Senior Security Researcher
Endor Labs.com
Office
Bengaluru, India
Full Time
Who We Are
Endor Labs is building the Application Security platform for the software development revolution. Modern software is complex and dependency-rich, making it increasingly difficult to pinpoint the risks that truly matter. Endor Labs solves this challenge by building a call graph of your entire software estate—enabling teams to clearly identify, prioritize, and fix critical risks faster.
Trusted by companies that are one or one hundred years old, Endor Labs secures code whether it was written by humans or AI, and whether it's 40-year-old C++ code or cutting-edge Bazel monorepos. Endor Labs was founded by serial entrepreneurs Varun Badhwar and Dimitri Stiliadis, and is backed by leading VC firms such as Dell Technology Capital, Lightspeed, and Sierra Ventures.
What You’ll Do
- The primary tasks of this position relate to the broad field of software vulnerability research, i.e. the discovery and evaluation of security vulnerabilities in first- and third-party software components. The focus clearly lies on application security, in contrast to network security, cryptography or other security fields.
- Specifically, the tasks comprise the development and extension of SAST rules to further increase the accuracy of our SAST solution and the coverage of programming languages and technologies. Closely related tasks include the development of ground-truth datasets as well as the development and automation of benchmark tooling and infrastructure.
- All of these tasks require close alignment with product development and customer success teams, and include the opportunity to participate in dissemination and communication efforts, e.g. through the writing of blog posts or technical reports/white papers.
What We're Looking For
The following are must-have requirements for job candidates:
- Bachelor's degree in engineering with at least 5 years of experience in application security
- Hands-on experience with SAST triage and result review for different programming languages, working closely with development teams to validate and prioritize findings
- Hands-on experience authoring and tuning SAST rules to improve detection accuracy and reduce false positives
- Deep understanding of software weaknesses and vulnerabilities across programming languages, and related industry standards in the field (CVE, CWE, EPSS, etc.)
- Experience in configuring and operating security tooling (SCA, SAST, etc.), CI/CD scan automation and custom tool development (Go, Java, JS or Python)
Nice To Have
- Understanding of software supply chains and their attack surface
- Publicly reported 0-day vulnerabilities
- Experience in malware detection and analysis
- Security certifications such as OffSec Certified Professional (OSCP) or Certified Ethical Hacker (CEH)
At Endor Labs, We:
- Go to extraordinary lengths to distinguish ourselves through world-class work.
- Prioritize quality over speed, and speed over scope.
- Desire working with deeply kind, mission-driven people.
- Strive to make the complex simple.
- Use first principles to debate ideas, test assumptions, and make decisions.
- Seek the truth by putting data above opinions.
- Assume good intent and give tactical feedback to help each other get better.
- Hold no ego—when our customers win, we all win.
October 11, 2025