Remote Senior Penetration Testing Security Engineer – Advanced Web/API & Embedded Device Vulnerability Research for Amazon Devices & Services

Remote, USA Full-time Posted 2025-11-03
```html

About Amazon Devices & Services Trust & Security (DSTS)

Amazon’s Devices & Services Trust & Security organization (DSTS) is the guardian of the digital safety behind millions of consumer experiences—from the voice that powers Alexa to the smart camera that watches over homes, from the Kindle that delivers books to the Ring doorbell that secures front‑door access. Since its inception in 2014, DSTS has built a reputation for relentless innovation, high‑impact security engineering, and a culture that thrives on curiosity, collaboration, and a deep sense of responsibility to protect our customers’ data and trust.

Our mission is simple yet profound: protect the privacy, security, and safety of every Amazon customer who interacts with any of our devices or services. To achieve this, we blend offensive security testing, threat modeling, automated tooling, and hands‑on hardware analysis. The work we do not only finds vulnerabilities – it builds the security foundations that future Amazon products will inherit.

Why This Role Matters

The Remote Senior Penetration Testing Security Engineer is the front‑line attacker‑mind in our security team. You will spearhead comprehensive security assessments across a sprawling ecosystem that includes web applications, RESTful APIs, embedded firmware, bootloaders, secure enclaves, and machine‑learning‑driven services. Your discoveries will directly influence product roadmaps, drive remediation across engineering teams, and ultimately keep millions of users safe.

Key Responsibilities

  • Lead end‑to‑end penetration tests on Amazon devices, cloud services, and hybrid solutions, delivering high‑fidelity proof‑of‑concept exploits that demonstrate real‑world impact.
  • Design and execute advanced vulnerability research using a toolkit that includes symbolic execution engines, fuzzers, static analysis platforms, custom scripts, and emerging machine‑learning techniques.
  • Perform deep source‑code and binary analysis, combining automated scanners with manual inspection to uncover subtle logic flaws, insecure cryptographic implementations, and privilege‑escalation paths.
  • Develop threat models for new product initiatives, mapping attack surfaces, identifying potential adversarial techniques, and providing strategic mitigation recommendations.
  • Collaborate closely with builder teams (software, hardware, and product owners) to triage findings, prioritize remediation efforts, and track security improvements throughout the software development lifecycle (SDLC).
  • Author comprehensive technical reports that detail vulnerability discovery, exploitation steps, business impact, and remediation guidance for both engineering stakeholders and senior leadership.
  • Mentor junior pentesters and foster a knowledge‑sharing culture by organizing brown‑bag sessions, writing internal tooling documentation, and contributing to open‑source security projects where appropriate.
  • Automate repetitive testing workflows by building reusable frameworks, CI/CD security integrations, and custom plugins that reduce manual effort and increase test coverage.
  • Stay ahead of emerging threats by monitoring security research trends, participating in Capture‑The‑Flag (CTF) competitions, contributing to vulnerability databases (CVE/Bounty), and publishing findings at conferences or in internal whitepapers.

Essential Qualifications

  • Minimum 5+ years of hands‑on experience identifying, exploiting, and remediating vulnerabilities in web applications, RESTful APIs, and service‑oriented architectures.
  • Demonstrated expertise in hardware security fundamentals such as secure boot, JTAG/UART/SPI/I²C interfaces, firmware extraction, Trusted Execution Environments (TEE), side‑channel analysis, and privilege‑escalation tactics.
  • Proven track record of threat modeling complex, multi‑component systems and proposing mitigations that balance security with product timelines.
  • Hands‑on familiarity with major cloud platforms—preferably AWS—including IAM, Lambda, API Gateway, S3, and serverless security considerations.
  • Academic background: Bachelor’s degree in Computer Science, Electrical Engineering, or related discipline, or equivalent professional experience.
  • Active participation in CTF competitions, CVE research, or Bug Bounty programs with publicly disclosed findings or recognitions.
  • Experience leveraging Machine Learning (ML) techniques for security testing, such as anomaly detection, automated exploit generation, or intelligent fuzzing.
  • Publication record in security venues—conference talks, whitepapers, blog posts, or internal knowledge‑sharing artifacts.

Preferred (But Not Mandatory) Skills

  • Proficiency in programming languages such as Python, Go, C/C++, Rust, or JavaScript for building custom exploit frameworks and automation scripts.
  • Familiarity with security testing tools like Burp Suite, OWASP ZAP, Metasploit, AFL, LibFuzzer, Angr, or Binwalk.
