Our Way of Doing in the Team:

Transform your career with iFood! We are a Brazilian technology company referenced in Latin America. Through innovative solutions, we connect thousands of restaurants to millions of consumers daily with an average of 100 million orders per month. In addition to food delivery, we are also a Marketplace, Pharmacy, and Pet service. We also have iFood Pago, our Fintech, which includes iFood Benefits, the food and meal vouchers, and iFood Pago, the restaurant's bank. Join us and be part of a team that is always ahead with cutting-edge technology and constant innovation.

Your Daily Menu:

Plan and execute offensive operations (Red Team engagements, Adversary Simulation/Emulation) against iFood Pago's infrastructure, applications, and processes, simulating real adversaries with a focus on financial impact.
Perform security testing on web applications, APIs (REST/GraphQL/gRPC), and mobile applications (Android and iOS), including static, dynamic, and runtime analysis.
Test and evaluate the security of cloud-native environments, including Kubernetes, containers, and service meshes.
Conduct security testing on AI-powered systems, identifying vulnerabilities such as prompt injection, model manipulation, data poisoning, bypassing guardrails, among others.
Develop automation, offensive tools, and integrations using AI/LLMs to scale processes and enhance the identification and exploitation of vulnerabilities.
Document findings clearly, demonstrating real business impact and proposing corrective action plans.
Collaborate with Blue Team and CSIRT in Purple Team exercises, contributing to continuous improvement in detection and response.
Stay updated on emerging TTPs, especially those targeted at the financial and payment sector in Latin America.

Ingredients We Seek:

Experience in Red Team operations and Penetration Testing in corporate environments.
Proficiency in security testing of web applications and APIs, including vulnerabilities beyond the OWASP Top 10 (broken authentication, mass assignment, BOLA/IDOR, race conditions, business logic flaws in financial flows).
Experience in mobile security (Android/iOS): reverse engineering APKs/IPAs, hooking with Frida, bypassing certificate pinning, local storage analysis, etc.
Practical knowledge in cloud-native environment security: Kubernetes (RBAC, pod escape, service account abuse), Docker (container breakout), AWS/GCP (privilege escalation, misconfiguration exploitation).
Experience with Red Team infrastructure: C2 frameworks (Cobalt Strike, Sliver, custom C2), redirectors, OPSEC, evasion, and persistence.
Programming and scripting skills (Python, Go, Bash) for developing offensive tooling and automation.
Knowledge of the MITRE ATT&CK Framework and the ability to map operations to relevant TTPs.
Familiarity with financial protocols and systems is a strong plus.
Ability to translate technical findings into business risk for different audiences.

To Enhance the Flavor:

Experience in security testing of LLMs/AI-based systems (prompt injection, jailbreaking, tool-use abuse, data exfiltration via AI agents).
Use of AI/LLMs for automating offensive tasks (vulnerability triage, payload generation, code analysis, automated reconnaissance).
Participation in bug bounty programs with relevant track record.
Publication of research, CVEs, write-ups, or talks at security conferences.
Relevant certifications (OSCP, OSEP, OSWE, CRTO, CARTE, CRT, eMAPT).
Previous experience in fintechs, banks, or payment companies.

We are looking for someone passionate about information security, who is always seeking new learnings and enjoys challenges. If you identify with this profile, we would love to meet you!