Application Security Engineer - Pentester at Veeam Software

<div class="content-intro"><div class="elementToProof"> <p>Veeam is the Data and AI Trust Company, specializing in helping organizations ensure their data and AI are fully understood, secured, and resilient to enable the acceleration of safe AI at scale. As the market leader in both data resilience and data security posture management, Veeam is built for the convergence of identity, data, security, and AI risk. Headquartered in Seattle with offices in more than 30 countries, Veeam protects over 550,000 customers worldwide, who trust Veeam to keep their businesses running. Join us as we go fearlessly forward together, growing, learning, and making a real impact for some of the world’s biggest brands.</p> </div></div><h4>About the Role</h4> <p>As an <strong>Application Security Engineer (Offensive Testing)</strong>, you will lead and perform penetration testing and DAST for <a href="https://www.veeam.com/products/veeam-data-cloud.html">Veeam Data Cloud</a> products. You’ll use Burp Suite and modern web/API testing techniques to find real, exploitable issues, help prioritize risk, and work with engineering teams to drive fixes to completion.</p> <p>You will also improve testing tools and processes, make testing more repeatable, and help teams prevent recurring vulnerabilities—especially around authentication, authorization, session management, and tenant isolation.</p> <h4 id="id-📝JobDescription&amp;JobPostGuidelines-WhatYou’llDo.1">What You’ll Do</h4> <ul> <li>Own offensive testing: plan what to test, how deep to go, and how often; create clear, consistent reports and reusable playbooks</li> <li>Perform manual pentesting (main focus): test web apps and APIs, especially authentication/authorization, multi-tenant boundaries, and critical workflows; chain issues into realistic attack paths</li> <li>Use Burp Suite daily: validate and reproduce findings with advanced Burp features; build and maintain repeatable scopes, macros, and authenticated flows</li> <li>Run and improve DAST: execute and tune authenticated scans, reduce false positives, and work with CI/platform teams to scale scanning and manage credentials</li> <li>Drive remediation: deliver high-quality write-ups, partner with engineers to fix and retest, and help prevent regressions; ensure findings are tracked with the right severity and SLAs</li> <li>Improve security long-term: spot recurring patterns and help teams prevent them through standards, libraries, platform controls, and input to threat modeling/design reviews</li> </ul> <h4 id="id-📝JobDescription&amp;JobPostGuidelines-WhatYou’llDo.1">What You’ll Bring</h4> <ul> <li>Strong web and API pentesting experience, especially in authorization (IDOR/BOLA, privilege escalation, role/tenant boundaries), authentication/session flows (tokens, identity integrations), and common vulnerabilities (injection, SSRF, deserialization, misconfigurations) with practical exploitation skills</li> <li>Advanced Burp Suite skills: manual validation, targeted fuzzing, authenticated testing, and workflow automation (extensions/macros)</li> <li>Experience writing Semgrep rules to detect insecure patterns and improve secure-by-default development</li> <li>DAST experience at scale: running or supporting authenticated scans, tuning coverage, and reducing false positives</li> <li>Clear written communication: concise PoCs and actionable remediation guidance for engineers</li> </ul> <h4 id="id-📝JobDescription&amp;JobPostGuidelines-WhatYou’llDo.1">Bonus Skills</h4> <ul> <li>SaaS multi-tenant security testing experience; OAuth2/OIDC/SAML depth; bug bounty triage; writing custom tooling or Burp extensions</li> </ul> <h4 id="id-📝JobDescription&amp;JobPostGuidelines-WhatYou’llGet.1">What You’ll Get&nbsp;</h4> <ul> <li>25 vacation days, 4 sick days, 21 paid medical leave days, plus 4 extra global VeeaMe Days for self-care and 24 paid volunteer hours annually through Veeam Cares</li> <li class="___ccc16d0 fje8fi8 f1ng9h0j f1bwykku f18jd3zf" data-uuid="edf32eb5-9fd0-4c7c-8978-e79d37007503">Premium private medical insurance for employees and dependents</li> <li class="___ccc16d0 fje8fi8 