Whitehat Security Specialist - US

Real is a fast-growing national real estate brokerage powered by technology. Real is currently operating in all U.S. states, Canada, and the District of Columbia. Founded in 2014, Real is a trailblazer in the Residential Real Estate industry, as we lead the disruption with our cutting-edge technology platform. We are on a mission to revolutionize the home-buying and selling process, making agents' lives better while creating lucrative financial opportunities for them.

For more information, visit https://www.onereal.com/

Location: US - Remote.

Work Schedule: MUST be willing to work Eastern (EST) time zone hours, regardless of location.

Job Summary:

​​We are seeking a skilled and proactive Whitehat Security Specialist to join our growing R&D team at Real. As a Whitehat Security Specialist, you will be responsible for identifying, assessing, and mitigating security vulnerabilities across our company's infrastructure, applications, and systems. You will play a critical role in safeguarding our organization's data, networks, and technology assets by performing penetration testing, vulnerability assessments, and security audits. Your expertise will help us proactively identify weaknesses and develop strategies to defend against malicious cyber-attacks.

What you’ll do:

• Perform in-depth penetration testing and vulnerability assessments on web apps, infrastructure, and cloud-native systems to uncover and address security gaps.

• Lead threat modeling efforts and proactively identify potential attack vectors across our cloud and application stack.

• Secure cloud-native architectures by working closely with engineering teams to design and implement best-practice security in our AWS environment using Terraform and AWS CDK.

• Evaluate and improve the security of our AWS networking configuration (VPCs, Security Groups, NACLs, etc.) and IAM policies.

• Support and collaborate on incident response efforts—investigating security events, coordinating response, and helping strengthen our detection and recovery capabilities.

• Contribute to security audits, code reviews, and internal tooling that promote robust security throughout our infrastructure and SDLC.

• Automate vulnerability scanning and security testing pipelines to support a fast-moving CI/CD environment.

• Collaborate cross-functionally with developers, infrastructure engineers, and product teams to instill security-minded practices and drive secure design decisions.

• Create clear and actionable documentation around findings, fixes, and internal security guidelines.

• Support security awareness through internal training, tooling, and guidance to promote a security-first culture.

Who you are:

• You have 5+ years of hands-on experience in penetration testing, vulnerability assessments, or similar offensive security work.

• You have deep knowledge of networking fundamentals and common attack vectors—especially in cloud and web environments.

• You have strong knowledge of cloud-native security—especially in AWS—
  and are confident navigating and securing services like EC2, EKS, IAM, VPC, S3, ALB/NLB.

• You have experience with observability and monitoring tools like Datadog, particularly for detecting security anomalies, monitoring attack surfaces, and supporting incident response.

• You are experienced with networking protocols and cloud perimeter security (Security Groups, NACLs, route tables).

• You are comfortable using IaC tools like Terraform and AWS CDK to implement and secure infrastructure.

• You’ve built or maintained security automation tools using Python, Bash, or similar scripting languages.

• You’re familiar with cloud risk assessments and threat modeling methodologies, including frameworks like OWASP, NIST, and CIS Benchmarks.

• You enjoy keeping up with the latest in offensive and defensive security techniques, and you’re excited to continuously improve security posture across systems.

• You’re a strong communicator who can clearly explain risk and security decisions to both technical and non-technical teammates.

• You take initiative, thrive in ambiguity, and enjoy collaborating with others to solve hard, meaningful problems.

Our infrastructure stack:

• Cloud: AWS

• IaC: AWS CDK (TypeScript), Terraform

• Containerization & Orchestration: Microservice architecture deployed via Kubernetes on EKS, using ArgoCD and a GitOps workflow

• CI/CD: TeamCity

• Monitoring & Observability: Datadog

• Messaging & Storage: Kafka (MSK), Postgres (RDS), DynamoDB

Education and Experience:

• Bachelor’s degree in Cybersecurity, Information Security, Computer Science, or a related field (or equivalent practical experience).

• 3+ years of hands-on experience in penetration testing, vulnerability assessments, and ethical hacking.

• Previous experience working in an information security role, preferably with a focus on application security, network security, or incident response.

• Experience with security testing on various platforms, including web applications, mobile apps, and cloud environments.

Must-Have: Ability to truly encompass our Company Core Values

• Work Hard. Be Kind

• “We” are bigger than “me”

• Tech x Humanity

Real is proud to be an equal opportunity workplace employer. We are committed to equal employment opportunities regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity, or Veteran status.