What are the responsibilities and job description for the Summer/Fall 2026 - Cybersecurity Engineering Internship position at Medlaunch Concepts?
We're building a transformative healthcare accreditation platform that is revolutionizing how hospitals manage compliance, quality improvement, and regulatory processes. Our platform combines cutting-edge technology with deep healthcare domain expertise to solve real problems for healthcare organizations nationwide. We are SOC 2 Type 2 certified and HIPAA compliant, and are actively pursuing ISO 27001 certification and GDPR readiness.
The Opportunity
The goal is to have interns turn into full-time employees; therefore, you will be given full-time responsibilities from day one. You will be working in a high-velocity growth startup and will be required to move fast. You'll work directly with our engineering and security teams on production healthcare systems, gaining hands-on experience with penetration testing, cloud security, and compliance operations while making real contributions that impact our product and customers.
Compensation Structure
Base position is unpaid; however, qualified candidates may receive upfront equity compensation based on their experience level and demonstrated capabilities. We evaluate each applicant individually and offer equity packages commensurate with their potential contribution.
About the Role
We're hiring a Cybersecurity Intern focused on Penetration Testing & Cloud Security. This role is split between offensive security — finding and exploiting vulnerabilities across our web applications, APIs, and cloud infrastructure — and defensive hardening of our AWS environment. You'll also contribute to our compliance posture as we maintain SOC 2 and HIPAA while working toward ISO 27001 and GDPR readiness.
Requirements
- Penetration testing fundamentals: Understanding of web application and API security testing methodologies (OWASP Top 10, PTES, or similar frameworks)
- Cloud security: Experience with AWS security concepts — identity and access management, network segmentation, encryption, and logging
- Networking & infrastructure security: Understanding of firewalls, VPNs, TLS/SSL, DNS security, and least-privilege network design
- Compliance frameworks: Working knowledge of at least one: SOC 2, HIPAA, ISO 27001, or GDPR — and willingness to learn the others
- Scripting & automation: Python or Bash for security automation, exploit development, log parsing, and vulnerability scanning workflows
- Version control: Git for code and configuration versioning
- Collaborative mindset: Ability to work within a specialized team structure and move fast in a startup environment
- Hands-on experience with pen testing tools (Burp Suite, OWASP ZAP, Metasploit, Nmap, Nikto)
- Experience with SIEM tools (Splunk, Datadog Security, or AWS-native equivalents)
- Exposure to infrastructure-as-code security scanning (Terraform, CloudFormation, Checkov, tfsec)
- Knowledge of container security (Docker image scanning, runtime security)
- Bug bounty participation or CTF competition experience
- Healthcare or regulated industry experience
- Relevant certifications or coursework: CompTIA Security+, OSCP, CEH, AWS Security Specialty, or similar
- Web application testing: Conduct structured penetration tests against our platform — identifying injection flaws, broken authentication, access control bypasses, and business logic vulnerabilities aligned with the OWASP Top 10
- API security assessments: Test REST API endpoints for authentication weaknesses, improper authorization, rate limiting gaps, mass assignment, and data exposure risks
- Cloud infrastructure testing: Assess our AWS environment for misconfigurations, privilege escalation paths, exposed services, and insecure default settings
- Vulnerability discovery and reporting: Document findings with clear severity ratings, reproducible proof-of-concept exploits, and actionable remediation guidance for engineering teams
- Red team exercises: Participate in simulated attack scenarios — social engineering, phishing simulation, and adversary emulation — to test organizational security awareness and incident response readiness
- Identity and access management: Audit and enforce least-privilege access policies across AWS services — eliminating over-permissioned roles and implementing conditional access controls
- Network security: Review and harden network segmentation, security groups, and perimeter controls to isolate sensitive healthcare data workloads
- Encryption and secrets management: Verify and improve encryption-at-rest and in-transit across all platform services, and enforce secrets rotation and key management best practices
- Threat detection and monitoring: Configure and tune cloud-native detection and logging services to identify anomalous access patterns, unauthorized API calls, and potential data exfiltration attempts
- Secure configuration baselines: Develop and enforce security benchmarks (CIS, AWS Well-Architected) across cloud resources, with automated drift detection
