Conduct deep manual penetration tests against web applications, REST/GraphQL APIs, and microservices - focusing on authentication, authorization (IDOR/BOLA), session management, injection, and business logic flaws.
Perform source-code-assisted testing (grey-box/white-box) using access to application repositories to identify vulnerabilities that black-box testing misses.
Test multi-tenant isolation boundaries - proving or disproving cross-tenant data access, privilege escalation, and tenant-escape scenarios in SaaS platforms.
Assess authentication and session architectures: OAuth/OIDC flows, JWT handling, MFA bypass, token lifecycle, and session revocation effectiveness.
Validate authorization models end-to-end - from API gateway to data layer - identifying gaps where opt-in security filters can be bypassed or omitted.
Execute targeted assessments of high-risk application changes, new features, and integrations as part of the secure development lifecycle.
AI-Augmented Offensive Security
Use AI tools (LLMs, copilots, agentic frameworks) to accelerate vulnerability discovery, payload generation, reconnaissance, and report writing.
Build and maintain AI-assisted attack workflows - automated recon pipelines, intelligent fuzzing, pattern-based code review, and exploit chain analysis.
Assess AI-integrated application features for prompt injection, training data leakage, model manipulation, excessive agency, and insecure output handling (OWASP LLM Top 10).
Contribute to AI red-teaming exercises targeting LLM-powered features, chatbots, and agentic systems deployed across the enterprise.
Stay current on AI-driven offensive techniques and defensive evasion - and translate emerging research into practical testing methodologies.
Cloud & Infrastructure Testing
Conduct penetration tests against cloud-hosted applications and services in AWS and Azure - including serverless functions, container workloads, and managed services.
Test cloud identity and access configurations - IAM policies, role assumptions, cross-account access, service principal permissions, and privilege escalation paths.
Assess API gateway configurations, WAF effectiveness, and network segmentation controls.
Identify attack paths from application-layer compromise to cloud infrastructure pivot - demonstrating real-world impact chains.
Tooling, Automation & Reporting
Build and maintain custom offensive tooling - scanners, exploit scripts, and validation frameworks tailored to the organization's technology stack.
Develop repeatable, automated security validation tests that can be integrated into CI/CD pipelines for continuous assurance.
Produce clear, evidence-based penetration test reports with proof-of-concept exploits, risk ratings, and actionable remediation guidance.
Track and retest findings through remediation - validating fixes are effective and complete.
Contribute to the organization's attack playbooks, TTPs documentation, and knowledge base.
Collaboration & Enablement
Partner with AppSec engineers to translate offensive findings into defensive tooling improv
Additional Information
About Acrisure
A global fintech leader, Acrisure empowers millions of ambitious businesses and individuals with the right solutions to grow boldly forward. Bringing cutting-edge technology and top-tier human support together, we connect clients with customized solutions across a range of insurance, reinsurance, payroll, benefits, cybersecurity, mortgage services - and more.
In the last twelve years, Acrisure has grown in revenue from $38 million to almost $5 billion and employs over 19,000 colleagues in more than 20 countries. Acrisure was built on entrepreneurial spirit. Prioritizing leadership, accountability, and collaboration, we equip our teams to work at the highest levels possible.
Job Summary:
You will be a hands-on offensive security engineer who finds and proves exploitable vulnerabilities in web applications, APIs, and cloud-hosted services before adversaries do. Your primary focus is web application and API penetration testing across a large, multi-tenant SaaS portfolio, including payroll, benefits, and financial platforms that process sensitive PII and financial data at scale.
You'll conduct manual and automated security assessments, build repeatable attack tooling, and work directly with engineering teams to validate fixes. You will also leverage AI tools to accelerate reconnaissance, vulnerability discovery, exploit development, and reporting, and assess AI-integrated features within our applications for prompt injection, model manipulation, and agentic abuse risks.
We are an AI-first security organization. We build with AI, secure AI, and expect this role to actively leverage AI tooling to accelerate offensive security outcomes.
Success in this role means finding the vulnerabilities that scanners miss, proving exploitability with evidence that drives action, and helping engineering teams ship more secure code.