WAF Adversarial Engineer
SGA Inc.
Seattle, United States of America
12 days ago
Role details
- Contract type: Permanent contract
- Employment type: Full-time (> 32 hours)
- Working hours: Regular working hours
- Languages: English
- Job location: Seattle, United States of America
Tech stack
API
Amazon Web Services (AWS)
Business Logic
Software System Penetration Testing
Azure
Software as a Service
Encodings
Computer Security
Computer Engineering
Hypertext Transfer Protocols (HTTP)
Python
Log Analysis
Lua
Open Web Application Security
Akamai
Rule Engine
SQL Injection
Cloud Platform System
Large Language Models
Cross-Site Scripting (XSS)
Adobe
Information Technology
Cloudflare
GraphQL
Web Api
Job description
Software Guidance & Assistance, Inc. (SGA) is searching for a WAF Adversarial Engineer for a contract assignment with one of our premier SaaS clients in Seattle, WA. Will also consider remote candidates.
- Run adversarial test campaigns against Adobe's WAF stack (Akamai, AWS WAF, Fastly, and Cloudflare) after each rule update cycle.
- Target encoding evasion, HTTP parsing differentials between WAF and origin, request smuggling, chunked encoding manipulation, multipart boundary abuse, Unicode normalization gaps, and logic layer bypasses.
- Build and maintain a versioned WAF bypass library, organized by vulnerability class (SQLi, XSS, SSRF, path traversal, SSTI, etc.), validated against staging and production WAF configurations, and updated as platforms and rules evolve.
- Conduct adversarial testing of API endpoints behind the WAF, including business logic abuse, BOLA/BFLA, mass assignment, and parameter manipulation. Document explicitly which classes of attack the WAF can and cannot reliably cover.
- Triage complex false positive investigations that cannot be resolved through log analysis alone - reproduce the ambiguous traffic from the attacker side and recommend targeted rule adjustments.
- Produce concise validation reports that translate offensive findings into testable rule candidates the team can refine and deploy. Each deliverable is a reproducer plus a rule recommendation, not a "bypass confirmed" note.
- Provide adversarial perspective during active edge incidents - likely attacker behavior, blind spots, next probable moves.
- Operate as the continuous validation function for the WAF program, integrated with the team's rule update cadence rather than running standalone pentest engagements.
Requirements
- Demonstrated WAF bypass experience against at least two commercial WAF platforms (Akamai, AWS WAF, Fastly, or Cloudflare).
- Deep working knowledge of HTTP protocol edge cases that affect WAF inspection: request smuggling primitives, chunked transfer encoding abuse, multipart boundary manipulation, Unicode normalization differentials, and header injection patterns.
- Web application penetration testing track record with WAF-specific scope. OSCP, BSCP, OSWE, or a portfolio of disclosed bypasses, conference talks, or prior validation engagements against WAF-protected assets. Tool-running alone does not qualify.
- Proven ability to translate offensive findings into defensive artifacts - reproducer plus rule candidate, not just a finding.
- Strong scripting in Python or Go for building test harnesses, payload generators, and replay tooling.
- Comfortable working in CI/CD pipelines and cloud environments (AWS or Azure). Plug into existing infrastructure rather than build it.
- Education: Bachelor's degree in Computer Science, Computer Engineering, Information Security, or a related technical field, or equivalent demonstrated experience.
Preferred Skills:
- API-specific attack surface depth: GraphQL injection, BOLA/BFLA, mass assignment.
- Akamai platform internals: KRS / ASE rule engine, custom Lua / EdgeWorkers exposure.
- Bot evasion at the behavioral layer: headless browser fingerprinting bypass, behavioral mimicry.
- Familiarity with edge-layer LLM/GenAI guardrails (OWASP LLM Top 10, prompt injection mitigation at the WAF tier).
- Public security research, CVE disclosures, or conference talks demonstrating original bypass work.
About the company
SGA is a technology and resource solutions provider driven to stand out. We are a women-owned business. Our mission: to solve big IT problems with a more personal, boutique approach. Each year, we match consultants like you to more than 1,000 engagements. When we say let's work better together, we mean it. You'll join a diverse team built on these core values: customer service, employee development, and quality and integrity in everything we do. Be yourself, love what you do and find your passion at work. Please find us at .