- ISO 27001 readiness: Assist in developing and documenting Information Security Management System (ISMS) policies, controls, and evidence aligned to Annex A requirements
- GDPR data protection: Help implement data subject access request (DSAR) workflows, consent management mechanisms, data processing inventories, and cross-border data transfer controls
- SOC 2 continuous compliance: Maintain and improve existing SOC 2 Type 2 controls — gathering evidence, monitoring control effectiveness, and remediating gaps identified in audits
- HIPAA security rule alignment: Support ongoing HIPAA compliance by reviewing technical safeguards, access controls, and audit trail requirements across the platform
- Policy and procedure documentation: Draft and maintain security policies, incident response playbooks, and risk assessment documentation for internal use and auditor review
- Conduct penetration tests against web applications, APIs, and cloud infrastructure — documenting findings with severity ratings and remediation steps
- Audit and harden identity and access management policies, network configurations, and encryption settings across AWS
- Perform vulnerability assessments and work with engineering teams on prioritized remediation
- Participate in red team exercises including phishing simulations, adversary emulation, and social engineering assessments
- Support ISO 27001 certification efforts by developing ISMS documentation, control mappings, and audit evidence
- Implement GDPR data protection controls including DSAR workflows, data inventories, and consent management
- Maintain SOC 2 Type 2 continuous compliance — evidence collection, control monitoring, and gap remediation
- Automate security workflows using Python and Bash — vulnerability scanning, compliance checks, and reporting
- Participate in incident response exercises and help refine detection and escalation procedures
- Collaborate with engineering teams to embed security into development workflows (shift-left security practices)
Candidates must meet all Core Qualifications plus demonstrate depth in the Penetration Testing & Cloud Security focus area.
Core Qualifications
- Intermediate to advanced Python or Bash scripting skills (1+ years)
- Git for version control and collaborative development workflows
- Understanding of networking fundamentals (TCP/IP, DNS, HTTP/S, TLS)
- Familiarity with AWS or equivalent cloud platforms
- Understanding of web application security testing methodologies (OWASP Top 10, PTES, OSSTMM)
- Hands-on experience with at least one pen testing tool (Burp Suite, OWASP ZAP, Metasploit, Nmap)
- Familiarity with AWS security concepts — IAM, VPC networking, encryption services, and logging
- Familiarity with at least one compliance framework: SOC 2, HIPAA, ISO 27001, or GDPR
- Knowledge of encryption standards and key management (AES-256, TLS 1.2+)
- Understanding of SIEM or centralized logging concepts
- Security-related coursework, certifications, CTF participation, or bug bounty experience
- OSCP, CEH, CompTIA Security+, or AWS Security Specialty certification (or in progress)
- Bug bounty hall of fame entries or published vulnerability disclosures
- Healthcare or regulated industry experience
- Experience writing incident response playbooks or security documentation
- Familiarity with infrastructure-as-code security scanning (Checkov, tfsec, Prowler)
- Knowledge of container and serverless security hardening
- SOC 2 audit evidence gathering or ISO 27001 ISMS development
- Familiarity with zero-trust architecture principles
We believe in a transparent and thorough selection process that respects your time while ensuring mutual fit:
- Initial Screening Call — We'll discuss your background, experience, and career goals, while providing an overview of the role and our team culture.
- Technical Challenge (issued on a case-by-case basis) — You'll receive a real-world security challenge to complete within a specified timeframe. We encourage you to leverage all available resources — including AI tools, documentation, and reference materials — just as you would in a production environment. This reflects how we actually work and allows you to showcase your problem-solving approach.
- Technical Interview — We'll have an in-depth discussion about your solution and explore related security concepts. You should be prepared to walk through every aspect of your submission — explaining threat models, attack vectors, tool selection, trade-offs, and potential improvements. Whether you wrote specific scripts manually or generated them with AI assistance, you must demonstrate complete ownership and understanding of the entire submission. This is a production-level assessment: we expect you to discuss, debug, and defend your work as if it were going live tomorrow.
We're looking for security-minded engineers who can think like attackers, assess risk, and truly understand the systems they protect — not just those who can run scans.
Ready to apply? We look forward to hearing from you!