Careers

Find what the world missed.

SecureLayer7, Pune office

We build offensive security from research to revenue.

Pentesters publish CVEs. Engineers build BugDazz Autonomous. Engagement leads scope the work. Sales names the threat. Operations keeps researchers in flight. Every role ends in the same artifact: an exploit, a patch, a receipt.

The work

What you would actually do.

Six disciplines, one proof chain: research to retest, exploit to patch, sale to renewal.

  • Research

    Find what others miss.

    Reverse-engineer software no one else looked at this year. Chain primitives into working exploits. Publish CVEs that name us. Researchers chained CVE-2024-3400 three weeks before public disclosure, the day-one standard.

  • Engineering

    Ship BugDazz Autonomous.

    Build BugDazz Autonomous, the pentest engine that runs web apps, APIs, and Active Directory on a customer-set schedule. Tools, infra, integrations, plumbing.

  • Engagement

    Scope before testing.

    Run kickoffs with CISOs and platform leads. Translate findings into language regulators sign off on. Pruthvi and Munmun own this: calls, SOWs, the memo that goes to the board.

  • Sales

    Proof, not pitch decks.

    Open conversations with security leads at fintechs, banks, healthcare, telecoms, SaaS. The buyers who want artifacts, not templated PDFs.

  • Operations

    Keep researchers in flight.

    Equipment. Visas. Conference travel: DEF CON, Black Hat, OWASP, BSides. The work needs the room to happen.

  • Customer success

    Land remediation, not findings.

    The report lands as work in the right team's queue. The retest passes. The next engagement is scoped before the renewal.

Open positions

Roles open right now.

Live from our hiring portal. Apply opens the role on sechire.net; resume, scheduling, and references are handled there.

Hiring process

Five rounds. No surprises.

  1. Screening

    Thirty minutes. Why us, why now, what you have shipped. A pod lead listens more than they ask.

  2. Track exercise

    Original CTF for security · code review for engineering · scoping sim for engagement · discovery practice for sales. Two hours.

  3. Discipline interview

    Talk through your exercise with the team you would work alongside.

  4. Cross-functional

    Meet the adjacent team: the discipline-gap test.

  5. Founders

    Sandeep and leadership. Offer within five business days.

Median timeline: two weeks. Two-and-a-half for sales and engagement.

What you get

Real comp. Real time to do the work.

Standard line items, written so you know what the offer actually means before you walk into the founders chat.

Compensation

Set against the local market for the role.

Benchmarked to local market data, reviewed yearly. Equity for senior hires.

Conference + training

DEF CON, Black Hat, OWASP, BSides. Talks too.

Security track: DEF CON, Black Hat, OWASP, BSides, with registration and travel covered. Engineering: pick the technical conferences. Other tracks: same per-head budget, your call on the event.

Research time

A quarterly cadence, not a 20% project.

Pentesters get protected weeks each quarter for original research that ships as a CVE or a public writeup.

Equipment

Whatever the work needs.

A working laptop. Lab hardware for IoT and hardware research. Replaced on the team's standard refresh cycle.

Health + leave

We do not measure adults by attendance.

Medical, dental, vision in each office. Parental leave, PTO, sick leave on each office's local policy.

Office or remote

Austin and Pune are real offices.

People show up. Specific roles are remote; that is noted on the role itself.

The offer letter spells every line out as a number or a policy reference.

SL7 University · for colleges

Final-year students. Six months. From pentest curriculum to intern offer.

If you run a placement cell or head a CS / IT department, SL7 University is a no-fee partnership that puts your students through six months of web, internal, and external network pentest training run by senior SL7 testers. Interviews happen in parallel. Top performers walk into an intern offer before they graduate.

Third-party signal

What people who've worked here actually say.

Public, anonymous, third-party. Numbers come from Glassdoor's own dashboard for SecureLayer7.

  • 4.7 Glassdoor rating, across 108 reviews
  • 93% would recommend to a friend
  • 4.6 work-life balance (IT industry avg 3.8)
  • 88% positive outlook on the business, 12-mo

Where we work

Two cities, one team.

Austin and Pune. Pentesters, researchers, and engagement leads work from both: local hires, local hours.

  • Austin · Texas, USA
  • Pune · Maharashtra, India

On record

The work earns its own credentials.

14 years of offensive research. Every claim backed by a live CVE or a proven exploit.

  • CREST: Accredited company + accredited testers
  • SOC 2 Type II: AICPA Trust Services
  • ISO/IEC 27001: Information Security Management

Mapped to engagement requirements across

SOC 2 Type II, PCI DSS, HIPAA, ISO 27001, GDPR, NIST CSF, FedRAMP, and others

FAQ

Process questions.

Don't see your role? Tell us what you would build here. info@securelayer7.net