IOActive, Inc.
Senior Security Consultant, Application Security

How your CV stacks up
Upload your CV to see how well it fits this job role
?%
About the Role The Senior Consultant, Application Security is a senior technical practitioner in IOActive's Application Security practice, with secure code review as the central specialty.[AM1] [AM2] The role centers on deep manual code audit work across web and systems languages, paired with application penetration testing, threat modeling, and Secure Development Lifecycle (SDLC) advisory engagements. Code review engagements at IOActive span the full landscape: source code reviews on production codebases for enterprise web applications, mobile backends, embedded systems, and cryptographic implementations; application penetration testing against web, API, and mobile targets; threat modeling for new product designs; and SDLC advisory work helping clients integrate security into their development processes. The Senior Consultant brings particular depth in code review and broad competence across the adjacent work.
What You'll Do Engagement Delivery — Code Review (primary, ~50–60%) Lead manual source code reviews on complex production codebases spanning web applications, mobile backends, APIs, and embedded systems Identify vulnerability classes ranging from common (injection, authentication and authorization flaws, SSRF, XSS, deserialization) to nuanced (race conditions, deserialization gadgets, cryptographic implementation flaws, business logic vulnerabilities, architectural weaknesses) Author findings reports that developers can act on: clear remediation guidance, working proof-of-concepts where appropriate, and architectural recommendations beyond the immediate fix Lead client developer workshops to explain findings and patterns, helping teams build security resilience rather than just fixing the listed issues Engagement Delivery — Adjacent Application Security Wor Application penetration testing across web, API, and mobile targets, particularly where engagements span code review and dynamic testing Threat modeling on new product designs and existing systems using STRIDE, attack trees, or equivalent frameworks Secure design reviews of architecture, authentication systems, cryptographic implementations, and inter-service communicatio SDLC advisory engagements: helping clients integrate code review, threat modeling, and security testing into their development lifecycle (CI/CD, pull-request workflows, developer training) Client Engagement Serve as the senior technical voice in engagement status meetings, client workshops, technical deep-dives, and developer training sessions Build trusted technical relationships with client engineering leadership, AppSec teams, and security architects Translate technical findings for two distinct audiences: developers who need to fix the issue, and security leadership who need to understand the business risk and pattern Support pre-sales conversations with technical credibility — scoping calls, capability discussions, and proposal input Practice Contribution and Mentorship Mentor junior and mid-level consultants in code review methodology, vulnerability research, and client engagement — even without direct reporting authority Contribute to IOActive's code review playbooks, tooling, methodologies, and report templates Identify opportunities to extend IOActive's AppSec capability — new tooling, target stacks, research directions, or service offerings Collaborate with adjacent practices (Red Team, Hardware/Silicon, Advisory) on composite engagements Research and Market Presence Contribute to IOActive's application security research — vulnerability discovery, novel attack techniques, framework- or platform-specific findings Build personal profile in the application security community: conference talks (Black Hat, DEF CON, OWASP Global, BSides, regional AppSec events), published research, working group participation Represent IOActive in AppSec industry conversations, OSS security efforts, and customer advisory engagements as opportunities arise
Reasons to use Rodeo
I’m in my final year doing Economics and I don’t know whether to apply for grad schemes now or do a masters first. What do you think?
Honest answer — it depends on where you want to end up. A lot of top grad schemes (Big 4, civil service, banking) don’t need a masters. Let’s look at the ones you’d be competitive for now, and we can decide if a masters actually adds anything.
Also worth knowing: most autumn 2026 applications are open now. Timing matters more than you think.
Start with a chat, not a search bar
Grad scheme, placement, apprenticeship? Not sure what you want yet — that's fine. Your agent talks it through with you and turns "I have no idea" into a shortlist.
Graduate Consultant — 2026 Scheme
Why you're a good match
StrongYour economics background and your summer at a regional bank line up with what PwC looks for on the consulting scheme. Applications close in four weeks.
See breakdownIt searches the market for you
Every day your agent scans the market matching roles against what actually matters to you, not just keywords on a CV.
Why you're a good match
You’ve got the grades and the economics background, and your bank internship is exactly the experience this scheme looks for. Apply soon — deadlines close within the month.
Experience fit
Your summer at the bank plus your econometrics coursework map directly to the day-one responsibilities on this scheme — client modelling, market briefings, and deal support.
Only hits
No noise. No "maybe this fits." Just roles with a clear explanation of why they're right — and where to focus when applying.
What You'll Bring Experience and Background 5+ years in offensive security services, with at least 2–3 years focused on application security and source code review Hands-on engagement delivery across multiple AppSec disciplines — code review, application penetration testing, threat modeling, or SDLC consulting Deep code review expertise in at least two of: JavaScript / TypeScript (Node.js, modern frontends), Python (Django, Flask, FastAPI), Java (Spring, J2EE), C# / .NET (ASP.NET, Core), C / C++, Rust, GoLang. Working competence in additional languages a strong plus. Working knowledge of common framework patterns, ORM behavior, authentication and authorization libraries, cryptographic libraries, and the security pitfalls particular to each Familiarity with vulnerability classes Nice to have - Familiarity with relevant standards and frameworks: OWASP ASVS, NIST SSDF, BSIMM, SAMM[AM3] [AM4] Capabilities Strong technical credibility and the comfort to operate as the senior voice on engagements Excellent written communication — you produce reports that developers act on rather than file Strong verbal communication, with the ability to both present as a subject matter expert in technical discussions and deliver complex concepts, results, etc. to a general audience Comfort moving between languages and stacks — specialists who insist on a single technology stack don't fit this role Collaborative mindset — AppSec engagements typically involve close coordination with delivery teams and client developers Genuine curiosity about how systems work, and patience for reading code carefully — code review consultants who succeed at IOActive are the ones who find the work interesting rather than tedious Credentials Relevant bachelor's degree or equivalent experience Relevant industry certifications strongly preferred: OSCP, OSWE, GWAPT, CSSLP, GWEB, or equivalent application-security focused credentials What We Offer 🎯 A chance to work with an industry leader in cyber security 💡 Access to world-class technical teams and research 🏆 A high-energy, collaborative team that values innovation 💻 Flexibility—work remotely or from the office as needed ✈️ Opportunities for travel 💰 Competitive compensation and performance-based incentives US base salary range $75,000 - $175,000, depending on experience level, background and location. If this sounds like your kind of challenge, we’d love to hear from you. Let’s talk!


Get help with your application
Your very own career expert that helps elevate your application to the next level.
Why IOActive:
We have over 25 years of experience that’s established and stable; yet high-growth with the energy, passion and dynamic work environment of a startup. We are renowned for our innovation and thought leadership within our high-profile, cutting edge space. We're one of “the good guys” doing crazy cool stuff to thwart bad guys in a critically important business, social and political arena. Our work is great fun with great importance. Above all else, we value our people and our customers. Relationships matter. IOActive is an equal opportunity employer that is committed to diversity and inclusion in the workplace. We prohibit discrimination and harassment of any kind based on race, color, sex, religion, sexual orientation, national origin, disability, genetic information, pregnancy, or any other protected characteristic as outlined by federal, state, or local laws. This policy applies to all employment practices within our organization, including hiring, recruiting, promotion, termination, layoff, recall, leave of absence, compensation, benefits, training, and apprenticeship. IOActive makes hiring decisions based solely on qualifications, merit, and business needs at the time.
“It took my CV and asked me questions relevant to understanding what kind of jobs to suggest for me. Suggestions were almost perfect. Jobs were exactly what I’ve been looking for.”
Jessica, London
Skills
Location