Cossack Labs

Joined in 2020
99% answers
Cossack Labs provides data security solutions to help innovators protect sensitive data against external attackers, insider threats, and misconfigurations while remaining compliant with regulations.

WHAT WE DO:

We specialize in working with mission-critical, multi-app, multi-platform distributed systems, addressing serious global issues. Our data security solutions cater to large enterprises, startups, and tech-savvy SMEs across various industries, including healthcare, IoT, power grid operators, payment processors, fintech, legal companies, million-user customer applications, decentralized finance systems, AI/ML, and more.

We take on difficult jobs: we take mission-critical software and make it mission-secure.

OUR TEAM:

Operating as a lean core team and a diverse network of experts, we bring together individuals with diverse backgrounds, including PhDs in information security and cryptography, infosec community standard contributors, experts in rare security topics, and business-centric security engineers. Some team members have been in infosec since the 1990s and have witnessed the industry's growth. Others have contributed to writing standards governing security practices.

LEARN WITH US

Explore case studies of our regular work from an engineer’s perspective: https://www.cossacklabs.com/case-studies/. We are actively involved in cryptographic R&D, maintain free open-source software on GitHub (https://github.com/cossacklabs), share engineering experiences in blog posts and at conferences, and volunteer to help Ukrainian companies enhance security resilience during warfare.

JOIN US FOR A JOURNEY OF GROWTH:

As a Cossack Labs engineer, you will engage in slow-paced projects for learning and improvement, internal projects for innovation and tool-building, and, of course, a few challenges because no smooth sea can make a skilled sailor. Discover what works for you and identify areas for growth. Our core engineers undergo extensive indoctrination and training to become disciplined, stringent, and self-sufficient field units who take ownership of outcomes.

HOW TO APPLY:

Visit our website to learn more about the company and check for current job openings: https://www.cossacklabs.com/job/#open-positions.

    Security Solutions Architect

    Hybrid Remote · Ukraine · Product · 2 years of experience · B2 - Upper Intermediate

    This position is open exclusively for Ukrainian residents within Ukraine (preferably Kyiv or Lviv).

     

    We are looking for a Security Solutions Architect to join our Security Engineering team and work with us on building secure software and solutions for our customers. If you are interested in designing and building security solutions that address complex risks and threats, reviewing and implementing API protocols and subsystems, designing security controls, working hand-in-hand with software developers to build secure systems — this may be the position for you.

     

    Main responsibilities:

    • Architect security features, modules and protocols in mission critical software, ensuring alignment with business objectives, functional and non-functional requirements.
    • Assess and evaluate the security design of systems, components and their API.
    • Search for security weaknesses in software designs from novel fields and areas.
    • Perform risk analysis and threat modelling to evaluate available and missing security controls.
    • Collaborate with stakeholders, including developers, product managers, and executives, to gather requirements and translate them into security architecture.
    • Participate in SSDLC for our products and our customers’ products. Explain architecture choices, work together with developers to select security controls that would improve security without restricting usability/performance.
    • Stay up to date with emerging security threats, vulnerabilities, and controls (read articles and papers, follow CVE updates, understand how the threat landscape is changing, understand how to apply described ideas, read NIST guidelines).
    • Dive into application security, infrastructure security, cloud and on-prem infrastructures, dedicated hardware, IoT security, ML security, and weird stuff beyond casual imagination with our team of skilled engineers. See example of our work.
    • Share your work as conference talks, blogposts (see React Native security example), contribute to open source standards like OWASP.

     

    Requirements:

    • 2+ years as Solution Architect or similar position.
    • Experience designing and implementing security controls in a technically diverse environment.
    • Experience in performing design review for multi-component systems (web, cloud, hardware).
    • Understanding security standards and methodologies (NIST, ISO, CMMI, SOC).
    • Understanding SSDLC and its difficulties. OWASP SSDLC, NIST SSDF.
    • Communication skills: you will communicate about security technical topics with both technical and non-technical audiences (C-level managers, developers, product owners).
    • An overall understanding of what information security is, how real-world risks and threats affect the choice of security controls. How to combine detective, preventive and corrective controls.
    • Experience in popular security tools required for the job, or ability to learn them quickly.
    • English level B2+.

