Penetration Testing Specialist

  • Permanent
  • Full-time
  • Hybrid (1004, Buenos Aires, Buenos Aires, Argentina)
  • Cybersecurity

About the Role

Remitee is a rapidly expanding fintech company specializing in international payments and cross-border remittances across Latin America.

We are looking for a Penetration Testing Specialist to join our Cybersecurity team. You will own offensive security at Remitee: running assessments across web, mobile, API, cloud, and internal network, embedding with engineering squads as an AppSec partner, and building programs (threat modeling, bug bounty, purple teaming) that make the whole organization more secure. This is a hands-on technical role with direct visibility to leadership.

Key Responsibilities

  • Plan and execute penetration tests across web applications, mobile (iOS/Android), APIs, cloud infrastructure, and internal networks, following PTES, OWASP WSTG, OWASP MASTG, OWASP API Security Top 10, OWASP ASVS, and NIST.

  • Maintain versioned, reproducible, and auditable checklists by target type, covering IAM, role-based authorization, idempotency, rate limiting, error handling, and information exposure.

  • Conduct application security code reviews in backend codebases: input validation, authorization flaws (BOLA/IDOR), financial logic bugs (decimal precision, rounding, conversions), concurrency, idempotency, webhook signatures, and secrets handling.

  • Operate and tune the AppSec toolchain integrated into the SDLC: SAST, DAST, SCA, secrets scanning, and IaC scanning.

  • Design and maintain a threat modeling program (STRIDE / PASTA / LINDDUN) for critical product features.

  • Audit OAuth 2.0 / OIDC / JWT implementations for algorithm confusion, replay attacks, refresh token rotation, PKCE, and claim validation (iss/aud/exp).

  • Perform deep API security testing: BOLA/BFLA, mass assignment, rate limiting, idempotency, race conditions, and signed webhooks.

  • Secure partner integrations: CSP, frame-ancestors, postMessage, CORS, SameSite, and sandboxing.

  • Hunt for business logic vulnerabilities with direct economic impact: double-spend, transaction replay, race conditions, negative amounts, overflow/underflow, limit bypass, rounding manipulation, and reused idempotency keys.

  • Build AI-assisted workflows for recon, triage, PoC generation, code review, and directed fuzzing. Apply OWASP Top 10 for LLM and MITRE ATLAS when assessing product features with generative AI.

  • Write executive and technical reports with CVSS v4 severity, business impact, reproducible PoCs, and actionable remediation. Track findings to closure with SLAs by severity.

  • Generate auditable evidence for ISO 27001, BCRA, and partner due diligence processes. Present findings to engineering squads, CTO, CISO, and the risk committee.

  • Embed with squads as a security partner: design reviews, pair reviews, and mentoring on secure coding.

  • Design purple team exercises with SecOps, run internal CTFs and bug bashes, and maintain a bug bounty program.

Must Have

  • 4+ years in pentesting or application security, with hands-on experience assessing production systems.

  • Previous experience as an in-house pentester or AppSec engineer on a live product.

  • Development background: able to read and reason through code independently in at least 2 languages (Python, .NET, Node/TypeScript, or Java).

  • Documented, systematic methodology: PTES, OWASP WSTG / MASTG / ASVS, OWASP API Top 10.

  • Strong command of OAuth 2.0 / OIDC / JWT and their known attacks (algorithm confusion, replay, key confusion, claim validation).

  • Deep API security experience: BOLA/BFLA, mass assignment, rate limiting, idempotency, race conditions, signed webhooks.

  • Full web pentesting coverage: OWASP Top 10, SSRF, deserialization, template injection, prototype pollution, and related.

  • Mobile pentesting: Frida, Objection, MobSF, SSL pinning bypass, hooking, static and dynamic analysis.

  • Cloud security in at least one major cloud (Azure and/or AWS): IAM, privilege abuse, secrets in pipelines, storage exposure.

  • Active, intentional use of AI with your own workflows and awareness of associated risks (sensitive data, hallucinations).

  • Excellent written communication: your reports are auditable deliverables.

Nice to Have

  • Experience in fintech, payments, or other regulated environments.

  • Familiarity with BCRA regulations or other Latin American financial compliance frameworks.

  • Participation in or management of a bug bounty program (HackerOne, Bugcrowd, or similar).

  • Contributions to open source security tooling.

  • Relevant certifications (OSCP, CRTO, GPEN, or similar).

  • Experience with purple team exercises or red team operations.

About Remitee

  • Remitee is an international, expanding organization with a vibrant culture that sets us apart. Our work environment is fast-paced and stimulating, offering numerous opportunities for growth and development. If you're a self-starter who thrives in a collaborative and challenging environment, we encourage you to apply. Our company values are fundamental to our daily operations. To succeed here, you'll need to embrace and live our company values.

  • We build trust (Integrity and Transparency).
    We inspire through example, fulfilling promises, and communicating sincerely.

  • We embrace diversity (Respect and Empathy).
    We listen and connect, valuing diverse perspectives. We recognize achievements and efforts.

  • We trust in the synergy that emerges from effort and collaboration (Teamwork).
    We forge authentic bonds through offering opportunities and sharing responsibilities.

  • We focus on what is essential (Simplicity).
    We simplify complexity, constructing effective solutions. We promote simple and accessible communication.

  • We create our best version (Excellence).
    We act with discipline and perseverance, taking care of our physical and mental well-being. We live with passion and purpose in everything we do.
