WAF Adversarial Engineer

MW Partner


Job Location:

Seattle, OR - USA

Monthly Salary: Not Disclosed
Posted on: 11 days ago
Vacancies: 1 Vacancy

Job Summary

MW Partners is currently seeking a WAF Adversarial Engineer to work for our client who is a global leader in multimedia and creativity software products.

Responsibilities and duties:

  • Run adversarial test campaigns against the WAF stack (Akamai, AWS WAF, Fastly, and Cloudflare) after each rule update cycle.
  • Target encoding evasion, HTTP parsing differentials between WAF and origin, request smuggling, chunked encoding manipulation, multipart boundary abuse, Unicode normalization gaps, and logic layer bypasses.
  • Build and maintain a versioned WAF bypass library organized by vulnerability class (SQLi, XSS, SSRF, path traversal, SSTI, etc.), validated against staging and production WAF configurations and updated as platforms and rules evolve.
  • Conduct adversarial testing of API endpoints behind the WAF, including business logic abuse, BOLA/BFLA, mass assignment, and parameter manipulation. Document explicitly which classes of attack the WAF can and cannot reliably cover.
  • Triage complex false positive investigations that cannot be resolved through log analysis alone - reproduce the ambiguous traffic from the attacker side and recommend targeted rule adjustments.
  • Produce concise validation reports that translate offensive findings into testable rule candidates the team can refine and deploy. Each deliverable is a reproducer plus a rule recommendation, not a "bypass confirmed" note.
  • Provide adversarial perspective during active edge incidents - likely attacker behavior, blind spots, next probable moves.
  • Operate as the continuous validation function for the WAF program, integrated with the team's rule update cadence rather than running standalone pentest engagements.

Requirements:

  • Bachelor's degree in Computer Science, Computer Engineering, Information Security, or a related technical field, or equivalent demonstrated experience.
  • Demonstrated WAF bypass experience against at least two commercial WAF platforms (Akamai, AWS WAF, Fastly, or Cloudflare).
  • Deep working knowledge of HTTP protocol edge cases that affect WAF inspection: request smuggling primitives, chunked transfer encoding abuse, multipart boundary manipulation, Unicode normalization differentials, and header injection patterns.
  • Web application penetration testing track record with WAF-specific scope. OSCP, BSCP, OSWE, or a portfolio of disclosed bypasses, conference talks, or prior validation engagements against WAF-protected assets. Tool-running alone does not qualify.
  • Proven ability to translate offensive findings into defensive artifacts - reproducer plus rule candidate, not just a finding.
  • Strong scripting in Python or Go for building test harnesses, payload generators, and replay tooling.
  • Comfortable working in CI/CD pipelines and cloud environments (AWS or Azure). Plug into existing infrastructure rather than build it.

Preferred Skills:

  • API-specific attack surface depth: GraphQL injection, BOLA/BFLA, mass assignment.
  • Akamai platform internals: KRS / ASE rule engine, custom Lua / EdgeWorkers exposure.
  • Bot evasion at the behavioral layer: headless browser fingerprinting bypass, behavioral mimicry.
  • Familiarity with edge-layer LLM/GenAI guardrails (OWASP LLM Top 10, prompt injection mitigation at the WAF tier).
  • Public security research, CVE disclosures, or conference talks demonstrating original bypass work.

For a further discussion or to find out more contact Indu Sri Lakavath on or apply now.
