Clera - Your AI talent agent
Kong

Staff Security Engineer - Penetration Tester

full-time • Milan

Summary

Location

Milan

Type

full-time

Experience

5-10 years


About this role

Are you ready to power the World's connections?

If you don’t think you meet all of the criteria below but are still interested in the job, please apply. Nobody checks every box - we’re looking for candidates that are particularly strong in a few areas, and have some interest and capabilities in others.

About the Role

We’re hiring our first in-house Penetration Tester to help us proactively identify and mitigate security risks across Kong’s products, infrastructure, and internal systems. This is a high-impact role where you’ll help define how offensive security is done at Kong.

As Kong’s first dedicated Penetration Tester, you’ll work closely with our Security, Platform, and Engineering teams to continuously test, challenge, and improve the security of our products and services.

You’ll conduct hands-on offensive security assessments, partner with engineers to remediate findings, and help establish scalable, repeatable security testing practices across a modern, cloud-native, open-source environment.

This role blends deep technical testing, strong collaboration, and real influence on how security is embedded into our engineering culture.

What You’ll Be Doing

  • Perform penetration testing across:

      • Web applications, APIs, and microservices

      • Cloud infrastructure and Kubernetes environments

      • CI/CD pipelines and internal tooling

  • Identify, exploit, and clearly document security vulnerabilities and misconfigurations

  • Work closely with engineering teams to validate findings, prioritize risk and support remediation efforts.

  • Design and improve internal processes for continuous security testing, secure development practices, and threat modeling and attack simulation

  • Support third-party security assessments, bug bounty programs, and compliance efforts

  • Help educate engineers on common attack vectors and defensive best practices

  • Contribute to building a strong, security-first culture across Kong.

What You’ll Bring

  • Proven experience in penetration testing, offensive security, or red teaming

  • Strong understanding of:

      • Web application and API security (OWASP Top 10)

      • Authentication, authorization, and identity systems

      • Cloud security concepts and shared responsibility models

  • Hands-on experience testing modern, cloud-native systems

  • Ability to clearly communicate security findings to technical and non-technical audiences

  • A pragmatic mindset: focused on real risk reduction, not just theoretical issues

  • Curiosity, ownership, and comfort working in a fast-moving, engineering-driven environment

Bonus Points

  • Experience testing API gateways, service meshes, or distributed systems

  • Familiarity with Kubernetes and container security

  • Experience with open-source security tools or contributing to open-source projects

  • Bug bounty participation or published research

  • Experience working in a SaaS or enterprise software company

About Kong:

Kong Inc., a leading developer of cloud API technologies, is on a mission to enable companies around the world to become “API-first” and securely accelerate AI adoption. Kong helps organizations globally — from startups to Fortune 500 enterprises — unleash developer productivity, build securely, and accelerate time to market. For more information about Kong, please visit www.konghq.com or follow us on X @thekonginc.

What you'll do

  • The Staff Security Engineer - Penetration Tester will conduct hands-on offensive security assessments and work closely with engineering teams to validate findings and support remediation efforts. This role also involves designing and improving internal processes for continuous security testing and contributing to a strong security-first culture.

About Kong

Powering the API World. No AI without APIs. Kong enables any company to become an API-first company. Kong’s unified cloud native API platform is easy to use and works in any environment — unleashing developer productivity, automating security, and boosting performance of APIs and microservices at scale.


Frequently Asked Questions

What does a Staff Security Engineer - Penetration Tester do at Kong?

As a Staff Security Engineer - Penetration Tester at Kong, you will conduct hands-on offensive security assessments and work closely with engineering teams to validate findings and support remediation efforts. This role also involves designing and improving internal processes for continuous security testing and contributing to a strong security-first culture.

Is the Staff Security Engineer - Penetration Tester position at Kong remote?

The Staff Security Engineer - Penetration Tester position at Kong is based in Milan, Lombardy, Italy. Contact the company through Clera for specific work arrangement details.

How do I apply for the Staff Security Engineer - Penetration Tester position at Kong?

You can apply for the Staff Security Engineer - Penetration Tester position at Kong directly through Clera. Click the "Apply Now" button above to start your application. Clera's AI-powered platform will help match your profile with this opportunity and guide you through the application process.

This role is hosted on Kong's careers site.