f1ng9h0j f1bwykku f18jd3zf" data-uuid="9f5cda51-08d8-4760-971e-d9f747f57f7d">Daily meal vouchers for restaurants and groceries (180 CZK per working day)</li> <li class="___ccc16d0 fje8fi8 f1ng9h0j f1bwykku f18jd3zf" data-uuid="378750df-d64d-4338-975e-c9b4064240d2">Flexible cafeteria platform with thousands of lifestyle benefit options</li> <li class="___ccc16d0 fje8fi8 f1ng9h0j f1bwykku f18jd3zf" data-uuid="fab46f32-3a73-4a50-8eab-142b44eb8a92">Multisport Card for gym and wellness, with family add-on options</li> <li class="___ccc16d0 fje8fi8 f1ng9h0j f1bwykku f18jd3zf" data-uuid="e8ec9bf3-2992-4ad0-8128-28f123163245">Annual public transport reimbursement up to a set limit</li> <li class="___ccc16d0 fje8fi8 f1ng9h0j f1bwykku f18jd3zf" data-uuid="0e65f6ac-21e2-4496-a397-aae4bda50c32">Corporate mobile plan with optional family tariff</li> <li class="___ccc16d0 fje8fi8 f1ng9h0j f1bwykku f18jd3zf" data-uuid="6e123908-7b82-4cf6-847f-5cfcbf2d13b2">Opportunities to learn and grow through on-demand libraries (LinkedIn Learning, O’Reilly), mentoring, workshops and learning events like our annual Global Day of Learning</li> </ul> <p><strong><span lang="EN-US">Please note:</span></strong><span lang="EN-US">&nbsp;If the applicant is permanently present outside of the Czech Republic, Veeam reserves the right to refuse to consider the application for a job. Remote job is only possible in case the employee is located in the Czech Republic.</span></p> <p><span lang="EN-US"><span data-teams="true">#LI-GD1</span><br>#Hybrid</span></p><div class="content-conclusion"><div data-pm-slice="1 1 [&quot;ul&quot;,null,&quot;li&quot;,{&quot;style&quot;:null,&quot;checked&quot;:null,&quot;value&quot;:null,&quot;displayValue&quot;:null,&quot;backgroundColor&quot;:null,&quot;color&quot;:null,&quot;listStyleType&quot;:null}]" data-en-clipboard="true"><hr></div> <div data-pm-slice="1 1 [&quot;ul&quot;,null,&quot;li&quot;,{&quot;style&quot;:null,&quot;checked&quot;:null,&quot;value&quot;:null,&quot;displayValue&quot;:null,&quot;backgroundColor&quot;:null,&quot;color&quot;:null,&quot;listStyleType&quot;:null}]" data-en-clipboard="true"><span lang="EN-US" style="font-family: helvetica, arial, sans-serif;"><strong>Veeam Software is an equal opportunity employer</strong> and does not tolerate discrimination in any form on the basis of race, color, religion, gender, age, national origin, citizenship, disability, veteran status or any other classification protected by federal, state or local law. All your information will be kept confidential.</span></div> <div data-pm-slice="1 1 [&quot;ul&quot;,null,&quot;li&quot;,{&quot;style&quot;:null,&quot;checked&quot;:null,&quot;value&quot;:null,&quot;displayValue&quot;:null,&quot;backgroundColor&quot;:null,&quot;color&quot;:null,&quot;listStyleType&quot;:null}]" data-en-clipboard="true"> <p><span style="font-family: helvetica, arial, sans-serif;">Please note that any personal data collected from you during the recruitment process will be processed in accordance with our&nbsp;<a href="https://www.veeam.com/recruiting-privacy-notice.html">Recruiting Privacy Notice</a>. &nbsp;</span></p> <p><span style="font-family: helvetica, arial, sans-serif;">The Privacy Notice sets out the basis on which the personal data collected from you, or that you provide to us, will be processed by us in connection with our recruitment processes.&nbsp;</span></p> <p><span style="font-family: helvetica, arial, sans-serif;">By applying for this position, you consent to the processing of your personal data in accordance with our&nbsp;<a href="https://www.veeam.com/recruiting-privacy-notice.html">Recruiting Privacy Notice</a>.</span><br><br><span style="font-family: helvetica, arial, sans-serif;"><strong>By submitting your application, you acknowledge that the information provided in your job application and any supporting documents is complete and accurate to the best of your knowledge. Any misrepresentation, omission, or falsification of information may result in disqualification from consideration for employment or, if discovered after employment begins, termination of employment.</strong></span></p> </div> <p><a id="app"></a></p></div>