WAF Adversarial Engineer

Software Guidance & Assistance, Inc., (SGA), is searching for a WAF Adversarial Engineer for a contract assignment with one of our premier SaaS clients in Seattle, WA. Will also consider remote candidates.

Responsibilities:

Run adversarial test campaigns against Adobe's WAF stack (Akamai, AWS WAF, Fastly, and Cloudflare) after each rule update cycle. Target encoding evasion, HTTP parsing differentials between WAF and origin, request smuggling, chunked encoding manipulation, multipart boundary abuse, Unicode normalization gaps, and logic layer bypasses. Build and maintain a versioned WAF bypass library, organized by vulnerability class (SQLi, XSS, SSRF, path traversal, SSTI, etc.), validated against staging and production WAF configurations, and updated as platforms and rules evolve. Conduct adversarial testing of API endpoints behind the WAF, including business logic abuse, BOLA/BFLA, mass assignment, and parameter manipulation. Document explicitly which classes of attack the WAF can and cannot reliably cover. Triage complex false positive investigations that cannot be resolved through log analysis alone - reproduce the ambiguous traffic from the attacker side and recommend targeted rule adjustments. Produce concise validation reports that translate offensive findings into testable rule candidates the team can refine and deploy. Each deliverable is a reproducer plus a rule recommendation, not a "bypass confirmed " note. Provide adversarial perspective during active edge incidents - likely attacker behavior, blind spots, next probable moves. Operate as the continuous validation function for the WAF program, integrated with the team's rule update cadence rather than running standalone pentest engagements.

Required Skills:

Demonstrated WAF bypass experience against at least two commercial WAF platforms (Akamai, AWS WAF, Fastly, or Cloudflare). Deep working knowledge of HTTP protocol edge cases that affect WAF inspection: request smuggling primitives, chunked transfer encoding abuse, multipart boundary manipulation, Unicode normalization differentials, and header injection patterns. Web application penetration testing track record with WAF-specific scope. OSCP, BSCP, OSWE, or a portfolio of disclosed bypasses, conference talks, or prior validation engagements against WAF-protected assets. Tool-running alone does not qualify. - Proven ability to translate offensive findings into defensive artifacts - reproducer plus rule candidate, not just a finding. Strong scripting in Python or Go for building test harnesses, payload generators, and replay tooling. Comfortable working in CI/CD pipelines and cloud environments (AWS or Azure). Plug into existing infrastructure rather than build it.

Education:

Bachelor's degree in Computer Science, Computer Engineering, Information Security, or a related technical field, or equivalent demonstrated experience.

Preferred Skills:

API-specific attack surface depth: GraphQL injection, BOLA/BFLA, mass assignment.

Akamai platform internals:

KRS / ASE

rule engine, custom Lua / EdgeWorkers exposure. Bot evasion at the behavioral layer: headless browser fingerprinting bypass, behavioral mimicry. Familiarity with edge-layer LLM/GenAI guardrails (OWASP LLM Top 10, prompt injection mitigation at the WAF tier). Public security research, CVE disclosures, or conference talks demonstrating original bypass work. SGA is a technology and resource solutions provider driven to stand out. We are a women-owned business.

Our mission:

to solve big IT problems with a more personal, boutique approach. Each year, we match consultants like you to more than 1,000 engagements. When we say let's work better together, we mean it. You'll join a diverse team built on these core values: customer service, employee development, and quality and integrity in everything we do. Be yourself, love what you do and find your passion at work. Please find us at . SGA is an Equal Opportunity Employer and does not discriminate on the basis of Race, Color, Sex, Sexual Orientation, Gender Identity, Religion, National Origin, Disability, Veteran Status, Age, Marital Status, Pregnancy, Genetic Information, or Other Legally Protected Status. We are committed to providing access, equal opportunity, and reasonable accommodation for individuals with disabilities in employment, and our services, programs, and activities. Please visit our company to request an accommodation or assistance regarding our policy.