Join Security Impossible as an Offensive Security Engineer to design and execute end-to-end attack scenarios, research vulnerabilities, and build hands-on cyber training environments. This role requires hands-on experience with web application exploitation, Active Directory attacks, and network reconnaissance. You will work in a fully remote environment with a small team and have opportunities for real growth and direct impact.
Job Description
About Us
Security Impossible is a Melbourne-based cybersecurity company. We build hands-on cyber training environments used by educational institutions and professional teams.
The Role
We are hiring an Offensive Security Engineer to join our team. This is a hands-on offensive role — you will spend your days researching, exploiting, and engineering vulnerable environments. You will design real attack scenarios from the ground up: studying vulnerabilities, building target systems, executing exploits end-to-end, and producing the artefacts that come out of that work.
If you enjoy the technical side of red team work — figuring out how things break, building proof-of-concept exploits, breaking into Active Directory environments, exploiting web applications — this role lets you do that across a wide range of domains, full-time.
What You Will Be Doing
- Researching vulnerabilities and attack techniques across web applications, Active Directory, network infrastructure, and emerging domains
- Building vulnerable target environments using Docker, virtual machines, and lab orchestration
- Designing and executing end-to-end attack scenarios — from initial access through privilege escalation, lateral movement, and impact
- Documenting your work in clear technical writing — methodology, exploitation steps, and remediation
- Validating that everything you build works reliably and consistently
- Occasionally supporting client cyber drill events and red/blue team training sessions
- Continuously learning new offensive areas as the work demands
What You Need
Practical, demonstrated skill matters more to us than certifications. You should have hands-on experience with most of the following:
- Web application exploitation — Burp Suite, OWASP ZAP, OWASP Top 10. You can identify and exploit SQL injection, XSS, IDOR, file upload vulnerabilities, SSRF, and similar without a walkthrough.
- Active Directory attacks — BloodHound, Rubeus, Mimikatz, Impacket. You understand Kerberos attacks (Kerberoasting, AS-REP Roasting), Pass-the-Hash, and lateral movement.
- Privilege escalation on both Windows and Linux — you know what WinPEAS and LinPEAS produce and you can interpret their output. You have exploited unquoted service paths, SUID misconfigurations, sudo issues, and weak file permissions.
- Network reconnaissance and exploitation — Nmap, Netcat, basic Metasploit. You can enumerate a network and identify entry points.
- Linux and Windows command-line proficiency
- Docker — building images, writing Dockerfiles, multi-container setups with Docker Compose
- Scripting — at least one of Python, PowerShell, or Bash
You should also be:
- Genuinely curious about offensive security — you read security research, watch conference talks, try new techniques
- Able to communicate technical work clearly in writing
- Willing to learn unfamiliar topics quickly — we will sometimes ask you to work in areas you have not explored before
- Methodical — when you build something, every step needs to actually work
- Self-managing — this is a remote role and we expect you to organise your own work
Certifications
We do not require any specific certification. Practical demonstrated skill matters more to us. That said, certifications that signal genuine offensive capability and would strengthen an application include PNPT, CRTP, eJPT, eCPPT, CompTIA PenTest+, and similar offensive-focused credentials.
Note: Certifications are signals, not proof. Someone with no certifications who can demonstrate solid skill will be preferred over someone who lists certifications but cannot apply them. We will assess what you actually know.
Nice to Have
- Background in technical writing, training delivery, or curriculum design
- Familiarity with the MITRE ATT&CK framework
- Cloud security exposure (AWS or Azure misconfiguration testing)
- Experience with malware analysis tools (Volatility, FLOSS, PEStudio)
- Bug bounty experience or public security research
What We Offer
- Fully remote work — output matters, location does not
- Genuine variety — every few weeks you will be working on something different
- Real growth — we work across the breadth of cybersecurity and you will learn rapidly
- Direct impact — your work is used by real practitioners
- Small team, low bureaucracy — minimal process, maximum doing