in Burp Suite, thinks in curl, and sees an API schema as a playground. In this role, you’ll simulate real-world adversaries, uncover security flaws across our web applications and APIs, and work closely with engineering to harden the systems that power our platform.
If your favorite tools have names like ffuf, jwt_tool, custom Python scripts, and your brain, we’re ready to talk.
Whether you specialize in bypassing authentication, exploiting misconfigured CORS policies, or finding logic flaws that scanners can’t, we want your mindset, your creativity, and your technical firepower.
This position is on-site at any of our office locations (San Diego CA, Irvine CA, Los Angeles CA, Las Vegas NV, Centennial CO, Omaha NE, Overland Park KS, Edison NJ) or 100% Remote, depending upon your location.
This is a hands-on, offensive role. You should be able to find, exploit, and explain vulnerabilities in modern, production-grade applications without needing your hand held or a scanner to tell you where to look.
What You'll Be Doing
- Break real applications: Perform targeted, manual security testing of production-grade web apps and APIs — REST, GraphQL, gRPC, internal and public-facing
- Simulate adversaries: Go beyond OWASP Top 10 — find logic flaws, auth bypasses, data leakage, and chained exploits
- Red team mindset: Think like an attacker. Design and execute your own kill chains. Document it so even a backend dev gets it
- Code-aware exploitation: You don't need the source, but if you had it, you’d read it like a map to the treasure
- Outthink security controls: WAF? Rate limits? Auth tokens? Good. We want someone who thrives when blocked
- Go deep on abuse cases: Find the obscure. The unintended. The "shouldn’t happen but does" kind of bugs
You Should Already Know
- Web protocols cold: HTTP, cookies, sessions, auth flows, JWTs, CORS
- AuthN/AuthZ exploits: OAuth abuse, IDOR, BOLA, SSO bypass
- API attack patterns: Broken schema enforcement, insecure object references, parameter pollution, replay attacks
- Tools you own (or write): Burp Suite Pro, Postman, ffuf, sqlmap, jwt_tool, mitmproxy, Python, bash — or your own
- Manual testing workflow: You don’t wait for a scanner to find something. You hunt, fuzz, and test edge cases manually
- Threat modeling mindset: You think in abuse scenarios, not just CVEs
What This Role Is Not
- A checkbox compliance role
- A scanner operator (we already have those)
- A security generalist
- A hands-off SME
Why You’ll Love It Here
- Autonomy: You own your targets. You choose your tools. You run your ops
- Impact: We ship fast. You’ll test real apps that matter
- Access: No red tape. You’ll work directly with developers and security leadership
- Culture: Security is valued here. Your work will not be sidelined, deprioritized, or
Work Culture: Intensity, Accountability, and Purpose
We operate in a high-intensity, high-accountability environment where both effort and results matter. We don’t glorify burnout — but we do expect people to push hard, go deep, and take real ownership of their work. Security is critical to our business, and we treat it like it is.
This isn’t a slow, checklist-driven environment. This is a place where your ideas, execution, and attention to detail will have direct, visible impact — and where coasting is not an option.
We value:
- Strong work ethic and consistency — not just short bursts of brilliance
- Extreme ownership — you finish what you start and raise your own bar
- Effort + outcome — we care how hard you work and what you deliver
- Grit, curiosity, and urgency — you act like the attacker is already inside
If you want to out-hack real threats, earn respect through action, and grow fast in an intense but meaningful role — we want to meet you.
Qualifications:
- Bachelor’s degree in Computer Science, Cybersecurity, Engineering, or a related field; Master’s preferred
- 5+ years in information security, including 2+ years in application security roles
- Extensive experience designing and securing APIs in high-scale, cloud-native environments
- Financial services experience is strongly preferred
- Deep knowledge of OWASP Top 10 (including API Security Top 10), secure coding, and threat modeling
- Proficiency in securing RESTful and GraphQL APIs; experience with tools like Postman, Burp Suite, 42Crunch, or API Sentinel
- Familiar with JWT, OAuth2, OIDC, rate limiting, API Gateway policies (e.g., Kong, Apigee, AWS API Gateway)
- Certifications preferred: CSSLP, OSWE, CISSP, or API-specific credentials like API Security Architect (APIsec University)
Axos Employee Benefits May Include:
- Medical, Dental, Vision, and Life Insurance
- Paid Sick Leave, 3 weeks’ Vacation, and Holidays (about 11 a year)
- HSA or FSA account and other voluntary benefits
- 401(k) Retirement Saving Plan with Employer Match Program and 529 Savings Plan
- Employee Mortgage Loan Program and free access to an Axos Bank Account with Self-Directed Trading
About Axos
Born digital-first, Axos delivers financial tools and services that allow individuals, small businesses, and companies to access and manage their money how, when, and where they want. We’re a diverse team of dynamic, insightful, and independent innovators who are excited to provide technology-driven solutions that offer unbeatable value to our customers.
Axos Financial is our holding company and is publicly traded on the New York Stock Exchange under the symbol "AX" (NYSE: AX).
Pre-Employment Background Check and Drug Test:
All offers are contingent upon the candidate successfully passing a credit check, criminal background check, and pre-employment drug screening, which includes screening for marijuana. Axos Bank is a federally regulated banking institution. At the federal level, marijuana is an illegal schedule 1 drug; therefore, we will not employ any person who tests positive for marijuana, regardless of state legalization.
Equal Employment Opportunity:
Axos is an Equal Opportunity employer. We are committed to providing equal employment opportunities to all employees and applicants without regard to race, religious creed, color, sex (including pregnancy, breast feeding and related medical conditions), gender, gender identity, gender expression, sexual orientation, national origin, ancestry, citizenship status, military and veteran status, marital status, age, protected medical condition, genetic information, physical disability, mental disability, or any other protected status in accordance with all applicable federal, state, and local laws.
Job Functions and Work Environment:
While performing the duties of this position, the employee is required to sit for extended periods of time. Manual dexterity and coordination are required while operating standard office equipment such as computer keyboard and mouse, calculator, telephone, copiers, etc.
The work environment characteristics described here are representative of those an employee may encounter while performing the essential functions of this position. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions of this position.