Show more filters
Banner image for Deriv

Senior Offensive Security Engineer

Deriv

3.3
9 reviews
Deriv
Job Type   /   Job Level
Full-time   /   Senior Executive
Company Location
Malaysia
We're not hiring a security engineer to keep up with threats. We're hiring someone to make threats irrelevant before they become incidents.

We're looking for a Red Team Lead/Operator who thinks like an adversary, not an auditor. Someone who continuously emulates real-world attackers, challenges assumptions, and exposes the gaps that automated defenses miss. You'll lead offensive security operations across our infrastructure, applications, cloud, and people - turning every engagement into detections, automation, and resilience. The goal isn't to prove we can be breached. It's to make the platform smarter with every attack.

Why This Matters

Deriv's mission is Trading for Anyone, Anywhere, Anytime. Millions of traders across the globe, around the clock, across regulatory environments. At this scale, a misconfigured WAF rule or undetected lateral movement isn't a technical inconvenience - it's a trader's funds at risk and a regulator on the phone.

Our Security Operations team isn't defending a perimeter. We're protecting a living, distributed system that processes transactions 24/7. When the threat surface never sleeps, your detection and response capabilities can't either - which is exactly why we're embedding AI and automation at every layer of the security stack.

The Challenge

$600B moves through this platform every month. That kind of scale attracts real adversaries: state-sponsored crews, financially motivated groups, insiders. Not hypothetical threat models, actual ones, actively working against us.

That's the environment. Not a lab. Not a CTF. A live financial platform under real pressure, defended by a security org that runs its own incident response instead of reading about breaches in the news.

We need someone who can operate like the people already trying to get in. Full kill chain, no shortcuts, no "we found SQLi and called it a day" energy.

If your idea of a challenging week is a scoped web app pentest with a checklist, this isn't for you. If you want to run against cloud, identity, source code, and now AI agents with tool access and memory, keep reading.

Why Deriv

We already run our own incident response and purple-team our findings straight into detections, not a compliance exercise, an active discipline with real fallout when it's wrong. Our security org is starting to red-team AI agents with tool access and memory, work most companies haven't figured out how to even scope yet. You'll get hands-on production experience that would take far longer to accumulate at a single-product company.

We share what we learn. Deriv is where we write about what we're building, what breaks, and what we figure out the hard way.

What You’ll Do

  • Plan and execute full-kill-chain red team engagements: initial access, privilege escalation, lateral movement, persistence, and objective completion, mapped to MITRE ATT&CK
  • Design and run social engineering and physical/insider threat simulations, informed by real-world TTPs
  • Attack cloud environments, Kubernetes, and CI/CD pipelines, identifying misconfigurations and privilege escalation paths before real attackers do
  • Conduct source code analysis and application-layer exploitation against trading, payments, and internal platforms
  • Red-team our AI agent stack: prompt injection, tool-calling abuse, agent-to-agent trust boundaries, and credential exposure in agentic workflows
  • Build and maintain custom tooling, C2 infrastructure, and payloads that evade modern detection stacks
  • Write engagement reports and executive summaries that lead to actual remediation, not shelf-ware
  • Partner with SOC and Threat Hunting to run purple-team exercises, closing detection gaps you exploited
  • Mentor L1/L2 operators and contribute to the offensive security capability roadmap


Who You Are

  • 6+ years doing actual offensive security. Full-scope red team, not a string of scoped pentests
  • OSCP required. OSCE, OSEP, OSED, CRTO or equivalent adversary simulation cert gets you a real look
  • Real depth in at least three of: internal AD/network exploitation, cloud attack paths (AWS/GCP), web/API exploitation, custom C2 development, social engineering/physical, mobile
  • You can write your own tooling and implants in Python, Go, or Rust. Not just running Cobalt Strike out of the box
  • You've operated against modern EDR-instrumented environments and know what it actually takes to not get caught
  • You understand blast radius in a regulated fintech and know how to break things without breaking the business
  • You can write a report that gets fixed, not filed


The Honest Reality

You'll sit inside a Security & AI Engineering org that treats offensive security as a real discipline, not a line item for the compliance audit.

You'll work across Dubai and Malaysia with a team that runs actual incident response, not tabletop exercises with fake scenarios.

You'll have a direct line from finding a hole to it getting closed, and room to build the tooling and run the engagements that shape how we red-team the AI agents everyone else is still figuring out how to even think about.
Jobs in Malaysia   »   Jobs in Cyberjaya, Selangor, Malaysia   »   Senior Offensive Security Engineer

More jobs