Horizon3.ai’s NodeZero® shifts the advantage from attackers to defenders by giving organizations the power to fight AI with AI. The Proactive Security Platform autonomously tests your defenses at machine speed, safely finds and prioritizes exploitable attack paths, instantly verifies fixes, and drives a continuous loop so you can prove you’re resilient, not just hope you are.
This is a wild role for anyone who lives at the intersection of break-and-build offensive security and cutting-edge software development. Horizon3.ai isn’t looking for a traditional auditor who fills out compliance checklists. They want a Remote Webapp Offensive Security Software Engineer who knows how to hack web applications and can translate those attack vectors into safe, autonomous, production-grade exploit code.
If you want to build automated pentesting tools that think like an actual attacker, here is what’s expected of you, how the AI aspect plays a major role, and what the financial package looks like.
What You’ll Actually Do
- Horizon3.ai’s core platform, NodeZero, is basically an autonomous red-team analyst. It maps attack paths, finds weaknesses, and tries to exploit them to prove whether a vulnerability is a real risk or just theoretical noise.
- Your day-to-day work will center around designing and writing the actual web application offensive security content that feeds this machine. You will take raw research, zero-days, or newly disclosed web vulnerabilities, reverse-engineer them, and weaponize them safely into the platform.
- This requires writing clean, test-driven object-oriented code, managing data models with databases like Postgres and Neo4j, and jumping into production to monitor your tools or iron out bugs. You will also get to share your work with the broader cybersecurity community by publishing technical blog posts detailing your exploit methodologies and research.
What Makes This Job Different
What makes this job listing fascinating right now is how heavily focused it is on the intersection of cybersecurity and generative artificial intelligence. Horizon3.ai has been rapidly rolling out things like their NodeZero Model Context Protocol (MCP) Server. This essentially acts as an interface that lets an organization’s internal LLM or AI security agents talk directly to NodeZero to launch pentests, pull exploit data, and coordinate automated fixes.
Because of this direction, you aren’t just writing traditional scripts anymore. They want an engineer who is genuinely eager to integrate AI-driven methods into vulnerability detection and exploitation workflows. If you have spent time fine-tuning language models, playing with Retrieval-Augmented Generation (RAG), or using frameworks like LangChain to build autonomous agentic workflows, you are exactly the kind of hybrid engineer they are looking to hire.
The Technical Bar and Requirements
They are looking for a blend of a seasoned developer and a veteran breaker. The absolute requirements are straightforward:
- Deep, practical experience performing full-scope web application penetration testing using standard proxy setups like Burp Suite and browser dev tools.
- Strong programming fundamentals rooted in object-oriented programming and test-driven development (TDD).
- A solid grasp of relational and graph databases (Postgres and Neo4j).
- A natural curiosity for using AI development tools to optimize research and automate tedious tasks.
- A proven track record of finding CVEs, contributing to responsible disclosure, or successfully participating in bug bounties.
If you happen to hold an OSCP certification or have hands-on experience building custom web app testing automation tools in past large-scale software projects, you will immediately stand out.
Compensation
Horizon3.ai is a completely remote company founded by a mix of startup veteran engineers and former U.S. Special Operations cyber operators. They completely embrace a remote culture that values ownership over micromanagement, though you should expect up to 15% travel for company events or collaborative meetups.
On the financial front, the base salary is transparently set between $185,000 and $240,000 annually, with the exact number scaling depending on your location, background, and specific skills. Since this is a full-time role, you also get an equity stake in the company via stock options, standard flexible vacation time, solid family medical/dental/vision coverage, and comprehensive parental leave.
If you are a builder who loves offensive security and wants to help shape how autonomous AI defenses are built, this team is actively building that future right now.
To apply for this job please visit horizon3.ai.