WAF Adversarial Engineer

You’ll be joining Adobe on a contract opportunity, employed through NextDeavor

Benefits You'll Love

NextDeavor offers health, vision and dental benefits for contract employees Paid sick leave eligibility is contingent on state of residence Optional 401k Plan (excludes employer match) Opportunity to get your foot in the door at a well-established corporation, with potential for extended or permanent full-time employment

Become a Key Player as a WAF Adversarial Engineer

You will validate and harden the client's web application firewall (WAF) program by running continuous adversarial testing and translating offensive findings into actionable rule candidates. Your work will influence edge security, incident response, and rule-deployment cadence across the security and engineering teams. This role is hybrid/remote with Seattle preferred and open to remote candidates.

Here's How You'll Make an Impact on the Team

• Run adversarial test campaigns against the client's WAF stack after each rule update cycle, targeting encoding evasion, HTTP parsing differentials, request smuggling, and other edge-layer weaknesses.
• Build and maintain a versioned WAF bypass library organized by vulnerability class (e.g., SQLi, XSS, SSRF, path traversal, SSTI) and validate against staging and production WAF configurations.
• Conduct adversarial testing of API endpoints behind the WAF (business logic abuse, BOLA/BFLA, mass assignment, parameter manipulation) and document which attack classes the WAF can and cannot reliably cover.
• Triage complex false positives by reproducing ambiguous traffic from the attacker side and recommending targeted rule adjustments.
• Produce concise validation reports that deliver a reproducer plus a rule recommendation suitable for refinement and deployment.
• Provide adversarial perspective during active edge incidents, identifying likely attacker behavior, blind spots, and next probable moves.
• Integrate continuous validation into the team's rule update cadence rather than running standalone penetration tests.

Here's What You'll Need to Be Successful in This Role

• Demonstrated WAF bypass experience against at least two commercial WAF platforms (e.g., Akamai, AWS WAF, Fastly, Cloudflare).
• Deep working knowledge of HTTP protocol edge cases affecting WAF inspection: request smuggling primitives, chunked transfer encoding abuse, multipart boundary manipulation, Unicode normalization differentials, and header injection patterns.
• Proven web application penetration testing track record with WAF-specific scope; tool-running alone does not qualify.
• Certifications or demonstrated outputs such as OSCP, BSCP, OSWE, or a portfolio of disclosed bypasses, conference talks, or prior validation engagements.
• Strong scripting skills in Python or Go for building test harnesses, payload generators, and replay tooling.
• Comfortable working in CI/CD pipelines and cloud environments (AWS or Azure) and integrating with existing infrastructure.
• Bachelor's degree in Computer Science, Computer Engineering, Information Security, or a related technical field, or equivalent demonstrated experience.

Here's What Else Might Help You Out

• Deep API-specific attack knowledge: GraphQL injection, BOLA/BFLA, mass assignment.
• Familiarity with Akamai internals (KRS / ASE rule engine, custom Lua / EdgeWorkers).
• Experience with bot evasion techniques at the behavioral layer (headless browser fingerprinting bypass, behavioral mimicry).
• Familiarity with edge-layer LLM/GenAI guardrails and prompt injection mitigation at the WAF tier.
• Public security research, CVE disclosures, or conference talks demonstrating original bypass work.

Pay Range

$56.34 - $70.42/hour

Ready to Make Your Mark?

This role may fill quickly. Submit your resume to be considered.