Senior Security Researcher in London

About Us

Devtech provides digital innovation services that help Fortune 1000 and emerging companies transform, scale and disrupt. We partner with our clients to envision and develop next-gen digital and cloud solutions that drive impactful business outcomes through people and technology. Our mission is to empower every innovative business in the world to do what they do best, even better. Founded in 2012, Devtech successfully bootstrapped the business for many years before securing institutional growth capital in 2022 and 2024 to fuel our next stages of growth. We are a team of over 300 professionals across Europe and North America, and our continued growth is a testament to the quality of work our teams produce. At Devtech, we’re fostering an environment of autonomy, mastery, and purpose, where our team members can grow and thrive. As we continue to scale globally, we're excited to welcome new team members who share our curiosity and growth mindset, and are ready to make an impact!

What You Will Do

We're building a platform in the software supply chain security space. Our mission is to catch malicious packages, compromised CI/CD pipelines, and supply chain attacks before they reach our customers' production systems, servers, or developer desktops. We're looking for a Senior Security Researcher to own the detection pipeline end-to-end, which includes the systems that ingest packages, surface malicious findings, identify suspicious behavior, triage findings, and publish the research that both protects our customers and establishes our voice in the community. This is a hands‑on role. You'll be designing detection pipelines, reviewing flagged packages, writing code, hunting threats, disclosing vulnerabilities, and publishing your work.

• Design the systems that scan open-source packages (npm, PyPI, RubyGems, Maven, Go modules, GitHub Actions, container images, and more) for malicious behavior at scale.
• Tune signals, reduce false positives, and add new detection techniques as attackers evolve.
• Actively find novel malicious packages, typosquats, dependency confusion attempts, compromised maintainers, and CI/CD abuse patterns.
• Coordinate with maintainers, foundations, and registries, file CVEs, work with GitHub Security Advisories, the OSV schema, and platform security teams.
• Turn every significant finding into a blog post that's fast, clear, and technically rigorous that gets shared in security newsletters and lands on places like Hacker News.
• Build internal tooling that uses static analysis and AI models to triage findings, summarise package diffs, and cluster related campaigns.
• Your findings feed directly into what we build. Expect to sit in on roadmap discussions and push back when detection logic in the product doesn't match what you see in the wild.
• Stay up-to-date with the latest sandbox evasion and detection measures and create countermeasures and red‑teaming exercises.
• Keeping a tight line between false positives and false negatives in our detection pipeline to ensure a well‑curated and trusted set of threat intelligence.

What you will need

• A track record of finding real vulnerabilities - published CVEs, GHSAs, or equivalent advisories with your name on them.
• Deep familiarity with multiple vulnerability classes like malicious packages, RCE, prototype pollution, deserialization, SSRF, auth bypasses, CI/CD‑specific attack paths and memory corruption.
• Experience designing and operating a detection, scanning, or analysis pipeline at scale that run continuously and produce signal.
• Strong programming skills in at least one of TypeScript, Python, Go, or Rust.
• Comfortable reading code in languages you don't write daily (JavaScript, Ruby, Java, PHP, etc).
• Proven ability to write a good blog post fast.
• Hands‑on use of LLMs as a research tool.
• Understanding of LLMs to know where they break, which prompts and models work best, and when to reach for a model vs. when not to.
• Prior work on software supply chain attacks.
• Contributions to OpenSSF, OSV, Sigstore, SLSA, or adjacent projects are a plus.
• Reverse engineering chops - obfuscated JavaScript droppers, packed binaries, malicious post‑install scripts are a plus.
• A conference talk or two (DEF CON, Black Hat, BSides, OffensiveCon, Kaspersky SAS) is a plus.
• Experience with eBPF, sandboxing, or dynamic analysis infrastructure is a plus.

What we offer

• Private health insurance.
• 25 days of vacation / PTO.
• 7 days of sick leave at 100% pay.
• Outstanding referral bonuses.
• Paternity leave – 15 days for new dads.
• Reduced working hours for the first month after returning from maternity.
• Development program (training & conferences, internal knowledge sharing).
• Flexible work environment.