Offensive Security Engineer, Product Security

Zoox is seeking an experienced Offensive Security Engineer with deep technical expertise in reviewing and testing Internet of Things (IoT) devices, robots, or autonomous systems. This individual will be responsible for performing security assessments across the full stack of connected devices, from embedded firmware to cloud APIs. You will simulate real-world adversaries, identify vulnerabilities, and provide technical insights that directly impact the security posture of our products.

Key Responsibilities Include:

• Conduct offensive security assessments of IoT devices, including hardware, firmware, mobile apps, APIs, cloud backends, and communication protocols.
• Reverse engineer firmware and perform static and dynamic analysis to identify security flaws.
• Identify and exploit vulnerabilities in embedded systems, wireless protocols, bootloaders, secure boot implementations, and cryptographic mechanisms.
• Build and execute proof-of-concept attacks to demonstrate real-world exploitability and business impact.
• Collaborate with product, hardware, and software engineering teams to define secure development practices and improve product resilience.
• Contribute to internal tooling, automation, and methodologies for IoT security testing.
• Participate in threat modeling and architecture reviews of new products and features.
• Stay up to date with emerging vulnerabilities, tools, and offensive research relevant to IoT ecosystems.

The ideal candidate has deep expertise in security engineering, cryptography, network security, and secure system design, with a proactive approach to securing complex platforms.

Qualifications

• 5+ years of hands-on experience in offensive security or penetration testing, with at least 2 years focused on IoT and embedded systems.
• Strong knowledge of hardware hacking techniques (e.g., JTAG/SWD/UART debugging, side-channel analysis, fault injection).
• Proficient in reverse engineering tools such as Ghidra, IDA Pro, Binary Ninja, and debugging tools like JTAGulator, OpenOCD, or Bus Pirate.
• Experience analyzing and modifying firmware images (binwalk, Firmadyne, QEMU).
• Familiarity with secure boot, TPM/TEE, flash encryption, and other embedded security technologies.
• Deep understanding of wireless communication protocols (e.g., BLE, Zigbee, LoRa, Wi-Fi).
• Programming and scripting proficiency in Python, C/C++, Bash, or similar languages.
• Solid understanding of common vulnerabilities (e.g., memory corruption, logic flaws, insecure update mechanisms).

Bonus Qualifications

• Experience with secure SDLC in embedded or hardware environments.
• Knowledge of cloud security and mobile application security testing.
• Contributions to open-source security tools or published research in IoT security.
• Experience presenting technical research at security conferences or publishing security advisories, CVEs, or whitepapers.

About ZooxZoox is developing the first ground-up, fully autonomous vehicle fleet and the supporting ecosystem required to bring this technology to market. Sitting at the intersection of robotics, machine learning, and design, Zoox aims to provide the next generation of mobility-as-a-service in urban environments. We’re looking for top talent that shares our passion and wants to be part of a fast-moving and highly execution-oriented team.
Follow us on LinkedIn
AccommodationsIf you need an accommodation to participate in the application or interview process please reach out to accommodations@zoox.com or your assigned recruiter.
A Final Note:You do not need to match every listed expectation to apply for this position. Here at Zoox, we know that diverse perspectives foster the innovation we need to be successful, and we are committed to building a team that encompasses a variety of backgrounds, experiences, and skills.