     

    Nice to have:

    • Understanding risk management and threat modelling (NIST RMF, FAIR, STRIDE, MITRE ATT&CK).
    • Understanding of application security verification and software maturity frameworks: OWASP SAMM, OWASP ASVS, OWASP MASVS.
    • A certain area of expertise and deep interest: web, cloud, IoT, infrastructure — an area where you have “seen things” and are ready to share your experience.
    • Experience with clouds: AWS, Azure, GCP, understanding the “cloud responsibility gap”.
    • Basic knowledge in cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, KDF.
    • Knowledge in one of several business domains: banking / finance / payment processing, cryptocurrencies.
    • Practical experience in any programming language.

     

    Hiring process:

    • Resume review — up to 5 business days.
    • Introductory meeting with the Head of security engineering.
    • Test task — estimated time 1-3 hours.
    • Technical interview with several team members.
    • Offer discussion.

     

    What’s in it for you?

    • Competitive compensation with a flexible and clear bonus scheme.
    • Paid vacation — 21 business days per calendar year.
    • Paid sick leaves.
    • Hybrid work model: this position allows for a combination of in-office and remote work as needed.
    • Combining technologies: hardware engineering, software engineering, cryptography, information security.
    • You will work with people deeply interested in security engineering, and you will learn a lot.
    • Reasonable time budgets and an attitude to build things well — we prioritise building for decades, rather than just until the next release.
    • Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops, and blog posts.
    • Public track record in the open-source aspect of our products.

    Node.js Engineer

    Hybrid Remote · Ukraine · Product · 3 years of experience · B1 - Intermediate

    This position is open exclusively to Ukrainian residents within Ukraine (preferably Kyiv).
     

    We are hiring a Senior Node.js Engineer who will primarily build and evolve our web platform while serving as the first-line responder during business hours, seven days per week. Most days pass without incidents and weekend requests are rare; your time will largely focus on development across Node.js, React, and PostgreSQL.
     

    Main responsibilities:

    • Contribute the majority of your time to product development: design, implementation, and testing.
    • Deliver high-quality Node.js services and React UI changes; write maintainable, well-tested code.
    • Design SQL beyond ORM abstractions; analyze queries, optimize performance, and evolve schemas.
    • Improve reliability by creating runbooks, post-incident reviews, and automation for recurring tasks.
    • Own rapid first response during business hours via instant messenger and an emergency phone line.
    • Triage, reproduce, and diagnose issues across the stack; restore service quickly where possible.
    • Apply safe workarounds, configuration tweaks, or hotfixes; execute rollbacks when needed.
    • Escalate efficiently to the development team with clear context, logs, impact, and proposed next steps.
    • Communicate status and timelines to internal stakeholders and customer contacts.
    • Enhance monitoring and alerting; instrument services for actionable logs, metrics, and traces.
       

    Requirements:

    • Senior-level experience building production Node.js applications.
    • React familiarity for practical UI issues diagnosis.
    • PostgreSQL expertise and strong SQL skills beyond ORM usage, including query design and tuning.
    • Hands-on experience with incident triage, root-cause analysis, and production debugging.
    • Comfortable with Linux servers and on-prem fundamentals (DNS, TLS, certificates, basic networking).
    • Proficient with Git workflows and CI/CD practices.
    • Familiarity with observability (logs, metrics, traces) and structured troubleshooting.
       

    Nice to have:

    • Python or Go experience for tooling, services, or automation.
    • Solid understanding of Docker for local development and packaging.
    • Knowledge of reverse proxies/load balancers (Nginx, HAProxy, Traefik).
    • Exposure to container orchestration (Docker Swarm or Kubernetes) and IaC (Terraform/Ansible).
    • Practical experience in diagnosing infrastructure problems: resource congestion, network connectivity issues, PKI and other protocol-level security problems.
    • Experience with Sentry, Prometheus/Grafana, ELK/OpenSearch, or OpenTelemetry.
       

    Hiring Process:

    • Resume review — up to 5 business days.
    • Introductory meeting with the Systems/Software Architect.
    • Technical interview with several team members.
    • Background check.
    • Offer discussion.
       

    We Offer:

    • Competitive compensation.
    • Hybrid work model: combination of in-office and remote work as needed.
    • Paid vacation — 21 business days per year.
    • Paid sick leave.
    • Exposure to intersecting domains: software development, information security, and cloud/on-prem infrastructure engineering.
    • Experience in mission-critical projects.

