Job Responsibilities
- Pre-Sales Engagement Support — Assist the sales and business development teams during pre-sales activities for penetration testing engagements, including scoping discussions, effort estimation, technical proposal preparation, and client consultation calls.
- Client Web Application Penetration Testing — Plan, execute, and deliver comprehensive penetration testing engagements on client web applications, identifying vulnerabilities, validating exploitability, and providing clear remediation guidance through professional reports.
- Multi-Methodology Security Testing — Perform black-box, gray-box, and white-box penetration testing across a range of targets, including:
  - Web applications
  - RESTful and GraphQL APIs
  - Mobile applications on Android and iOS (optional, based on project needs)
- Vulnerability Identification & Validation — Discover, exploit, and document security weaknesses aligned with industry-standard frameworks such as the OWASP Top 10, OWASP API Security Top 10, and OWASP Mobile Top 10.
- Remediation & Re-Testing Support — Collaborate closely with development and DevSecOps teams throughout the remediation lifecycle, providing technical guidance, validating fixes, and conducting re-tests to confirm vulnerabilities have been properly resolved.
- Creative & Adversarial Thinking — Go beyond traditional testing checklists by adopting an attacker's mindset — exploring business logic flaws, chained exploits, and unconventional attack paths that automated tools and standard methodologies often miss.
- Research & Internal Enablement — Actively track emerging threats, newly disclosed CVEs, and evolving attack techniques across web and mobile ecosystems, and apply those insights to continuously improve Brainstation-23's internal penetration testing playbooks, methodologies, and checklists.
Requirements
- Hands-On Offensive Security Experience — 2–4 years of professional penetration testing experience covering web applications, RESTful/GraphQL APIs, and ideally mobile platforms (Android/iOS), with practical command of black-box, gray-box, and white-box methodologies and deep familiarity with the OWASP Top 10, OWASP API Top 10, and OWASP Mobile Top 10.
- Technical Toolkit & Scripting — Proficiency with industry-standard tools such as Burp Suite Pro, OWASP ZAP, Postman, Frida, MobSF, and Nmap, combined with scripting ability in Python, Bash, or JavaScript for custom payloads, exploit development, and automation. Solid grasp of core networking and web protocols (TCP/IP, DNS, HTTP/HTTPS, TLS).
- Reporting, Collaboration & Pre-Sales Support — Ability to produce clear, professional penetration test reports with accurate risk ratings and actionable remediation guidance, while collaborating effectively with development and DevSecOps teams during remediation and re-testing. Comfortable supporting pre-sales activities including scoping, effort estimation, and technical proposal input.
- Adversarial Mindset & Continuous Learning — Demonstrated ability to think beyond checklists — chaining vulnerabilities, identifying business logic flaws, and uncovering issues automated scanners miss — paired with a genuine passion for staying current with emerging threats, newly disclosed CVEs, and evolving attack techniques across web and mobile ecosystems.
Candidate Pathways (Important)
We evaluate candidates through two distinct pathways. Meeting the criteria in either pathway demonstrates the depth of skill we're looking for.
Type I
For candidates who demonstrate strong offensive security credentials and proven research ability.
- OSCP (Offensive Security Certified Professional) certification
- An active and strong Hack The Box profile showcasing consistent performance
- CPTS (Certified Penetration Testing Specialist) from Hack The Box is considered a valid alternative to OSCP
- CRT (CREST Registered Tester) or relevant certifications are also recognized
Type II
For candidates with real-world bug hunting experience and a security researcher mindset.
- An active HackerOne profile with demonstrated bug bounty findings and reputation
- Published CVE(s) demonstrating original vulnerability research
- Strong source code review skills — ability to identify vulnerabilities through manual code auditing across multiple languages
If you fit either of the two types, please specify which one.
Mobile Security Pathway (For Mobile-Focused Applicants)
Candidates applying specifically for mobile penetration testing should hold the following:
- CAPT (Certified Android Penetration Tester) from Mobile Hacking Lab
- CIPT (Certified iOS Penetration Tester) from Mobile Hacking Lab
- CMSE (Certified Mobile Security Expert) from 8kSec is accepted as an alternative
Certification Verification & Preparation Documentation
To maintain the integrity of our hiring process and ensure fairness to all applicants, Brainstation-23 takes certification validation seriously. We have observed cases across the industry where certifications are proxy-passed, forged, or otherwise misrepresented, and we are committed to verifying that every credential reflects the candidate's own genuine effort and knowledge.
What We Require From Candidates
- Verifiable Certification Records — Provide official verification links, credential IDs, or digital badges for every certification listed on your resume. Screenshots alone will not be accepted.
- Preparation Journey Document — Submit a short write-up (1–3 pages) outlining your preparation path for each major certification claimed. This should include:
  - Practice platforms (HTB, TryHackMe, PortSwigger Web Security Academy, PentesterLab, VulnHub, etc.) and notable boxes/labs completed
  - Key challenges faced and how you overcame them
  - Personal notes, blog posts, GitHub repos, or write-ups created during preparation (if any)
- Public Footprint — Where possible, share links to your Hack The Box, TryHackMe, HackerOne, Bugcrowd, GitHub, or personal blog profiles that reflect ongoing engagement with the craft.
Zero-Tolerance Policy
Any candidate found to have submitted forged certificates, proxy-passed exams, plagiarized write-ups, or misrepresented credentials will be immediately disqualified and permanently blacklisted from future opportunities at Brainstation-23.
Certifications Not Accepted
Certifications from the following providers will not be considered as qualifying credentials for this role:
- eLearnSecurity (eJPT, eWPT, eMAPT, etc.)
- EC-Council (CEH, CPENT, LPT, etc.)
- CompTIA (Security+, PenTest+, etc.)
- CWL Certifications (CRTA, CRT-ID, etc.)