Senior Application Security Engineer (Offensive / Red Team)

Senior Application Security Engineer (Offensive / Red Team)

At Shutterfly, we make life's experiences unforgettable. We believe there is extraordinary power in the self-expression. That's why our family of brands helps customers create products and capture moments that reflect who they uniquely are.

This is an exciting time for Shutterfly, and we are looking for a Senior Application Security Engineer (Offensive / Red Team) to join our team. In this role you will help shape an evolving offensive security practice, leading Red Team engagements against Shutterfly's critical applications while partnering closely with our Blue Team throughout each engagement to produce Purple Team outcomes — stronger detections, faster response, and measurably improved defenses. We're looking for someone who is as passionate about uncovering and exploiting a vulnerability as they are about working alongside defenders to make sure it can be detected, contained, and remediated. Just as important, you'll partner with developers and engineering teams to educate them on how to prevent and avoid vulnerabilities in the first place, and guide them on how to fix issues once identified. Your focus will be on building an offensive security capability that strengthens the entire security program, with collaboration between offense, defense, and engineering at its core. Note: We are unable to provide any visa sponsorship for this position at this time.

What You'll Do Here:

• Red Team Operations: Plan and lead offensive engagements against Shutterfly's applications and supporting infrastructure using established offensive and testing techniques — manual web penetration testing, exploitation, fuzzing, and adversary emulation supported by industry-standard offensive tooling — and coordinate with third-party testers when engagements call for it.
• Purple Team Collaboration: Work hand-in-hand with the Blue Team throughout every engagement. Share tactics, techniques, and procedures in real time, validate and improve detection and alerting coverage, run collaborative exercises, and convert offensive findings into concrete defensive improvements.
• AI-Driven Offensive Security: Augment conventional offensive techniques with AI and LLM-based tooling to accelerate and extend offensive and testing work — reconnaissance, payload and test-case generation, code and configuration review, and exploitation.
• Maintain a working understanding of how threat actors are weaponizing AI, and fold that knowledge into engagements and defensive recommendations to keep pace with a rapidly changing threat landscape.
• Bug Bounty Program Management: Manage the bug bounty program end to end — triage, impact assessment, risk scoring (CVSS), locating vulnerable code, providing mitigation guidance, thorough re-testing, and refining program policy and scope as needed.
• Vulnerability Management: Identify, triage, and drive remediation of application vulnerabilities through manual testing and exploitation, escalating systemic issues to the appropriate engineering teams.
• Threat Modeling & Risk Assessment: Lead threat modeling exercises and perform risk assessments for new and existing applications, using offensive insight to prioritize the risks that matter most.
• Incident Response: Collaborate with incident response and Blue Team partners to investigate application-related security incidents, applying offensive expertise to scope, reproduce, and understand attacker activity.
• Secure SDLC: Help define and reinforce secure development practices, including code reviews and integration of security checks into the CI/CD pipeline.
• Code Review: Perform and lead security reviews of critical PRs and code changes, and review code in most major languages.
• Security Architecture & Design: Partner with engineering and architecture teams to advise on secure systems and applications design, ensuring security is built in from the ground up.
• Subject Matter Expertise: Serve as a top technical resource to engineers across the organization. Help them reproduce vulnerabilities, understand impact, document issues, and validate the effectiveness of fixes.
• Mentorship & Leadership: Mentor junior security engineers and developers on offensive techniques, secure coding practices, and security principles. Build relationships with stakeholders and business leaders across the organization.
• Cross-Functional Collaboration: Work closely with product, engineering, DevOps, defensive security, and compliance teams to align security with business goals.
• Continuous Improvement: Maintain up-to-date knowledge of relevant offensive techniques, threats, mitigations, security best practices, and the evolving role of AI in both offensive operations and adversary activity.
• Security Tooling: Make effective use of the existing security tooling stack (e.g., SAST, SCA, DAST, IAST) to support offensive and defensive work.

Required Qualifications:

• Bachelor's degree in computer science, cybersecurity, or a related technical field, or comparable hands-on experience in lieu of a degree.
• Demonstrated experience leading or performing offensive security work, such as web application penetration testing or Red Team engagements, with hands-on proficiency in conventional offensive and testing techniques and industry-standard offensive tooling. Hands-on experience using AI/LLM tools for offensive security or testing, with an understanding of how threat actors are leveraging AI in a rapidly evolving threat landscape.
• Proficient in one modern programming language (preferably Java) and able to review code in most major languages.
• Strong analytical and problem-solving abilities with a risk-based security approach.
• Advanced user of Burp Suite Pro; bonus if you have created custom extensions in Java or Python or have used or modified existing extensions.
• Excellent communication and collaboration skills, with the ability to work across offensive and defensive teams, IT, engineering, and business stakeholders.

Preferred Qualifications:

• Experience running Purple Team exercises or otherwise collaborating directly with defensive/Blue Team functions to improve detection and response.
• Full stack web development experience within an active security program.
• Experience managing a bug bounty program.
• A security certification that demonstrates proficiency in offensive security, network/web/mobile/AD assessments, secure coding, and professional report creation (for example: OSCP, OSEP, CRTO, OSWA, OSWE, GWAPT, GWEB).
• Submitted reports to bug bounty programs or VDPs, and you've found a CVE along the way.
• Strong command-line and scripting skills (bash, zsh, Python) on Linux and Mac.
• Enjoy attending security conferences and occasionally participate in CTFs.
• Spend time on cyber security training platforms (HackTheBox, TryHackMe).
• Have worked with engineering teams to develop secure code libraries.
• Capable of rapidly learning and integrating emerging tools and platforms with minimal supervision.

Supporting a diverse and inclusive workforce is important to Shutterfly not only because it directly reflects our value of Embracing our Differences, but also because it's the right thing to do for our business and for our people. We welcome all applicants and evaluate them based on their qualifications. Learn more about our commitment to Diversity, Equity, and Inclusion on our Career Site.

The compensation package for this role is based on multiple factors, such as job level, responsibilities, location, and candidate experience. The base pay ranges included below are specific to the locations listed, and may not be applicable to other locations.

California : [$128,000-181,250]

Connecticut and New York: [$128,000-165,750]

Colorado, Illinois, Minnesota and Washington: [$128,000-153,000]

Nevada: [$120,250-165,750]

Maryland and New Jersey: [$138,250-165,750]

Hawaii : [$120,250-144,750]

This position may be eligible for a bonus incentive, health benefits, a 401K program, and other employee perks. More details about our company benefits can be found at

This opportunity can be remote, but candidates must reside in a state in which Shutterfly is registered to do business. This includes all US states except District of Columbia, North Dakota, Mississippi, Rhode Island, Vermont, and Wyoming.

This position will accept applications on an ongoing basis until filled.

#SFLYTechnology