  • Experience with container security (Docker, Kubernetes) and orchestration‑level threat assessment.
  • Knowledge of cryptographic standards, secure protocol design, and common implementation pitfalls.
  • Past involvement with regulatory compliance frameworks (e.g., GDPR, CCPA, PCI‑DSS) that influence security posture.

Core Competencies & Personal Attributes

  • Analytical mindset: Ability to dissect complex systems, trace data flows, and pinpoint subtle weaknesses.
  • Creative problem‑solving: Inventive approach to building novel attack vectors and bypassing defenses.
  • Clear communication: Translate technical findings into concise, actionable recommendations for engineers, product managers, and executives.
  • Collaboration: Work seamlessly across distributed, cross‑functional teams in varied time zones.
  • Ownership: Take responsibility for the full lifecycle of a security finding—from discovery through remediation verification.
  • Continuous learning: Stay current on emerging attack techniques, security tools, and industry best practices.
  • Ethical integrity: Uphold the highest standards of confidentiality, data protection, and responsible disclosure.

Career Growth & Learning Opportunities

Amazon invests heavily in the professional development of its security engineers. In this role, you will have access to:

  • Cutting‑edge security labs equipped with the latest hardware, firmware, and cloud environments for hands‑on experimentation.
  • Internal training programs covering advanced topics such as reverse engineering, secure software development, and AI‑driven security analytics.
  • Mentorship pathways where senior engineers coach emerging talent and facilitate career‑progression tracks toward principal or architectural security leadership.
  • Conference sponsorship for presenting research at DEF CON, Black Hat, RSA, or other premier venues.
  • Rotational assignments across Amazon’s diverse security domains (e.g., Cloud, Retail, Healthcare, IoT) to broaden expertise.
  • Innovation incubators that encourage the creation of new security tools, internal open‑source projects, or patents.

Work Environment & Culture

Our team embraces a remote‑first philosophy while maintaining a vibrant, collaborative culture:

  • Global talent pool: Work alongside security professionals from across the world, bringing diverse perspectives to challenging problems.
  • Flexible hours: Align your schedule with personal productivity peaks while remaining available for core US‑based meetings.
  • Inclusive & equitable workplace: Amazon’s DEI initiatives ensure that every voice is heard, respected, and celebrated.
  • Transparent communication: Regular all‑hands, scrum ceremonies, and open‑door policies foster trust and alignment.
  • Community engagement: Internal hackathons, security‑focused brown‑bag talks, and volunteer opportunities keep the team energized.

Compensation, Perks & Benefits

Amazon offers a total‑compensation package designed to attract top security talent:

  • Competitive base salary ranging from $143,300 to $247,600 annually, calibrated to geographic market and experience level.
  • Performance‑based bonuses and equity awards that align personal success with company growth.
  • Comprehensive health plans covering medical, dental, vision, and mental‑health resources.
  • Retirement savings with company matching contributions.
  • Generous paid time off, parental leave, and flexible work arrangements to support work‑life harmony.
  • Learning stipend for certifications, courses, or conferences.
  • Employee assistance programs that provide counseling, legal support, and financial guidance.
  • Employee discount program granting access to Amazon devices, services, and partner offers.

Our Commitment to Diversity & Inclusion

Amazon believes that a diverse security team produces stronger, more innovative solutions. We actively seek candidates from all backgrounds, regardless of whether you meet every listed qualification. If you possess a growth mindset, a passion for hacking, and a desire to make a meaningful impact, we encourage you to apply.

Application Process

Ready to join a world‑class security team that protects the devices millions rely on every day? Follow these steps:

  1. Prepare an updated résumé highlighting relevant penetration‑testing projects, CTF achievements, and publications.
  2. Draft a concise cover letter describing why the Amazon Devices & Services ecosystem excites you and how your expertise aligns with the role.
  3. Submit your application through the Amazon Careers portal or the provided external link.
  4. If shortlisted, you will engage in a series of interview stages—including technical assessments, a live hacking exercise, and a culture‑fit discussion.
  5. Upon a successful offer, you’ll begin onboarding into a supportive community where your curiosity is celebrated.

Don’t Hesitate – Apply Today!

Security is a constantly evolving battlefield, and Amazon needs bold, inventive minds to stay ahead of adversaries. Whether you are a seasoned pentester or an ambitious professional eager to deepen your expertise, this remote senior role offers the perfect platform to showcase your talents, influence product security at scale, and grow your career within one of the world’s most innovative companies.

Take the next step. Submit your application now and become part of the team that makes Amazon devices safer for every customer.

```