Offensive, defensive Security Engineer AI Agent-Full time Hire--ONSITE-Ontario, Canada

Offensive Security Engineer AI Agent

Location : Toronto, Ontario, Canada - Hybrid 4 Days Onsite

Requirements: - 10+ years hands-on experience across software engineering, offensive security, and defensive security at a principal engineer level, with demonstrated personal contributions to production codebases and published vulnerability research or penetration testing engagements.

- Advanced technical proficiency in multiple programming language (Java, C#, C, C++, Python, JavaScript/TypeScript, .NET, Go) with proven ability to personally write, review, and remediate production code.

- Deep fluency in vulnerability classes including memory safety, injection authentication and authorization flaws, cryptographic misuse, deserialization, race conditions, and supply chain attacks, with hands-on experience finding and exploiting each.

- Extensive hands-on experience with penetration testing, red teaming, exploit development, reverse engineering, and secure code review against OWASP Top 10 and SANS 25 , combined with defensive engineering experience building detection and remediation capabilities.

- Extensive hands-on experience with application security testing tools (SAST, DAST, IAST, SCA), including tuning, false positive analysis, exemption workflow design, and enterprise vulnerability management at scale.

- Deep technical fluency with agentic AI coding tools and frameworks (Claude, Devin, Copilot, Windsurf, Cursor, MCP_, including prompt engineering, agent orchestration, reusable skill and tool design, guardrail design, and evaluation.

- Strong architectural knowledge of modern CI.CD, container platforms (Docker, Kubernetes), cloud-native deployment patterns, and integration of security automation into developer workflows.

Preferred, but not required: - Relevant security certifications (OSCP, OSCE, OSEP, GXPN, GWAPT, CISSP, or equivalent).

- Experience in financial services or highly regulated industries with exposure to SOX, SOC1, and regulatory audit.

- Public evidence of offensive capability: published CVEs, bug bounty track record, conference talks (DEFCON, Black Hat, Offensive Con, Recon), CTF placements, or open-source security tooling contributions.

- Hands-on experience with enterprise vulnerability tooling (Tenable, Aqua, Snyk, BrightSec) and remediation at scale.

- Demonstrated ability to advise senior technology leaders and deliver within complex, multi-stakeholder enterprise environments.

Responsibilities: - Architect and operationalize the end-to-end agentic AI patching pipeline spanning detection, fix generation, automated testing, and release across SAST, DAST, SCA, IAST, container, and server vulnerabilities.

- Use frontier AI models to discover novel vulnerabilities in production application and infrastructure code, develop proof-of-concept exploits, and validate that AI-generated fixes close the underlying root cause.

- Build and maintain the library of reusable AI skills, prompts, evaluation harness, and tooling that power agentic vulnerability discovery, triage, remediation, false positive analysis, and exemption workflows at scale.

- Design and operationalize AI-driven false positive analysis and exemption processes to reduce manual triage burden and surface only actionable findings to development teams.

- Conduct hands-on penetration testing and red team exercise against critical applications and infrastructure to validate defensive controls and agent-generated remediations.

- Extend agentic remediation coverage across SAST, SCA, DAST, IAST, container, and server vulnerabilities, including the data and tooling needed to connect findings back to source.

- Design agent prompting, guardrails, evaluation frameworks, and appropriate human-in-the-loop controls to ensure safe autonomous code changes, testing, and deployment.

- Drive integration of agentic remediation into enterprise CI/CD pipelines (Github, Jenkins, etc.) across the deployment landscape.

- Communicate technical design, risk trade-offs, and delivery progress clearly to senior stakeholders including CIO, CISO, 2LOD, and Audit functions.