About the Role
Remitee is a rapidly expanding fintech company specializing in international payments and cross-border remittances across Latin America.
We are looking for a Penetration Testing Specialist to join our Cybersecurity team. You will own offensive security at Remitee: running assessments across web, mobile, API, cloud and internal network targets, embedding with engineering squads as an AppSec partner, and building programs (threat modeling, bug bounty, purple teaming) that make the whole organization more secure. This is a hands-on technical role with direct visibility to leadership.
Key Responsibilities
- Plan and execute penetration tests across web applications, mobile (iOS/Android), APIs, cloud infrastructure and internal networks, following PTES, OWASP WSTG, OWASP MASTG, OWASP API Security Top 10, OWASP ASVS and NIST guidance.
- Maintain versioned, reproducible and auditable checklists by target type, covering IAM, role-based authorization, idempotency, rate limiting, error handling and information exposure.
- Conduct application security code reviews in backend codebases: input validation, authorization flaws (BOLA/IDOR), financial logic bugs (decimal precision, rounding, currency conversions), concurrency, idempotency, webhook signatures and secrets handling.
- Operate and tune the AppSec toolchain integrated into the SDLC: SAST, DAST, SCA, secrets scanning and IaC scanning.
- Design and maintain a threat modeling program (STRIDE / PASTA / LINDDUN) for critical product features.
- Audit OAuth 2.0 / OIDC / JWT implementations for algorithm confusion, replay attacks, refresh token rotation, PKCE and claim validation (iss/aud/exp).
- Perform deep API security testing: BOLA/BFLA, mass assignment, rate limiting, idempotency, race conditions and signed webhooks.
- Secure partner integrations: CSP frame-ancestors, postMessage, CORS, SameSite and sandboxing.
- Hunt for business logic vulnerabilities with direct economic impact: double-spend, transaction replay, race conditions, negative amounts, overflow/underflow, limit bypass, rounding manipulation and reused idempotency keys.
- Build AI-assisted workflows for recon, triage, PoC generation, code review and directed fuzzing. Apply the OWASP Top 10 for LLM Applications and MITRE ATLAS when assessing product features that use generative AI.
- Write executive and technical reports with CVSS v4 severity, business impact, reproducible PoCs and actionable remediation. Track findings to closure with SLAs by severity.
- Generate auditable evidence for ISO 27001, BCRA and partner due diligence processes. Present findings to engineering squads, the CTO, the CISO and the risk committee.
- Embed with squads as a security partner: design reviews, pair reviews and mentoring on secure coding.
- Design purple team exercises with SecOps, run internal CTFs and bug bashes, and maintain a bug bounty program.
Must Have
- 4 years in pentesting or application security, with hands-on experience assessing production systems.
- Previous experience as an in-house pentester or AppSec engineer on a live product.
- Development background: able to read and reason through code independently in at least 2 languages (Node/TypeScript or Java).
- Documented, systematic methodology: PTES, OWASP WSTG / MASTG / ASVS, OWASP API Security Top 10.
- Strong command of OAuth 2.0 / OIDC / JWT and their known attacks (algorithm confusion, replay, key confusion, claim validation).
- Deep API security experience: BOLA/BFLA, mass assignment, rate limiting, idempotency, race conditions, signed webhooks.
- Full web pentesting coverage: OWASP Top 10, SSRF, deserialization, template injection, prototype pollution and related classes.
- Mobile pentesting: Frida, Objection, MobSF, SSL pinning bypass, hooking, static and dynamic analysis.
- Cloud security in at least one major cloud (Azure and/or AWS): IAM privilege abuse, secrets in pipelines, storage exposure.
- Active, intentional use of AI in your own workflows, with awareness of the associated risks (sensitive data exposure, hallucinations).
- Excellent written communication: your reports are auditable deliverables.
Nice to Have
- Experience in fintech, payments or other regulated environments.
- Familiarity with BCRA regulations or other Latin American financial compliance frameworks.
- Participation in or management of a bug bounty program (HackerOne, Bugcrowd or similar).
- Contributions to open source security tooling.
- Relevant certifications (OSCP, CRTO, GPEN or similar).
- Experience with purple team exercises or red team operations.
About Remitee
- Remitee is an internationally expanding organization with a vibrant culture that sets us apart. Our work environment is fast-paced and stimulating, offering numerous opportunities for growth and development. If you're a self-starter who thrives in a collaborative and challenging environment, we encourage you to apply. Our company values are fundamental to our daily operations. To succeed here you'll need to embrace and live our company values.
- We build trust (Integrity and Transparency). We inspire through example, fulfilling promises and communicating sincerely.
- We embrace diversity (Respect and Empathy). We listen and connect, valuing diverse perspectives. We recognize achievements and efforts.
- We trust in the synergy that emerges from effort and collaboration (Teamwork). We forge authentic bonds through offering opportunities and sharing responsibilities.
- We focus on what is essential (Simplicity). We simplify complexity, constructing effective solutions. We promote simple and accessible communication.
- We create our best version (Excellence). We act with discipline and perseverance, taking care of our physical and mental well-being. We live with passion and purpose in everything we do.