Application Security & Red Team - Lead Engineer, Information Security

Accelerate your career at RXO. 

RXO is a leading provider of transportation solutions. With cutting-edge technology at the center, we’re revolutionizing the industry with our massive network and commitment to finding solutions for every challenge. We create more efficient ways for shippers and carriers to transport goods across North America.

Application Security & Red Team | Lead Engineer, Information Security

As a Lead Ethical Hacker on the Threat and Vulnerability Management team at RXO, you’ll play a critical role in driving offensive security engagements—specifically focusing on application security, web application testing, and red teaming. You will perform in-depth assessments of applications and cloud environments to identify security risks and help build a more secure enterprise.

What your day-to-day will look like:

• Run investigations gathering key information about application architectures, APIs, and code flows to support effective testing and offensive security engagements
• Conduct detailed application-layer penetration testing of web, mobile, API, and containerized applications—targeting OWASP Top 10 risks, business logic flaws, input validation, and authenticated scenarios such as role-based access control.
• Simulate real-world attacks targeting applications, APIs, and business logic to demonstrate risk through exploitation and lateral movement within application ecosystems
• Determine the potential impact of exploiting application-level vulnerabilities and misconfigurations that could lead to unauthorized access or data exfiltration
• Lead research into new web application vulnerabilities, cloud-native threats, and evolving attack vectors used against modern application stacks
• Review and verify findings from peers, focusing on validating web application and API vulnerabilities and identifying false positives
• Brainstorm, strategize, and plan multi-phase Red Team engagements with an application-first mindset—emulating adversaries targeting application entry points
• Document and communicate findings in a way that aligns with development and DevSecOps teams, providing clear remediation steps rooted in secure coding practices

What you’ll need to excel:

At a minimum, you’ll need:

• Bachelor’s degree or equivalent related work or military experience
• 4 years of experience in information security and systems, with emphasis on application or cloud security

It’d be great if you also have:

• Experience working with AI and machine learning systems, including assessing the security of AI/ML-based applications, models, and pipelines, and identifying vulnerabilities across these environments.
• One or more offensive security certification(s) such as OSCP, OSCE, GWAPT, GPEN, eWPT, eCPPT, etc.
• Strong experience in web application penetration testing and application-layer attack techniques
• Hands-on experience with Burp Suite Pro, OWASP ZAP, Postman, SQLMap, and similar tools Familiarity with .NET and Java-based web applications, including secure coding and common vulnerabilities
• Experience testing cloud-based environments (AWS, Azure, GCP), especially in containerized or serverless architectures
• Solid understanding of OWASP Top 10, OWASP ASVS, and secure software development lifecycles
• Proficiency in scripting and automation using Python, PowerShell, or Bash
• Familiarity with frameworks such as MITRE ATT&CK, Cyber Kill Chain, etc.
• Experience with Red Team tools like Cobalt Strike, Core Impact, and advanced simulation frameworks

The Next Step

Ready to join our team? We’d love to hear from you. Fill out an application now and join our talent community to learn about future opportunities.

We are proud to be an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

All applicants who receive a conditional offer of employment may be required to take and pass a pre-employment drug test.

The above statements are not an exhaustive list of all required responsibilities, duties and skills for this job classification.

Review RXO's candidate privacy statement here and RXO's Privacy Notice to California Job Applicants here.