Senior Security Research Engineer

📍 World
USD 70,000-170,000 per year
SENIOR
✅ Remote

Required Skills & Competences

Security @ 4 Hiring @ 4 PHP @ 4 Debugging @ 4 Reporting @ 4 WordPress @ 4 AI @ 4

Details

WP Cloud powers WordPress at scale, and security is a critical part of that foundation. We’re expanding our security team to support WP Cloud, while also contributing to the protection and intelligence provided by WPScan and Jetpack Protect. As a Security Researcher, you will analyze vulnerable and malicious code, track emerging threats, and help build the tools and processes that detect, prevent, and remediate malware and other security issues across the WordPress ecosystem. If you have a knack for solving puzzles and a passion for documenting and operationalizing solutions, this is a great opportunity to make a broad impact.

Responsibilities

  • Analyze vulnerable and malicious code across the WordPress ecosystem.
  • Track emerging threats and adversary techniques relevant to WordPress sites and plugins.
  • Build tools and processes to detect, prevent, and remediate malware and other security issues.
  • Participate in code reviews and architecture/design discussions related to security.
  • Document findings and operationalize solutions so detection and remediation can scale.
  • Use AI tools effectively to accelerate analysis and improve solution quality.
  • Travel 2–3 weeks per year to meet teammates in person as needed.

Requirements

  • At least 3 years of experience as a security researcher, or equivalent experience investigating vulnerabilities, malware, or other threats.
  • Solid understanding of threat models, security threats, vulnerabilities, and common attack vectors such as XSS, injection, hijacking, and social engineering, along with mitigations.
  • Experience with PHP and exposure to software engineering practices.
  • Highly collaborative; comfortable participating in code reviews and discussions about architecture or design.
  • Strong ability to use AI tools effectively to accelerate work and improve analysis.
  • Willingness and ability to travel 2–3 weeks per year.

Extra credit

  • Experience with penetration testing and associated tools.
  • Previous experience with malware detection systems.
  • Past vulnerability reporting/disclosure experience.
  • Familiarity with WordPress file and database structures.
  • Experience writing and debugging WordPress plugins and themes.

Compensation and Benefits

  • Salary range: $70,000–$170,000 USD (global ranges; paid in local currency).
  • Fully remote company, open vacation policy.
  • Personal development budget and encouragement to grow skills through courses, books, and conferences.
  • Additional benefits vary by country (refer to company Benefits Page).

About the Company

Automattic is a distributed company behind WordPress.com, WooCommerce, Jetpack, Tumblr, and other products. The company emphasizes open source, accessibility, diversity, and distributed remote work. Automattic provides detailed information about compensation philosophy, benefits by country, hiring process, and expectations on its public pages. Applicants can track application status via MyGreenhouse.