BitGo

Senior Offensive Security Engineer

India Full Time

BitGo is the leading infrastructure provider of digital asset solutions, delivering custody, wallets, staking, trading, financing, and settlement services from regulated cold storage. Since our founding in 2013, we have focused on enabling our clients to securely navigate the digital asset space. With a global presence and multiple Trust companies, BitGo serves thousands of institutions, including many of the industry's top brands, exchanges, and platforms, and millions of retail investors worldwide. As the operational backbone of the digital economy, BitGo handles a significant portion of Bitcoin network transactions and is the world's largest independent digital asset custodian and staking provider. For more information, visit www.bitgo.com.

We are hiring a Senior Offensive Security Engineer to build, run, and mature BitGo's offensive security program end-to-end across AI, Web2, and Web3. This is not a point-in-time pentesting role. You will own program strategy, assessment execution, tooling and automation (including AI-powered offensive agents), reporting, remediation validation, retesting, and continuous improvement, moving BitGo from periodic external tests to a posture of continuous penetration testing.

What You'll Do
  • Own the offensive security program across BitGo's applications, APIs, cloud infrastructure, signing services, wallet-adjacent systems, identity pathways, and AI-enabled workflows.
  • Run deep, hands-on assessments of Web3 and digital asset systems — transaction signing pipelines, MPC/TSS implementations, HSM integrations, multi-party approval workflows, smart-contract-connected services, and chain-facing infrastructure.
  • Lead offensive testing of AI and agentic systems — prompt injection, unsafe tool use, data leakage, agentic identity/credential abuse, LLM routing flaws, and the OWASP Top 10 for LLM Applications.
  • Build continuous automated validation pipelines that run 24/7, leveraging autonomous AI agents for breadth while you focus on depth, creative adversary simulation, and novel attack chains.
  • Integrate offensive testing into CI/CD so every significant deployment to critical systems is validated before it reaches production.
  • Run purple-team exercises simulating nation-state TTPs and insider-threat scenarios, and progress from transparent to semi-stealth to full red team operations as the program matures.
  • Drive remediation and retesting with Engineering, AppSec, Cloud Security, Detection Engineering, and SecOps, and translate recurring finding patterns into durable architectural improvements.
  • Serve as the internal expert on offensive risk in launch reviews, design reviews, and strategic initiatives, with authority to hold launches pending security validation of critical systems.
What We're Looking For
  • 5+ years in offensive security, red teaming, advanced penetration testing, adversary simulation, or security research in modern production environments. We will consider less with an exceptional track record (published CVEs, top bug bounty results, CTF rankings, Code4rena/Sherlock audit placements, Black Hat / DEF CON / DARPA research).
  • Proven experience building or materially maturing an internal offensive security program — defining methodology, building tooling, and driving strategy — not just executing assessments.
  • Digital asset security depth or strong demonstrated aptitude — custody infrastructure, transaction signing systems, wallet security, key management, MPC/TSS, or blockchain security research.
  • Strong software engineering capability in Python, Go, TypeScript, or similar, including building custom offensive tooling.
  • Cloud-native fluency across AWS, containers, Kubernetes, IAM, secrets management, and CI/CD security.
  • Clear, credible written and verbal communication with engineers and senior leadership, with high judgment and a bias toward reducing real-world risk.
Strongly Preferred
  • OSCP, OSWE, OSEP, GPEN, CPTS, or equivalent practical capability.
  • Experience assessing AI / agentic systems; proficiency with PyRIT, Garak, Promptfoo, or similar.
  • Experience building or deploying autonomous AI agents for offensive testing.
  • Browser security, modern web exploitation, exploit development, or reverse engineering background.
  • Open-source security contributions, published research, or conference talks (Black Hat, DEF CON, blockchain security venues).
  • Background in high-assurance financial, fintech, or regulated environments.
Why This Role

This is a career-defining opportunity. You will build an offensive security program from scratch at one of the most critical infrastructure providers in digital assets, with a direct line to the Deputy CISO, visibility to the CEO, and a path to leading a growing team during the most significant security transformation this industry has seen in a decade.

Why Join BitGo?

Disrupting an industry takes vision, innovation, passion, technical chops, drive to deliver, collaboration, and execution. Join a team of great people who strive for excellence and personify our corporate values of open communication, collaboration, accountability, craftsmanship, and a client-first approach. We are looking for new colleagues who bring innovative ways of thinking and problem solving, and who want to be part of the team that changes the world's financial markets.

Here are some of the benefits of working at BitGo:

  • Competitive salary
  • IT equipment support for work
  • Meal & Commute allowance
  • Medical Insurance
  • Attractive well-being allowance (covering medical, wellness, and fitness expenses)
  • Snacks: on-the-house in the Bangalore office
  • A talented workforce to learn and grow with

Note: This role requires working onsite (Monday to Friday) at the Bangalore office.

Cryptocurrencies are the most disruptive change the financial services industry has seen in years. Join us and you’ll be able to look back and say you were part of the team that transformed finance.