About GitGuardian
GitGuardian is a global cybersecurity scale-up. The company is based in Paris, New-York City, Boston.
Among our early investors who saw our market value proposition, are the co-founder of GitHub, Scott Chacon, along with Solomon Hykes, Docker's co-founder. American and European top-tier VC firms have also invested in GitGuardian.
GitGuardian leads the way in Non-Human Identity security, offering end-to-end solutions from secrets detection in code, productivity tools and environments to strong remediation, observability and proactive prevention of leaks. Our solutions are already used by more than 600K developers worldwide!
Brand experiences are critical to differentiate. At GitGuardian we are convinced that field marketing is central to achieve this differentiation. While campaigns fill the top of our funnel, the moments that matter in a deal, the ones that help landing Fortune 500 security teams and reshape a CISO's buying decision are rarely happening over the phone.
They're happening when human interactions are real: dinners where the right conversation happened, great in person experiences, and engaging roundtables.
About your team and your mission
We are seeking a highly skilled and motivated senior security researcher to join our team and focus on addressing security challenges related to secrets in the new world of agentic AI.
You'll join the cybersecurity research team. The team brings backgrounds from CISO roles, red teaming, penetration testing, development, and vulnerability research, with recent participation at major conferences such as Real World Crypto, SSTIC, Black Alps, Northsec and KubeCon.
Day-to-day, you will investigate novel and existing tactics to find and abuse exposed credentials, then publish your findings as authoritative research. This means analyzing ongoing threats and attacks, exploring new exploitation techniques, and documenting emerging tactics. You will also collaborate with our engineering teams to identify ways to improve our products in terms of secret validation and coverage.
This role requires cross-functional expertise, primarily in cybersecurity, as well as in software development and data analysis. You will collaborate closely with colleagues in the internal Security team and report to the cybersecurity research lead. You'll spend roughly 70% of your time on research and 30% producing content to share findings with the security community.
As a researcher, you will track offensive trends and techniques, and work closely with our marketing team to produce 2–3 technical deep-dive articles or talks per quarter. Recent publications can be found on our security research blog.
About you
If you think you match at least 70% of these criteria, please apply!
Here's what we consider essential for success in this role:
5+ years of experience working in a security engineer role, with 2+ years dedicated to research-related work, or equivalent.
Strong offensive security background (pentesting, vulnerability research, or red team experience) with the ability to think like an attacker and translate that into defensive insights.
Experience with reverse engineering (binary analysis, malware inspection, malicious packages) and API/web security (OAuth, JWT, token validation, secret exposure patterns).
Comfortable working with modern infrastructure, such as cloud platforms (AWS, GCP, or Azure) or AI/LLM ecosystems, and able to assess their specific security implications.
Leverage AI tools actively in your day-to-day research workflow, whether for automation, analysis, or accelerating prototyping.
Proficient in at least one system or scripting language (Python, Go, or Rust), fluent with a terminal, and able to independently retrieve, transform, and analyze datasets to support research conclusions.
Track down complex security problems in software and infrastructure and define their solutions.
Enjoy hacking things and rapidly prototyping ideas.
Drive research autonomously, identify topics, conduct investigations, and publish findings, while partnering with engineering and product teams to translate insights into platform improvements.
Public research track record: CVEs, conference presentations, open-source tooling, or technical publications.
Fluent in English (written and spoken), with strong communication skills: you can explain complex vulnerabilities clearly to both technical and non-technical audiences and present at international conferences.
The following skills would strengthen your application but aren't required:
Understand supply chain security, including how attacks propagate through package registries (npm, PyPI, DockerHub), GitHub Actions workflows, and dependency automation tools.
Experience monitoring ongoing attacks, correlating signals across multiple data sources, reconstruct breaches, and having published your findings to the security community.
The interview process
At GitGuardian, we are committed to building a diverse, equitable and inclusive workforce.
We will ask for your gender on the application page to help us understand the diversity of our applicant pool and to track our progress in attracting and hiring a diverse workforce. The information is optional and will not be disclosed to the hiring manager or the interview team and will not be considered in the hiring process. We appreciate your willingness to share this with us so that we can continue to improve our diversity and inclusion efforts.
1. First Screening Call (Virtual)
To discover your professional project and evaluate if there could be a mutual match.
2. Interview with your future manager
To walk through your offensive security background and how you take research from idea to published finding.
3. Technical Test / Research Case (2 sessions x 60 min)
First session (Engineering focused) example tasks might include parsing a dataset of potential secret exposures, building a detector for a specific credential type, or investigating an internal security incident from telemetry data
Second session (Research focused) example tasks might include investigating a credential leak by digging into source code and CI logs, then pivot into cloud infrastructure using the exposed credentials
4.1 Meet the team (onsite)
An on-site lunch with the research and marketing team members, to meet the people you'll publish and work with.
4.2 Final Interview with an Executive Member
To detail our company’s vision and ambitions for the next couple of years.
5. References check
You can start thinking about two contacts who can attest to your previous or current professional experiences. These contacts should be as recent as possible, and we will call them at the end of the process.
Benefits
💰 Package that includes BSPCE
🍜 Lunch voucher (Swile, 12€ at 50%)
👟 Sponsored Wellpass (gymlib)
🏥 Non-charged health insurance for children (Sidecare / Generali)
💻 Up to €300 to improve your home office set-up
🌴 Yearly holiday allowance
🤝 Referral bonus of 4000€ for any new Guardian we might hire thanks to you
🎡 Team building: monthly budget dedicated to each employee that you can spend as you wish, with colleagues (latest examples to date: Michelin star restaurant, karaoke, stand-up show, kitesurfing week-end, ...)
And also...
🏡 Remote policy: hybrid (3 days/week at the office in Paris)
📈 Opportunities for career development in the long term
More about GitGuardian!
Products
Understand how GitGuardian works in this short video!
Want to go even further? Check out our public roadmap!
Check out the State of Secrets Sprawl Report to understand our mission and the industry.
Our solutions are already used by hundreds of thousands of developers in all industries and GitGuardian platform is the n°1 app on the GitHub marketplace 🔥
Clients
GitGuardian helps organizations find exposed sensitive information that could often lead to tens of millions of dollars in potential damage.
More than 70% of our customers are in the United States.
Many F500 companies use GitGuardian's platform.
People
The Guardians are knowledgeable, committed, serious, aligned with the company’s mission, and true team players: always willing to help each other grow our skill sets!
The team is diverse and we hail from more than 20 different countries.
We are also agile, remote-friendly, and fun people to work with.
You will get trust & autonomy on your perimeter with a very transparent internal communication and a strong impact on the company development.
