WAF Adversarial Engineer

Nextdeavor

Job Location:

Seattle, OR - USA

Hourly Salary: USD 56 - 70
Posted on: 9 days ago
Vacancies: 1 Vacancy

Job Summary

WAF Adversarial Engineer

Full-time
Seattle WA US

You'll be joining Adobe on a contract opportunity employed through NextDeavor.

Benefits You'll Love

  • NextDeavor offers health, vision, and dental benefits for contract employees
  • Paid sick leave eligibility is contingent on state of residence
  • Optional 401k Plan (excludes employer match)
  • Opportunity to get your foot in the door at a well-established corporation with potential for extended or permanent full-time employment

Become a Key Player as a WAF Adversarial Engineer

You will validate and harden the client's web application firewall (WAF) program by running continuous adversarial testing and translating offensive findings into actionable rule candidates. Your work will influence edge security incident response and rule-deployment cadence across the security and engineering teams. This role is hybrid/remote with Seattle preferred and open to remote candidates.

Here's How You'll Make an Impact on the Team

  • Run adversarial test campaigns against the client's WAF stack after each rule update cycle, targeting encoding evasion, HTTP parsing differentials, request smuggling, and other edge-layer weaknesses.
  • Build and maintain a versioned WAF bypass library organized by vulnerability class (e.g. SQLi, XSS, SSRF, path traversal, SSTI) and validate against staging and production WAF configurations.
  • Conduct adversarial testing of API endpoints behind the WAF (business logic abuse, BOLA/BFLA, mass assignment, parameter manipulation) and document which attack classes the WAF can and cannot reliably cover.
  • Triage complex false positives by reproducing ambiguous traffic from the attacker side and recommending targeted rule adjustments.
  • Produce concise validation reports that deliver a reproducer plus a rule recommendation suitable for refinement and deployment.
  • Provide adversarial perspective during active edge incidents, identifying likely attacker behavior, blind spots, and next probable moves.
  • Integrate continuous validation into the team's rule update cadence rather than running standalone penetration tests.

Here's What You'll Need to Be Successful in This Role

  • Demonstrated WAF bypass experience against at least two commercial WAF platforms (e.g. Akamai, AWS WAF, Fastly, Cloudflare).
  • Deep working knowledge of HTTP protocol edge cases affecting WAF inspection: request smuggling primitives, chunked transfer encoding abuse, multipart boundary manipulation, Unicode normalization differentials, and header injection patterns.
  • Proven web application penetration testing track record with WAF-specific scope; tool-running alone does not qualify.
  • Certifications or demonstrated outputs such as OSCP, BSCP, OSWE, or a portfolio of disclosed bypasses, conference talks, or prior validation engagements.
  • Strong scripting skills in Python or Go for building test harnesses, payload generators, and replay tooling.
  • Comfortable working in CI/CD pipelines and cloud environments (AWS or Azure) and integrating with existing infrastructure.
  • Bachelor's degree in Computer Science, Computer Engineering, Information Security, or a related technical field, or equivalent demonstrated experience.

Here's What Else Might Help You Out

  • Deep API-specific attack knowledge: GraphQL injection, BOLA/BFLA, mass assignment.
  • Familiarity with Akamai internals (KRS / ASE rule engine, custom Lua / EdgeWorkers).
  • Experience with bot evasion techniques at the behavioral layer (headless browser fingerprinting bypass, behavioral mimicry).
  • Familiarity with edge-layer LLM/GenAI guardrails and prompt injection mitigation at the WAF tier.
  • Public security research, CVE disclosures, or conference talks demonstrating original bypass work.

Pay Range

$56.34 - $70.42/hour

Ready to Make Your Mark

This role may fill quickly. Submit your resume to be considered.

Apply with Pioneers here


Required Experience:

IC

About Company

Hire trusted candidates who BELONG, STAY, ADVANCE. NextDeavor is a recruiting agency helping companies make more strategic hiring decisions. FIND YOUR NEXT GREAT HIRE. Using AI technology to make the recruiting process more human: AI speeds up, refines, and expands our initial search. This ...