    Application Security Engineer

    Hybrid Remote · Ukraine · Product · 2 years of experience · B2 - Upper Intermediate

    This position is open exclusively for Ukrainian residents within Ukraine (preferably Kyiv or Lviv).

     

    Cossack Labs is looking for an Application security engineer to join our Security team and work with us on building and breaking software. If you are interested in designing and building security controls, working hand-in-hand with software developers, performing security assessments, this may be the position for you.

    We are ready to invest time in your education if you are prepared to work diligently and responsibly. Alongside technical skills, we’ll teach you leadership, time management, business context, and how to keep improving cybersecurity despite the ever-increasing entropy of the world.

     

    Responsibilities:

    • Perform security assessment and review of code and behavior of systems (web, API, backends).
    • Participate in SSDLC for our products and our customers’ products. Explain risks & threats, work together with developers to select security controls that would improve security without restricting usability/performance.
    • Take part in organisational security practices and work with business owners (assess risks, craft policies for organisations, guide companies towards a more secure future).
    • Stay up to date with emerging security threats, vulnerabilities, and controls (read articles and papers, follow CVE updates, understand how the threat landscape is changing, understand how to apply described ideas, read NIST guidelines).
    • Dive into application security, infrastructure security, cloud and on-prem infrastructures, dedicated hardware, IoT security, ML security, and weird stuff beyond casual imagination with our team of skilled engineers. See example of our work.
    • Share your work as conference talks, blogposts (see Security autotests post), contribute to open source standards like OWASP.

     

    Requirements:

    • 2+ years as an application security engineer or similar position.
    • Experience in performing security assessment for web applications.
    • Experience in selecting or designing security controls in a technically diverse environment.
    • Be familiar with application security verification and software maturity frameworks: OWASP SAMM, OWASP ASVS.
    • Understanding SSDLC (OWASP SSDLC, NIST SSDF).
    • Communication skills: you will communicate about security technical topics with both technical and non-technical audiences (C-level managers, developers, product owners).
    • An overall understanding of what information security is, how real-world risks and threats affect the choice of security controls.
    • Experience in popular security tools required for the job, or ability to learn them quickly (Burp Suite, network analysers, various SAST and DAST, dependency and vulnerability scanners).

     

    Nice to have:

    • A certain area of expertise and deep interest: web, mobile, IoT, infrastructure — an area where you have “seen things” and are ready to share your experience.
    • Basic knowledge in cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, KDF.
    • Understanding security standards and methodologies (NIST, ISO, CMMI, SOC).
    • Understanding risk management and threat modelling (NIST RMF, FAIR, STRIDE, MITRE ATT&CK).
    • Practical experience in scripting languages: Python or Bash.

     

    Our hiring process:

    • Resume review — 1-5 business days.
    • Test task — estimated time 3-4 hours.
    • Introductory meeting with the Head of security engineering.
    • Technical interview with several team members.
    • Offer discussion.

     

    What’s in it for you?

    • A sense of meaning and responsibility for those who seek purpose — we’re building the “invisible texture of modern civilization”: bits of infrastructure that finance, power grids, and healthcare rely on, and we are trusted with very challenging aspects of it.
    • Competitive compensation with a flexible bonus scheme.
    • Hybrid work model: this position allows for a combination of in-office and remote work as needed.
    • UK, EU and USA clients.
    • Working at the crossroads of ML security, cryptographic protocol support, hardware protection, reverse-resilient mobile app development, and securing web apps for millions of users.
    • Public track record in the open-source aspect of our products.
    • Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops, and blog posts.
    • Paid vacation — 21 business days per year.
    • Paid sick leaves.

     

    We are a data security solutions company, providing custom bespoke solutions to innovative software development teams around the world. Our software is well-known amongst security-aware teams, recommended by OWASP, and popular for easily solving complicated security challenges. Apart from building “off-the-shelf” solutions, we design custom security controls for novel problems.

    We work in the B2B space, with customers such as IIoT, AI / ML based systems, mission critical systems, robotics, navigation, power grid operators, payment processors, financial apps, legal companies, million-user customer applications. We cater to young ambitious startups and well-established enterprises, who use our software and solutions as a core part of their security arsenal. Our customers are smart, but extremely demanding.

     

    Markets: EU, UK, USA, UA.
