RXO
Application Security & Red Team - Lead Engineer, Information Security
RXO, Chicago, Illinois, United States, 60290
Overview
Accelerate your career at RXO.
RXO is a leading provider of transportation solutions. With cutting-edge technology at the center, we\'re revolutionizing the industry with our massive network and commitment to finding solutions for every challenge. We create more efficient ways for shippers and carriers to transport goods across North America.
Compensation Compensation range for this role is $120-145K
Role Application Security & Red Team | Lead Engineer, Information Security
As a Lead Ethical Hacker on the Threat and Vulnerability Management team at RXO, you\'ll play a critical role in driving offensive security engagements—specifically focusing on application security, web application testing, and red teaming. You will perform in-depth assessments of applications and cloud environments to identify security risks and help build a more secure enterprise.
What your day-to-day will look like
Run investigations gathering key information about application architectures, APIs, and code flows to support effective testing and offensive security engagements
Conduct detailed application-layer penetration testing of web, mobile, API, and containerized applications—targeting OWASP Top 10 risks, business logic flaws, input validation, and authenticated scenarios such as role-based access control
Simulate real-world attacks targeting applications, APIs, and business logic to demonstrate risk through exploitation and lateral movement within application ecosystems
Determine the potential impact of exploiting application-level vulnerabilities and misconfigurations that could lead to unauthorized access or data exfiltration
Lead research into new web application vulnerabilities, cloud-native threats, and evolving attack vectors used against modern application stacks
Review and verify findings from peers, focusing on validating web application and API vulnerabilities and identifying false positives
Brainstorm, strategize, and plan multi-phase Red Team engagements with an application-first mindset—emulating adversaries targeting application entry points
Document and communicate findings in a way that aligns with development and DevSecOps teams, providing clear remediation steps rooted in secure coding practices
What you\'ll need to excel At a minimum, you\'ll need:
Bachelor\'s degree or equivalent related work or military experience
4 years of experience in information security and systems
It\'d be great if you also have:
Experience working with AI and machine learning systems, including assessing the security of AI/ML-based applications, models, and pipelines, and identifying vulnerabilities across these environments.
One or more offensive security certification(s) such as OSCP, OSCE, GWAPT, GPEN, eWPT, eCPPT, etc.
Strong experience in web application penetration testing and application-layer attack techniques
Hands-on experience with Burp Suite Pro, OWASP ZAP, Postman, SQLMap, and similar tools; Familiarity with .NET and Java-based web applications, including secure coding and common vulnerabilities
Experience testing cloud-based environments (AWS, Azure, GCP), especially in containerized or serverless architectures
Solid understanding of OWASP Top 10, OWASP ASVS, and secure software development lifecycles
Proficiency in scripting and automation using Python, PowerShell, or Bash
Familiarity with frameworks such as MITRE ATT&CK, Cyber Kill Chain, etc.
Experience with Red Team tools like Cobalt Strike, Core Impact, and advanced simulation frameworks
The Next Step Ready to join our team? We'd love to hear from you. Fill out an application now and join our talent community to learn about future opportunities.
Equal Opportunity We are proud to be an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.
All applicants who receive a conditional offer of employment may be required to take and pass a pre-employment drug test.
The above statements are not an exhaustive list of all required responsibilities, duties and skills for this job classification.
Review RXO\'s candidate privacy statement here and RXO\'s Privacy Notice to California Job Applicants here.
#J-18808-Ljbffr
RXO is a leading provider of transportation solutions. With cutting-edge technology at the center, we\'re revolutionizing the industry with our massive network and commitment to finding solutions for every challenge. We create more efficient ways for shippers and carriers to transport goods across North America.
Compensation Compensation range for this role is $120-145K
Role Application Security & Red Team | Lead Engineer, Information Security
As a Lead Ethical Hacker on the Threat and Vulnerability Management team at RXO, you\'ll play a critical role in driving offensive security engagements—specifically focusing on application security, web application testing, and red teaming. You will perform in-depth assessments of applications and cloud environments to identify security risks and help build a more secure enterprise.
What your day-to-day will look like
Run investigations gathering key information about application architectures, APIs, and code flows to support effective testing and offensive security engagements
Conduct detailed application-layer penetration testing of web, mobile, API, and containerized applications—targeting OWASP Top 10 risks, business logic flaws, input validation, and authenticated scenarios such as role-based access control
Simulate real-world attacks targeting applications, APIs, and business logic to demonstrate risk through exploitation and lateral movement within application ecosystems
Determine the potential impact of exploiting application-level vulnerabilities and misconfigurations that could lead to unauthorized access or data exfiltration
Lead research into new web application vulnerabilities, cloud-native threats, and evolving attack vectors used against modern application stacks
Review and verify findings from peers, focusing on validating web application and API vulnerabilities and identifying false positives
Brainstorm, strategize, and plan multi-phase Red Team engagements with an application-first mindset—emulating adversaries targeting application entry points
Document and communicate findings in a way that aligns with development and DevSecOps teams, providing clear remediation steps rooted in secure coding practices
What you\'ll need to excel At a minimum, you\'ll need:
Bachelor\'s degree or equivalent related work or military experience
4 years of experience in information security and systems
It\'d be great if you also have:
Experience working with AI and machine learning systems, including assessing the security of AI/ML-based applications, models, and pipelines, and identifying vulnerabilities across these environments.
One or more offensive security certification(s) such as OSCP, OSCE, GWAPT, GPEN, eWPT, eCPPT, etc.
Strong experience in web application penetration testing and application-layer attack techniques
Hands-on experience with Burp Suite Pro, OWASP ZAP, Postman, SQLMap, and similar tools; Familiarity with .NET and Java-based web applications, including secure coding and common vulnerabilities
Experience testing cloud-based environments (AWS, Azure, GCP), especially in containerized or serverless architectures
Solid understanding of OWASP Top 10, OWASP ASVS, and secure software development lifecycles
Proficiency in scripting and automation using Python, PowerShell, or Bash
Familiarity with frameworks such as MITRE ATT&CK, Cyber Kill Chain, etc.
Experience with Red Team tools like Cobalt Strike, Core Impact, and advanced simulation frameworks
The Next Step Ready to join our team? We'd love to hear from you. Fill out an application now and join our talent community to learn about future opportunities.
Equal Opportunity We are proud to be an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.
All applicants who receive a conditional offer of employment may be required to take and pass a pre-employment drug test.
The above statements are not an exhaustive list of all required responsibilities, duties and skills for this job classification.
Review RXO\'s candidate privacy statement here and RXO\'s Privacy Notice to California Job Applicants here.
#J-18808-Ljbffr