Penetration Tester||Immediate Joiner||

VFX AI is building the next-generation AI-native video platform for enterprises and creators. Our platform enables users to upload, edit, enhance, and intelligently analyze video/audio through advanced AI agents. We support multi-tenant workspaces, enterprise-grade access control, and integrations like SSO, SCIM, and AI-powered video intelligence. Were preparing for SOC 2 Type II and GDPR compliance and are seeking an experienced Penetration Tester to identify and help resolve potential vulnerabilities in our system. Responsibilities: Conduct black-box and gray-box penetration testing of our: Web application (Next.js) REST and GraphQL APIs (FastAPI + NestJS) File upload and media pipelines Cloud infrastructure (AWS: S3, EC2, RDS, Redis, VPC) SSO, SCIM, and RBAC access control flows Simulate real-world attack scenarios to uncover: OWASP Top 10 vulnerabilities Multi-tenant access control issues AI/ML injection or misuse pathways Storage or media-processing vulnerabilities Analyze security of AI agent orchestration endpoints and 3rd-party integrations (e.g., TwelveLabs) Identify misconfigurations in IAM roles, S3 bucket policies , and cloud networking Produce detailed technical reports with: Vulnerability descriptions CVSS severity scores Reproduction steps and recommended mitigations Collaborate with engineering teams to validate and prioritize fixes Optionally provide a SOC 2-aligned attestation letter and retesting Required Qualification: 3+ years of hands-on penetration testing experience. Deep understanding of: Web & API security (OWASP Top 10, JWT, CSRF, SSRF, IDOR) AWS security (IAM, S3, EC2, VPC, Secrets Manager) Multi-tenant architecture and RBAC testing File upload, MIME spoofing, and media injection risks Experience with: Pen testing tools (Burp Suite, Postman, Nmap, Trivy, AWS Inspector) Exploiting authentication systems (SSO, SCIM, OAuth, OIDC) Familiarity with AI/ML threat vectors (prompt injection, model abuse) Ability to document findings clearly for technical and non-technical stakeholders Optional: SOC 2 or ISO 27001 audit collaboration experience Preferred Certifications: OSCP, OSWE, CEH, CREST, or equivalent AWS Security Specialty (a plus) What We Offer What We Offer: Opportunity to shape the security posture of a fast-growing AI SaaS product Potential long-term security consulting engagement post-test Access to our engineering and DevSecOps team for collaboration.