Security Engineer (Redteam) at Coinhako. Location: Vietnam; On-site.
- Source freshness: checked by JobGrid on 2026-05-28.
Are you ready to be the first line of offense for one of the fastest-growing companies in the Cryptocurrency and Blockchain space? We're looking for an experienced Security Engineer (Red Team) to think like an adversary, break things before attackers do, and help us build a platform our users can trust with their assets.
In crypto, every vulnerability has an immediate, irreversible dollar value attached. That's the bar you'll be operating at.
What you'll be doing:
Plan and execute offensive security engagements across our web, mobile, API, and microservice surfaces, as well as cloud infrastructure and internal systems.
Perform in-depth application security assessments and penetration tests, with a focus on the attack paths that matter most in a crypto/fintech context: authentication and session handling, wallet and key management flows, transaction integrity, withdrawal and KYC bypasses, business logic abuse, and privilege escalation.
Threat model new and existing products from an attacker's perspective — including custody flows, trading engines, on-chain integrations, and partner/third-party data exchanges — and turn abstract risks into concrete, testable abuse cases.
Conduct manual secure code review on production codebases to find vulnerabilities that scanners miss, with particular attention to financial logic, race conditions, and trust-boundary violations.
Build tooling: write robust scripts, automate offensive workflows, and create frameworks that scale red team coverage across a fast-moving codebase.
Partner closely with Engineering, DevOps, Product, and external partners to triage findings, design remediations, and embed security earlier in the SDLC.
Research emerging threats in Web3, mobile, and cloud — new exploitation techniques, smart contract attack patterns, DeFi exploits, supply chain attacks — and translate them into proactive testing methodologies before they hit production.
Produce clear, prioritized reports and recommendations that articulate technical findings, business impact, and remediation paths to both engineers and executives.
Provide technical support during incident response and forensic analysis of compromised systems, contributing red team perspective on attacker tradecraft and evasion.
Help shape the practices, playbooks, and documentation that define how red teaming is done here as the function matures.
What we're looking for:
2 - 3+ years of hands-on experience in offensive security, penetration testing, or red teaming, with demonstrated depth in web and mobile application security.
Degree in Computer Science, Information Systems, Engineering, or equivalent practical experience.
Strong fundamentals in offensive security, application security, and security engineering.
Proven ability to perform manual secure code review on real production codebases across unfamiliar stacks.
Strong familiarity with Linux and cloud ecosystems, especially AWS.
Proficiency with industry-standard tooling: Burp Suite, intercepting proxies, fuzzers, and the broader pentester's toolkit.
Working knowledge of OWASP (Top 10, ASVS, MASVS), CWE, and modern appsec frameworks.
A builder's mindset — comfortable scripting and automating in Python, Go, or similar to scale your own work.
Strong intuition for trust boundaries and risk assessment in fast-moving, high-stakes environments.
Outstanding written and verbal communication in English — the ability to distill technical nuance into narratives that drive engineering and business change.
A collaborative spirit, eager to work alongside engineers, researchers, and product teams to embed security into every phase of development.
Strong interest in Cryptocurrency, Blockchain, Fintech, or Finance/Trading — you follow the space, understand why it's a uniquely hostile threat environment, and want to defend it.
Willingness to take overnight shifts when engagements or incidents require it.
Proficient in English communication skills.
Advanced understanding and/or experience working in a Cryptocurrency/Blockchain/Fintech/Finance Trading domain preferred.
Nice to have:
Hands-on experience in a Cryptocurrency, Blockchain, Fintech, or Trading environment, including familiarity with custody models, exchange architecture, or smart contract security (Solidity/EVM, common DeFi attack patterns).
Experience with red team exercises, APT simulations, and adversary emulation using frameworks like MITRE ATT&CK.
Experience pentesting across heterogeneous stacks — backend services, cloud-native environments, mobile (iOS/Android), and Web3.
Familiarity with Agile SDLC, DevSecOps practices, and CI/CD security.
Exposure to Ruby on Rails or other languages prominent in our stack.
Working knowledge of relevant regulations (e.g., GDPR, CCPA, MAS, financial compliance) and how they map to technical controls.
Visible contributions to the community: public research, conference talks, blog posts, CVEs, OSS security tooling, or a strong bug bounty track record on HackerOne, Bugcrowd, Intigriti, YesWeHack or similar.
Preferred certifications: OSCP, OSWE, OSCE3, HTB CWES/CWEE, or equivalent.
What’s in it for you:
MacBook or high-end laptop for work.
Full coverage of social insurance.
Premium health care for you and your family members.
Full 100% salary during probationary period.
Working in a professional, friendly, well-equipped workspace with both foreigners and Vietnamese.
Extensive on-the-job training; you will always have chances to work with new and emerging technologies.
Friendly and fun start-up work culture.
Find out more about Coinhako here https://www.coinhako.com/ and don't forget to visit our Careers Page https://www.coinhako.com/join-us
By submitting your application to us, you consent to the collection, use, disclosure and processing of your personal data in accordance with our privacy policy, which is accessible at https://www.coinhako.com/legal/sg-1/privacy_policy.