Principal Consultant - Offensive Security Engineer

Synechron

Toronto

Description

We are

At Synechron, we believe in the power of digital to transform businesses for the better. Our global consulting firm combines creativity and innovative technology to deliver industry-leading digital solutions. Synechron’s progressive technologies and optimization strategies span end-to-end Artificial Intelligence, Consulting, Digital, Cloud & DevOps, Data, and Software Engineering, servicing an array of noteworthy financial services and technology firms. Through research and development initiatives in our FinLabs we develop solutions for modernization, from Artificial Intelligence and Blockchain to Data Science models, Digital Underwriting, mobile-first applications and more. Over the last 20+ years, our company has been honored with multiple employer awards, recognizing our commitment to our talented teams. With top clients to boast about, Synechron has a global workforce of 16,850+, and has 60 offices in 20 countries within key global markets.

Our challenge

You’ll bring deep offensive security expertise to the agentic AI vulnerability program. You’ll determine what’s truly exploitable, identify how vulnerabilities chain into real attacks, and validate that AI-generated fixes close the actual root cause — not just suppress scanner alerts. Your offensive analysis, exploit chain reasoning, and false positive judgment will be channeled into AI agents through prompts, evaluation criteria, and workflows that scale your expertise across the bank. You’ll work alongside the vulnerability management team and AI capability suppliers, contributing the deep offensive perspective the program needs.

Additional Information*

The base salary for this position will vary based on geography and other factors. In accordance with law, the base salary for this role if filled within Toronto, ON is CAD $130K - CAD $140K/year & benefits (see below).

The Role

Responsibilities:

  • Lead exploitability assessment and false positive analysis across SAST, DAST, SCA, IAST, container, and infrastructure findings — and translate that analysis into reusable AI agent prompts and skills.
  • Identify exploit chains across vulnerability classes that traditional scanners miss and encode the reasoning into agent workflows so the capability scales.
  • Validate that AI-generated fixes close exploitable conditions, and feed validation patterns back into agent evaluation frameworks.
  • Develop offensive prompts, attack scenarios, and evaluation criteria that the agentic AI capability uses to assess findings autonomously.
  • Translate offensive insights into prioritization signals and remediation guidance for VM and engineering teams, delivered through AI-driven workflows.

Requirements:

  • 10+ years in offensive security with hands-on exploit development, red teaming, and penetration testing.
  • At least one of the following certifications: OSCP, OSCE, OSEP, OSWE, GXPN, or GWAPT.
  • Demonstrated ability to identify and validate exploit chains across vulnerability classes.
  • Deep fluency in vulnerability classes including memory safety, injection, authentication and authorization flaws, deserialization, race conditions, and supply chain attacks — with real exploitation experience, not just theory.
  • Strong code reading skills in at least 3 languages relevant to enterprise stacks (Java, Python, JavaScript, C#, Go), with the ability to pick up new languages quickly enough to assess findings in any production code.
  • Hands-on experience with application security testing tools (SAST, DAST, SCA, IAST), specifically around false positive analysis and exploitability validation.

Preferred skills:

  • Public evidence of offensive capability: published CVEs, conference talks (DEF CON, Black Hat, OffensiveCon, Recon), CTF placements, bug bounty track record, or open-source offensive tooling contributions.
  • Software engineering experience and contributions to production codebases.
  • Defensive engineering experience building detection and remediation capabilities.
  • Working familiarity with frontier LLMs and agentic AI tools applied to security analysis.
  • Modern CI/CD and container platform knowledge (Docker, Kubernetes, GitHub Actions, Jenkins).
  • Financial services or regulated industry experience with exposure to SOX, SOC1, and audit.
  • Hands-on experience with enterprise vulnerability tooling (Tenable, Aqua, Snyk, BrightSec).

We offer:

  • A multinational organization with 60 offices in 20 countries and the possibility of working abroad.
  • 15 days (3 weeks) of paid annual leave plus an additional 10 days of personal leave (floating days and sick days).
  • A comprehensive insurance plan including medical, dental, vision, life insurance, and long-term disability.
  • Flexible hybrid policy.
  • RRSP with employer’s contribution up to 4%.
  • A higher education certification policy.
  • On-demand Udemy for Business for all Synechron employees with free access to more than 5000 curated courses.
  • Coaching opportunities with experienced colleagues from our Financial Innovation Labs (FinLabs) and Centers of Excellence (CoE) groups.
  • Cutting edge projects at the world’s leading tier-one banks, financial institutions and insurance firms.
  • A truly diverse, fun-loving and global work culture.

SYNECHRON’S DIVERSITY & INCLUSION STATEMENT

Diversity & Inclusion are fundamental to our culture, and Synechron is proud to be an equal opportunity workplace and is an affirmative action employer. Our Diversity, Equity, and Inclusion (DEI) initiative ‘Same Difference’ is committed to fostering an inclusive culture – promoting equality, diversity and an environment that is respectful to all. We strongly believe that a diverse workforce helps build stronger, successful businesses as a global company. We encourage applicants from across diverse backgrounds, race, ethnicities, religion, age, marital status, gender, sexual orientations, or disabilities to apply. We empower our global workforce by offering flexible workplace arrangements, mentoring, internal mobility, learning and development programs, and more.

All employment decisions at Synechron are based on business needs, job requirements and individual qualifications, without regard to the applicant’s gender, gender identity, sexual orientation, race, ethnicity, disabled or veteran status, or any other characteristic protected by law.